From: Ben Bucksch ben.bucksch@beonex.com
To: maildev@lists.thunderbird.net
Date: 26.09.2017 04:12
Subject: Re: [Maildev] Thunderbird AMO cert pinning
Andrei Hajdukewycz wrote on 26.09.17 03:35:
> So today it was brought to my attention that Thunderbird might pin a
> cert for addons.mozilla.org which would mean that TB won't install
> add-ons from any other domain, even if there's a rewrite to some other
> domain from addons.mozilla.org, or even if we change the prefs.
> However, after some effort to build a test setup, I was able to, on TB
> 56.0b3, cleanly install an add-on from a thunderbird.net domain with
> no prompts or errors via the in-client Add-ons panel, after just
> changing the prefs to point to thunderbird.net instead of
> addons.mozilla.org.
> I don't know if this is a bug, whether we never enabled the feature,
> or whether changing the prefs automatically bypasses it.
> If anyone knows anything about this, that would be helpful!
IIRC, the cert pinning as implemented by Firefox was pinning only the
CA, not the individual cert. So, if you're using the same CA for
thunderbird.net as AMO uses, it would work.
Search for "cert" in FF about:config and TB Prefs | Advanced | Config
Editor. When I do that, I only find cert pinning for updates, for
extension "hotfixes", and for media plugins. So, it appears to me that
there is no cert pinning for AMO.
But I don't know the extension client implementation. The source code
would be your information source.
If I understand the technology of certificate pinning, it does not mean you can't access a different domain (with a different cert). It's not that the domain is fixed anywhere (if you have a pref to set the AMO URL).
It's just that for the specific domain you have chosen to access, the certificate (or CA) is pinned to a specific one and can't be changed. I.e. the browser will not accept any other certificate for the domain, even if it otherwise would appear valid (issued by a legit CA). This is used to avoid accepting faked certificates for domains from other CAs.
Look up the case of a Chinese CA issuing certs for google.com.
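The two points made in this thread (a CA pin lets any leaf issued by that CA through, and pins are looked up per host, so a host with no entry simply gets ordinary validation) can be shown with a small pin-matching routine. The following is an added illustration written for this page; it is not Thunderbird or Firefox code. It assumes the HPKP-style pin format (base64 of the SHA-256 of the DER-encoded SubjectPublicKeyInfo) and uses constructed byte strings in place of real SPKI blobs; the function names and the pin table are hypothetical.

```python
"""Pin matching against a certificate chain, in the style of static key
pinning: a pin is base64(sha256(SubjectPublicKeyInfo DER)) and a chain passes
when ANY certificate in it, leaf or CA, carries a pinned key. Pins are keyed
by host name, so a host without an entry is not pinned at all."""
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64 of the SHA-256 digest of the DER SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches(chain_spkis, pinset) -> bool:
    """True if any SPKI in the chain (leaf first, root last) is in the pin set."""
    return any(spki_pin(spki) in pinset for spki in chain_spkis)


def check_host(host: str, chain_spkis, pin_table) -> str:
    """'no-pin' when the host has no entry (normal CA validation applies),
    otherwise 'pin-ok' or 'pin-violation'."""
    pinset = pin_table.get(host)
    if pinset is None:
        return "no-pin"
    return "pin-ok" if chain_matches(chain_spkis, pinset) else "pin-violation"


# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs; real pins
# are computed from the public keys of the actual certificates.
CA_SPKI = b"constructed-spki:issuing-ca"
OTHER_CA_SPKI = b"constructed-spki:some-other-ca"
AMO_LEAF_SPKI = b"constructed-spki:addons.mozilla.org-leaf"
TBNET_LEAF_SPKI = b"constructed-spki:thunderbird.net-leaf"
ROGUE_LEAF_SPKI = b"constructed-spki:mis-issued-leaf"

AMO_CHAIN = [AMO_LEAF_SPKI, CA_SPKI]                 # AMO leaf, issuing CA
TBNET_CHAIN_SAME_CA = [TBNET_LEAF_SPKI, CA_SPKI]     # other host, same CA
ROGUE_CHAIN = [ROGUE_LEAF_SPKI, OTHER_CA_SPKI]       # leaf from an unrelated CA

CA_PINSET = {spki_pin(CA_SPKI)}            # pins only the CA key
LEAF_PINSET = {spki_pin(AMO_LEAF_SPKI)}    # pins the individual leaf key


def compare_pin_styles():
    """Pinning the CA accepts any leaf it issued; pinning the leaf does not."""
    return {
        "ca_pin": {
            "amo": chain_matches(AMO_CHAIN, CA_PINSET),                        # True
            "tbnet_same_ca": chain_matches(TBNET_CHAIN_SAME_CA, CA_PINSET),    # True
            "rogue": chain_matches(ROGUE_CHAIN, CA_PINSET),                    # False
        },
        "leaf_pin": {
            "amo": chain_matches(AMO_CHAIN, LEAF_PINSET),                      # True
            "tbnet_same_ca": chain_matches(TBNET_CHAIN_SAME_CA, LEAF_PINSET),  # False
            "rogue": chain_matches(ROGUE_CHAIN, LEAF_PINSET),                  # False
        },
    }


def per_host_lookup():
    """Pins are per host: pointing the client at an unpinned host bypasses
    the AMO pin entirely rather than failing against it."""
    pin_table = {"addons.mozilla.org": CA_PINSET}  # constructed pin table
    return {
        "amo_ok": check_host("addons.mozilla.org", AMO_CHAIN, pin_table),
        "amo_rogue": check_host("addons.mozilla.org", ROGUE_CHAIN, pin_table),
        "tbnet_unpinned": check_host("thunderbird.net", TBNET_CHAIN_SAME_CA, pin_table),
    }


if __name__ == "__main__":
    print(compare_pin_styles())
    print(per_host_lookup())
```

The first function reproduces the observation that a CA pin does not stop a different host served under the same CA; the second shows why switching the AMO pref to another host never hits the pin at all, since the pin table is consulted by host name and only a mis-issued certificate for the pinned host itself is rejected.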