(you get a paragraph, you get a paragraph - everyone look under your seats!) |
(edited for brevity) |
Line 11: | Line 11: | ||
A more targeted approach would be to only offer to import the Family Safety root certificate if the user account is in child mode. According to [https://msdn.microsoft.com/en-us/library/windows/desktop/jj155495%28v=vs.85%29.aspx this document], there are registry keys that indicate if this is the case. Once Firefox has identified that an account is in child mode, it needs to import and trust only the Family Safety root certificate. There are APIs for querying the operating system's certificate database and [https://support.microsoft.com/en-us/kb/2965142#bookmark-2 this document] indicates that the root will be called "Microsoft Family Safety Certificate". This solution would be the safest option for users. | A more targeted approach would be to only offer to import the Family Safety root certificate if the user account is in child mode. According to [https://msdn.microsoft.com/en-us/library/windows/desktop/jj155495%28v=vs.85%29.aspx this document], there are registry keys that indicate if this is the case. Once Firefox has identified that an account is in child mode, it needs to import and trust only the Family Safety root certificate. There are APIs for querying the operating system's certificate database and [https://support.microsoft.com/en-us/kb/2965142#bookmark-2 this document] indicates that the root will be called "Microsoft Family Safety Certificate". This solution would be the safest option for users. | ||
Firefox needs to make it clear to the user that by trusting the Microsoft Family Safety Certificate, they are allowing another party to monitor their web traffic. Additionally, while it is unclear that inspecting the certificate in question is in any way useful, some users will no doubt expect to be able to do so. Consequently, there should probably be an option to view the certificate being imported. | |||
As a final note, locally-running malicious software that masquerades as the Windows Family Safety mechanism is considered out of scope for this project. If another program has sufficient privileges to add a new trust anchor and modify registry keys, it can likely add that same root directly into the Firefox root store without any user intervention (or even replace Firefox entirely, and so on). We cannot realistically defend against this threat. | As a final note, locally-running malicious software that masquerades as the Windows Family Safety mechanism is considered out of scope for this project. If another program has sufficient privileges to add a new trust anchor and modify registry keys, it can likely add that same root directly into the Firefox root store without any user intervention (or even replace Firefox entirely, and so on). We cannot realistically defend against this threat. |
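Review bot: The paragraph dropped between the "more targeted approach" paragraph and the "final note" paragraph carried two requirements that appear nowhere else in the visible text: that Firefox make clear to the user that trusting the Microsoft Family Safety Certificate allows another party to monitor their web traffic, and that there be an option to view the certificate being imported. If the cut is only for brevity, keep a one-sentence version of the disclosure requirement at the end of the preceding paragraph, so the design still records that importing this root requires informing the user rather than happening silently.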