SecurityEngineering/Untrusted Certificates in Windows Child Mode

From MozillaWiki
< SecurityEngineering
Revision as of 19:24, 11 November 2015 by Dkeeler (talk | contribs) (minor edits, remove draft status)
Jump to navigation Jump to search

Recent versions of Windows include "Family Safety" functionality whereby an administrator can put a user's account into "child mode", which enables monitoring of the Internet activity of that user (presumably a child or ward of the administrator). This mechanism appears to work in part by locally proxying all outbound HTTPS traffic. More specifically, the device generates a new key, creates a root certificate corresponding to that key, and adds that root as a trusted anchor in the operating system's root store. Then, when a program running on the child account attempts to make an outbound HTTPS connection, it creates and signs a new certificate that is valid for the target domain and presents that to the program. Meanwhile it initiates a connection to the actual host and prepares to ferry information between the child account and the actual host. If the program uses the operating system's trust store (as Chrome does, for example), it will find that the certificate was issued by a trusted root and the connection will proceed. If, however, the program uses its own trust store (as Firefox does), it will terminate the connection because the certificate was not issued by a trusted root. Furthermore, if the target domain uses HSTS (HTTP Strict Transport Security) or HPKP (HTTP Public Key Pinning), the browser will not allow the user to add a certificate error override (this behavior is required by those specifications). Finding and importing the root certificate into Firefox as a trust anchor would allow connections to proceed as intended, but only the most advanced users will be able to do this. For everyone else in this situation, Firefox is not a functional browser. A few bugs have been filed on this issue: bug 1189110, 1183930, bug 1067174, and bug 1189275 (the latter three have been marked as duplicates of the first one). The number of users who do not know about bugzilla or simply switched browsers almost certainly dwarfs those who were able to reach us. Addressing this situation would help retain existing users and provide choice for those who use "child mode" accounts.

Mozilla maintains its own root certificate program for a number of reasons. Simply trusting every root in the Windows trust database would undermine the purpose of Mozilla's program and the safety it provides users. Similarly, offering to import the issuer of any encountered untrusted certificate severely compromises user security, as at that point any network attacker could present a certificate that has a good chance of becoming trusted by the browser. For this feature to be effective and as safe as possible, it would have to only be available if the user account is in child mode and it would have to identify and import only the root certificate being used to intercept traffic. The former appears to possible: this document identifies registry keys that indicate if the account is in child mode. It is unclear if this is available for all versions of Windows with the Family Safety functionality, however. The latter is more difficult. While there are APIs for querying the operating system's certificate database, and while this document indicates that the root will be called "Microsoft Family Safety Certificate", this could be a malicious root masquerading as the Family Safety root that has been installed by another program. However, if another program has sufficient privileges to add a new trust anchor, it can likely add that same root directly in the Firefox root store without any user intervention (or even replace Firefox entirely, and so on). So, excluding local malicious software as out of scope, there appears to be sufficient platform support to programmatically identify and import the Family Safety root certificate when an account is in child mode.

In implementing the functionality to address accounts in child mode, Firefox needs to make it clear to the user that by trusting the Microsoft Family Safety Certificate, they are allowing another party to monitor their web traffic. Additionally, while it is unclear that inspecting the certificate in question is in any way useful, some users will no doubt expect to be able to do so. Consequently, there should probably be an option to view the certificate being imported.

Retrieved from "https://wiki.allizom.org/index.php?title=SecurityEngineering/Untrusted_Certificates_in_Windows_Child_Mode&oldid=1105234"