PSM:MozAppsWithSharedNSSDB
Introduction
Planning document for the NSS shared database feature in all Mozilla applications. The work is to be done in module PSM (core code).
Firefox et al. use NSS for crypto operations (SSL etc.). Each Mozilla application profile directory contains several NSS database files which contain personal certificates, the key to encrypt remembered passwords, trust information for certificate authorities, information about installed external crypto hardware (e.g. smartcards), etc.
As of today, all the above must be managed for each application and profile separately. It's desirable to share this information across multiple applications and profiles. By default, this storage shall be user-specific across all NSS-based applications. This page is about the required changes to Mozilla/PSM in order to make this sharing happen.
Decisions to be made
On Linux, Mac OSX and other Unix platforms: $HOME/.nssdb/
(However, on some SuSE Linux systems the shared database feature has already been enabled for applications, and the default path used is: $HOME/.local/var/pki/nssdb/ )
On Windows: %APPDATA%\NSS\
On Mac OSX: $HOME/Library/Application Support/NSS/
Disadvantage of using a default path
Usually the path to Mozilla profile files contains a random component, a salt. For example, on Linux systems the path is ~/.mozilla/firefox/xxxxxxxx.default/ where xxxxxxxx is a random value.
The use of the salt makes it harder for malicious web sites to use potential application exploits to steal a user's files, because the salt is unknown to the attacker.
When switching to a user-specific default path that shall work with any NSS-based application, it seems necessary to stop using a salt component.
As a consequence, the path to a user's default certificate database files will be known.
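Once the location is fixed and identical for every account, the permissions on the directory itself are worth verifying. The script below is an added example, not part of the original plan or of PSM/NSS: it checks the Unix-style default locations listed above for group/other access. The function names are hypothetical, and cert9.db, key4.db and pkcs11.txt are the file names of NSS's shared database format, which this page does not list.

```shell
#!/bin/sh
# Added example: audit permissions on a shared NSS database directory.
# Candidate directories are the Unix-like defaults proposed on this page
# (the Windows %APPDATA%\NSS\ location is not covered here).
# Assumption: the database files are cert9.db, key4.db and pkcs11.txt.

# Succeeds when group and other have no permission bits on $1.
# Characters 5-10 of the ls mode string are the group/other bits.
owner_only() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# audit_nssdb DIR: prints one WARN line per finding.
# Returns 0 if clean, 1 if something is exposed, 2 if DIR is missing.
audit_nssdb() {
    dir=$1
    [ -d "$dir" ] || return 2
    rc=0
    owner_only "$dir" || { echo "WARN $dir accessible by group/other"; rc=1; }
    for f in cert9.db key4.db pkcs11.txt; do
        [ -e "$dir/$f" ] || continue
        owner_only "$dir/$f" || { echo "WARN $dir/$f accessible by group/other"; rc=1; }
    done
    return $rc
}

# Walk the default locations; directories that do not exist are skipped.
audit_default_locations() {
    for d in "$HOME/.nssdb" "$HOME/.local/var/pki/nssdb" \
             "$HOME/Library/Application Support/NSS"; do
        if audit_nssdb "$d"; then echo "OK   $d"; fi
    done
    return 0
}

audit_default_locations
```

This only covers access by other local accounts; it does not restore the protection the salt gave against an exploit running inside the application as the same user.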