Security/Features/Strange SSL Cert Change Alert
Status
Certificate Suspicion | |
Stage | Draft |
Status | ` |
Release target | ` |
Health | OK |
Status note | ` |
Team
Product manager | Sid Stamm |
Directly Responsible Individual | ` |
Lead engineer | ` |
Security lead | Curtis Koenig |
Privacy lead | Sid Stamm |
Localization lead | ` |
Accessibility lead | ` |
QA lead | ` |
UX lead | ` |
Product marketing lead | ` |
Operations lead | ` |
Additional members | Tom Lowenthal |
Open issues/risks
Any notary-based component has the potential to be a privacy threat to users.
Stage 1: Definition
1. Feature overview
Under current SSL PKI, any CA can issue a certificate for any service, making any CA a potential point of total failure. At least several CAs, including Comodo and DigiNotar, have been successfully attacked and have issued cryptographically valid but incorrect certificates for a number of sites, including *.*.com and *.*.org. So: current PKI may validate certificates that are not actually correct.
When users trust SSL, they may put financial or sensitive personal information on the line. If the certificate they trust is part of a MITM attack by a criminal gang, a user's money may be stolen. If the certificate they trust is part of a MITM by an oppressive government, they may be tortured to death.
Some of the time, these incorrect certificates would be obviously suspicious to manual inspection, even though they satisfy the automated PKI requirements. For instance, if a popular US-based mail service appears to have renewed its two-month-old SSL certificate at a small Dutch CA, something may be amiss.
Firefox should heuristically attempt to identify some of these cases, and should warn the user or perform additional checks if there is reason to be suspicious of a certificate.
2. Users & use cases
All users benefit whenever they trust an SSL connection.
The following are examples of situations which might prompt suspicion:
- a site's certificate changes from one CA to another;
- a site's certificate changes when it is not near expiry; or
- a site's certificate changes from EV to DV.
The following are examples of actions Firefox might take if a certificate is suspicious:
- treat the certificate as untrusted;
- contact a Mozilla-run notary to ask about the certificate; or
- contact a Mozilla-run notary to warn about a suspected attack.
3. Dependencies
`
4. Requirements
Any combination of suspicion and notary must not be an effective tool to spy on users.
If suspicion leads to distrust, the heuristics should not have high false-positive rates.
Non-goals
This feature is not intended to replace PKI, but to supplement it with an additional sanity check.
Stage 2: Design
5. Functional specification
`
6. User experience design
`
Stage 3: Planning
7. Implementation plan
The MVP for this feature is:
- whenever we see a trusted certificate, remember its CA;
- whenever we see a new certificate for a site, if the new CA is different from the old CA, treat the new certificate as being untrusted.
We can potentially add more complexity in subsequent releases.
Additional heuristics to identify a "suspicious" certificate might include:
- this certificate is new, and the old one was nowhere near expiry;
- this certificate is new, and the old one was from a different intermediate CA of this CA.
Additional actions to take if a certificate is suspicious might include:
- provide the user with a soft warning;
- contact a Perspectives/Convergence-style notary run by Mozilla, to see whether we see the same certificate;
- contact a Mozilla-run notary to report a suspected attack.
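As an added illustration of the MVP rule and the additional heuristics above (not Firefox code, and not part of this feature page), the following Python sketch keeps the last accepted certificate per host and grades a replacement as ok, suspicious or untrusted. The CertInfo fields, the 30-day "near expiry" window and the verdict names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class CertInfo:
    """Constructed view of a validated cert: just the fields the heuristics need."""
    host: str
    root_ca: str         # trust anchor the chain validated to
    intermediate: str    # issuing intermediate CA
    fingerprint: str     # identity of the leaf cert (constructed values in tests)
    not_before: datetime
    not_after: datetime
    ev: bool = False


class CertSuspicionStore:
    """Remember the last accepted cert per host and score any replacement."""

    def __init__(self, near_expiry=timedelta(days=30)):
        self.seen = {}                  # host -> CertInfo last accepted
        self.near_expiry = near_expiry  # window in which a renewal is expected

    def check(self, cert, now):
        """Return (verdict, reasons); verdict is 'ok', 'suspicious' or 'untrusted'."""
        old = self.seen.get(cert.host)
        if old is None or old.fingerprint == cert.fingerprint:
            self.seen[cert.host] = cert   # first sight, or the cert we already know
            return "ok", []
        reasons = []
        if old.root_ca != cert.root_ca:
            reasons.append("CA changed")            # MVP rule
        elif old.intermediate != cert.intermediate:
            reasons.append("intermediate changed")  # same CA, different issuer
        if old.not_after - now > self.near_expiry:
            reasons.append("old cert not near expiry")
        if old.ev and not cert.ev:
            reasons.append("EV to DV")
        if "CA changed" in reasons:
            return "untrusted", reasons   # MVP: do not trust, keep the old pin
        if reasons:
            return "suspicious", reasons  # candidate for a soft warning / notary query
        self.seen[cert.host] = cert       # routine renewal: accept and re-pin
        return "ok", reasons
```

The remembered certificate is only replaced on an "ok" verdict, so a rejected or suspicious certificate cannot overwrite the pin it was compared against.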
8. Reviews
Security review
`
Privacy review
`
Localization review
`
Accessibility
`
Quality Assurance review
`
Operations review
`
Stage 4: Development
9. Implementation
`
Stage 5: Release
10. Landing criteria
`
Feature details
Priority | Unprioritized |
Rank | 999 |
Theme / Goal | Product Hardening |
Roadmap | Security |
Secondary roadmap | User Support |
Feature list | ` |
Project | ` |
Engineering team | ` |
Team status notes
status | notes | |
Products | ` | ` |
Engineering | ` | ` |
Security | ` | ` |
Privacy | ` | ` |
Localization | ` | ` |
Accessibility | ` | ` |
Quality assurance | ` | ` |
User experience | ` | ` |
Product marketing | ` | ` |
Operations | ` | ` |