Open JamesTheAwesomeDude opened 4 years ago
Disturbingly, webRequest.onBeforeSendHeaders, which "is triggered before sending any HTTP data", does not provide access to the TLS certificate status... what it's currently using, webRequest.onHeadersReceived, is "Fired when the HTTP response headers for a request are received", so it can't protect against the entire outbound request going to the attacker.
TODO: try webRequest.onSendHeaders? [EDIT: no-can-do—this API “is informational only” i.e. you can't use it to stop a bad request.]
onBeforeSendHeaders also doesn't have access to securityInfo … and the next one in line, onSendHeaders, “is informational only”—i.e. you can't use it to stop a bad request.
Alas. So, it looks like we can't make a properly-failsafe constrainer with just the APIs given us. The best we can do (for now) is "throwing the breaker" after 1 full bad connection has already been made.
Perhaps, once the rest of the functionality's implemented, Mozilla would hear out our requests for better access.
It's a fair assumption that (root and delegated) CAs will supply bogus certificates to their national intelligence agencies…
– Tom Hawtin, Former engineer in Java SE security for Oracle Corporation
a mitigation, for an attacker who isn't aware of this add-on: hook onBeforeRequest to do a "preflight check"
Consider an attacker who is aware of this Add-on.
They might:
remember that in The Internet, you have other, aggressive intelligences finding ways your software diverges from what you thought you wrote… everything doesn't go "as planned"; you've got to be airtight or its utility is only marginal
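
The "throw the breaker" arrangement discussed in this issue, sketched as an added example (not the add-on's own code and not part of the original posts): onHeadersReceived is the first hook where Firefox's webRequest.getSecurityInfo() can be called, and onBeforeRequest can only refuse hosts that already tripped. The names installConstrainer, ALLOWED_ROOTS and tripped, the policy shape, and the fingerprint value are assumptions made for illustration.

```javascript
// Added illustration, not the add-on's code. ALLOWED_ROOTS and its fingerprint
// are constructed placeholders; the host -> allowed-roots policy shape is assumed.
const ALLOWED_ROOTS = { "example.test": new Set(["AA:BB:CC (placeholder sha256)"]) };
const tripped = new Set(); // hosts whose breaker has been thrown

function installConstrainer(api, allowedRoots) {
  const filter = { urls: ["https://*/*"] };

  // Pre-send hook that can cancel. It has no securityInfo, so it can only
  // refuse hosts that were already seen with a bad chain.
  api.webRequest.onBeforeRequest.addListener((details) => {
    return tripped.has(new URL(details.url).hostname) ? { cancel: true } : {};
  }, filter, ["blocking"]);

  // First point where getSecurityInfo() works. The request line, headers
  // (cookies included) and body have already gone to the peer by now.
  api.webRequest.onHeadersReceived.addListener(async (details) => {
    const host = new URL(details.url).hostname;
    const allowed = allowedRoots[host];
    if (!allowed) return {}; // no constraint configured for this host
    const info = await api.webRequest.getSecurityInfo(
      details.requestId, { certificateChain: true });
    const chain = info.certificates || [];
    const root = chain[chain.length - 1]; // chain runs leaf first, trust root last
    const ok = info.state === "secure" && root &&
      allowed.has(root.fingerprint.sha256);
    if (ok) return {};
    tripped.add(host);       // fail closed for every later request to this host
    return { cancel: true }; // discard the response of this one
  }, filter, ["blocking"]);
}

// Only wire up the real API when running inside the extension.
if (typeof browser !== "undefined") installConstrainer(browser, ALLOWED_ROOTS);
```

The first request to a host with an unexpected root still leaves the browser in full; only its response and all later requests are stopped, which is the gap the issue describes.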