ProtonMail / proton-bridge

Proton Mail Bridge application
GNU General Public License v3.0

Allow use of macos PM bridge without installing CA cert in OS cert store? #373

Open wyager opened 1 year ago

wyager commented 1 year ago

Currently, on startup, the macos protonmail bridge automatically executes /usr/bin/security execute-with-privileges /usr/bin/security add-trusted-cert -d -r trustRoot -p ssl -k /Library/Keychains/System.keychain /var/folders/<path to some cert file> (attempting to add a self-signed CA cert to the OS trust store).

This causes a security pop-up to appear with "security wants to make changes. Touch ID or enter your password to allow this."

If I reject this, the bridge dies with Bridge application exited before providing a gRPC service configuration file.

The cert file in question has:

...
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CH, O=Proton AG, OU=Proton Mail, CN=127.0.0.1
        Validity
            Not Before: Mar 14 16:21:17 2023 GMT
            Not After : Mar  9 16:21:17 2043 GMT
        Subject: C=CH, O=Proton AG, OU=Proton Mail, CN=127.0.0.1
...
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE
...

This seems not ideal, as:

  1. There's no prompt or explanation of what's going on. A generic system window pops up saying "security wants to make changes", prompting the user for their password. Not a good thing to train users to blindly go along with.
  2. It messes with the OS-level trust settings without informing or getting permission from the user. (They have to enter their password, but they have no idea what for.)
  3. It doesn't just add a standard self-signed TLS cert to the system store - it adds a self-signed CA cert. I don't think setting the CN to 127.0.0.1 accomplishes anything from a limiting-scope-of-cert perspective, because CA certs can sign other certs with different common names. I.e. with this cert in the cert store, couldn't anyone with access to the bridge's signing cert issue a fake cert for any domain? Not entirely sure on this one
  4. It doesn't seem necessary. Thunderbird, for example, lets you work with self-signed certs without needing to modify the OS-level trust settings.

I can see a few ways to avoid this, e.g.:

  1. Rather than automatically trying to modify the cert store on startup, have something in the bridge that says "hey, your mail client might not work without this self-signed cert, so click this button to install"
  2. Give users the option to export any required cert(s) so they can add them to app-specific cert stores rather than the system stores. (Not even sure if this is required for Thunderbird - I think I might just be able to add a security exception the first time it tries to connect.)
  3. Maybe allow non-TLS connections for localhost?
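To check the concern in point 3 concretely, here is a constructed Go program (added as an illustration, not code from the bridge or from the issue author) that builds a self-signed CA with the fields quoted above, issues a leaf for an unrelated hostname under it, and asks Go's chain verifier whether a trust store holding only that CA would accept the leaf. It also shows the contrast with a name-constrained CA. The function names (`issue`, `NewLocalCA`, `ForeignHostVerifies`), the Ed25519 keys and the `localhost` constraint are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with parent/pkey (self-signed when parent is nil) using a fresh Ed25519 key (constructed helper).
func issue(tmpl, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	if parent == nil { parent, pkey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// NewLocalCA is a constructed self-signed CA mirroring the quoted fields (CN=127.0.0.1, CA:TRUE, certSign).
// constrained=true adds a name constraint limiting it to "localhost", the scoping that the CN alone does not give.
func NewLocalCA(constrained bool) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Country: []string{"CH"}, Organization: []string{"Proton AG"}, CommonName: "127.0.0.1"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(20, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	if constrained { t.PermittedDNSDomainsCritical, t.PermittedDNSDomains = true, []string{"localhost"} }
	return issue(t, nil, nil)
}

// ForeignHostVerifies issues a leaf for host under ca and reports whether it validates against a root pool
// that trusts only ca, i.e. what the OS trust store would accept once ca is installed as a trustRoot.
func ForeignHostVerifies(ca *x509.Certificate, caKey ed25519.PrivateKey, host string) bool {
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
```

With the unconstrained CA, a leaf for any hostname verifies; with the name-constrained variant, only a leaf for `localhost` does, which is the scoping a per-application trust store or a constrained CA would provide.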

LBeernaertProton commented 1 year ago

Hey @wyager thanks for all the feedback. We are aware of the issue (#361) and we are working on improving this.

wyager commented 1 year ago

Gotcha, thanks. What do you think about the option of not doing anything by default on bridge launch, and (regardless of what solution you decide on) only adding system certs after the user clicks something? I think that would solve the issue for most people who are not using Mail.app

jorge-ui commented 1 year ago

I am currently a victim xD of this issue as I am not able to run the PM Bridge on my machine (macOS Ventura).

I don't know how it got to this, maybe at some point updating the app idk 🤷‍♂️.

Looking forward to a solution. Any workarounds? An official patch, ideally, of course.

I'll be resorting to the web version while this gets sorted.

Dev team at Proton, Thank you, I support your privacy-minded products and efforts <3

Jonna1408 commented 1 year ago

Today (28-04-2023) this is still an issue. Strange that even when I type in my password it still doesn't open. Can't access it at all. macOS Ventura 13.2.1.