moxie0 / Convergence

An agile, distributed, and secure alternative to the Certificate Authority system.
http://convergence.io

Convergence 0.04 broke Firefox autoupdate #69

Closed ghost closed 13 years ago

ghost commented 13 years ago

If convergence was enabled, Firefox 6.0.1 will report this version as the last one. If you disable convergence, Firefox will upgrade to 6.0.2.

ewanm89 commented 13 years ago

I need to look into it further, but I think Mozilla have pinned one of their certificates into Firefox (in later releases) for the auto update. As such, the Convergence local CA signed cert doesn't match and it throws the someone is trying to "trick you into accepting an insecure update" error.

I suppose we could just pass through the encrypted data for the auto update domains in this case.

moxie0 commented 13 years ago

@ewanm89 If you can confirm that's true, then I agree that's a totally reasonable fix.

ewanm89 commented 13 years ago

Yes, it's in about:config under app.update keys. Specifically, app.update.cert.requireBuiltIn set to true, and app.update.certs having a list of valid certs it checks against. We should moan at Mozilla for not having full fingerprint in there, unless they are actually storing it in NSS somewhere.
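
An added illustration, not part of the thread and not Firefox's or Convergence's code: a simplified model of why a certificate re-signed by a local interception CA fails an update check of the kind described above, and how an exact-match pass-through list for the update host avoids it. The attribute names, certificate values and function names are constructed assumptions; the host name is the one mentioned in the thread.

```javascript
// Simplified model of the update check described in the thread (assumption,
// not Firefox's or Convergence's code). All certificate values are constructed.
const updatePrefs = {
  requireBuiltIn: true,                       // models app.update.cert.requireBuiltIn
  certs: [                                    // models the app.update.certs list
    { commonName: "aus3.mozilla.org", issuerName: "CN=Example Public Root CA" },
  ],
};

// Certificate the real update server would present (constructed).
const originCert = {
  commonName: "aus3.mozilla.org",
  issuerName: "CN=Example Public Root CA",
  issuerIsBuiltIn: true,
};

// What an intercepting local proxy presents instead: same subject, but
// re-signed by a locally installed CA that is not a built-in root.
function resign(cert, localCaName) {
  return { ...cert, issuerName: localCaName, issuerIsBuiltIn: false };
}

// Returns null when the cert is accepted, or the reason it is rejected.
function updateCertProblem(cert, prefs) {
  if (prefs.requireBuiltIn && !cert.issuerIsBuiltIn) return "issuer-not-built-in";
  const matches = prefs.certs.some((want) =>
    Object.keys(want).every((attr) => cert[attr] === want[attr]));
  return matches ? null : "attributes-not-in-list";
}

// Pass-through decision for the proxy: exact-match host list, case-insensitive,
// trailing dot stripped. No suffix matching, so "aus3.mozilla.org.example"
// is still intercepted and validated like any other host.
function shouldPassThrough(host, passThroughHosts) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return passThroughHosts.includes(h);
}

// The certificate the client ends up seeing for a given host.
function certSeenByClient(host, passThroughHosts) {
  return shouldPassThrough(host, passThroughHosts)
    ? originCert
    : resign(originCert, "CN=Local Interception CA");
}
```
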

ewanm89 commented 13 years ago

Now, mine has it registered to use aus3.mozilla.org for the update server, you all got the same (app.update.url)?

Lcstyle commented 13 years ago

Can this be closed now?

moxie0 commented 13 years ago

Yeah, this is fixed in 8e5af24ae9ae4b25caf31469e557f9ccca0951fb

ewanm89 commented 13 years ago

Was that pushed out in Convergence 0.05?