netsec-ethz / fpki


Where is the code of F-PKI browser extension #60

Closed zL1nX closed 3 months ago

zL1nX commented 3 months ago

Hello, I have read your paper recently (excellent work by the way). I notice that there is an F-PKI browser extension based on Mozilla WebExtension API to help clients verify the certificates with customized policies. But it seems that this repo does not contain that extension. Neither does the Firefox Add-on Market. Where can I find this browser extension? Thanks!

Actually, what I really want to ask about is that the current version of Mozilla WebExtension API does not allow developers to read or parse out the signature, public key, and extension field from the X509 certificates. That is, the JavaScript object returned from webRequest.CertificateInfo simply does not have these fields. It is indeed reasonable for vendors to restrict users from probing this sensitive information in TLS connections. So I'd like to know how F-PKI manages to let clients conduct the customized certificate verification in a browser environment. Thank you!

perrig commented 3 months ago

Hi XiaoLin

Thank you for your interest!

Cyrill (cc'ed) wrote the plugin, he can send you a pointer to it.

With all the best wishes Adrian

On Tue, Apr 2, 2024 at 5:40 AM XiaoLin @.***> wrote:

Hello, I have read your paper recently (excellent work by the way). I notice that there is an F-PKI browser extension based on Mozilla WebExtension API to help clients verify the certificates with customized policies. But it seems that this repo does not contain that extension. Neither does the Firefox Add-on Market. Where can I find this browser extension? Thanks!

Actually, what I really want to ask about is that the current version of Mozilla WebExtension API does not allow developers to read or parse out the signature, public key, and extension field from the X509 certificates. That is, the JavaScript object returned from webRequest.CertificateInfo https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/CertificateInfo simply does not have these fields. It is indeed reasonable for vendors to restrict users from probing this sensitive information in TLS connections. So I'd like to know how F-PKI manages to let clients conduct the customized certificate verification in a browser environment. Thank you!


zL1nX commented 3 months ago

Thank you very much for your direct reply, Prof. Perrig!

cyrill-k commented 3 months ago

Hi XiaoLin,

We solve this issue by requesting the complete DER-encoded certificate and parsing the certificate in the browser extension (https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/CertificateInfo#rawder).

The current (alpha) version of the plugin is here: https://github.com/cyrill-k/fpki-firefox-extension/releases/tag/v0.1.0-alpha

Note that the plugin is not yet completely stable (and does not cover the complete certificate landscape yet) but it shows the main functionality of the plugin.
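The rawDER approach described in the comment above, sketched as an added example (not part of the thread and not code from the F-PKI extension): a minimal DER walker that splits the byte array into the signed TBS bytes, signature, public key and extensions that `CertificateInfo` does not expose as fields. The function names and the sample bytes are constructed for illustration; in Firefox the input would come from `webRequest.getSecurityInfo()` called with `rawDER: true`.

```javascript
// Read one DER TLV at offset `off` (short and long-form definite lengths).
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error("truncated DER header");
  let len = buf[off + 1], hdr = 2;
  if (len & 0x80) {                       // long form: low 7 bits = number of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4 || off + 2 + n > buf.length) throw new Error("bad DER length");
    len = 0; hdr += n;
    for (let i = 0; i < n; i++) len = len * 256 + buf[off + 2 + i];
  }
  const end = off + hdr + len;
  if (end > buf.length) throw new Error("truncated DER value");
  return { tag: buf[off], end, raw: buf.slice(off, end), value: buf.slice(off + hdr, end) };
}
// All TLVs directly inside a constructed value.
function children(buf) {
  const out = [];
  for (let off = 0; off < buf.length; off = out[out.length - 1].end) out.push(readTlv(buf, off));
  return out;
}
// Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
function splitCertificate(rawDER) {
  const buf = Uint8Array.from(rawDER);    // rawDER arrives as an array of byte values
  const cert = readTlv(buf, 0);
  if (cert.tag !== 0x30 || cert.end !== buf.length) throw new Error("not one DER SEQUENCE");
  const [tbs, sigAlg, sig] = children(cert.value);
  if (!sig || sig.tag !== 0x03) throw new Error("missing signature BIT STRING");
  const fields = children(tbs.value);
  const spki = fields[(fields.length && fields[0].tag === 0xa0 ? 1 : 0) + 5]; // skip optional [0] version
  if (!spki || spki.tag !== 0x30) throw new Error("missing subjectPublicKeyInfo");
  return {
    tbs: tbs.raw,                          // exact bytes covered by the issuer's signature
    signatureAlgorithm: sigAlg.raw,
    signature: sig.value.slice(1),         // drop the BIT STRING unused-bits octet
    spki: spki.raw,                        // DER SubjectPublicKeyInfo
    extensions: fields.filter((f) => f.tag === 0xa3).flatMap((f) => children(readTlv(f.value, 0).value)),
  };
}

// Constructed sample (a certificate-shaped skeleton, not a real certificate).
const der = (tag, ...parts) => [tag, parts.flat().length, ...parts.flat()]; // lengths < 128 only
const OID = der(0x06, [0x2a, 0x03]);                                        // dummy OID 1.2.3
const sampleDER = der(0x30,
  der(0x30, der(0xa0, der(0x02, [2])), der(0x02, [1]), der(0x30, OID), // version, serial, sig alg
    der(0x30), der(0x30), der(0x30),                                   // issuer, validity, subject
    der(0x30, der(0x30, OID), der(0x03, [0, 0xaa, 0xbb])),             // subjectPublicKeyInfo
    der(0xa3, der(0x30, der(0x30, der(0x06, [0x55, 0x1d, 0x13]), der(0x04, der(0x30)))))),
  der(0x30, OID), der(0x03, [0, 1, 2, 3, 4]));                         // sig alg, signature
```

The returned `tbs` and `signature` are the inputs a custom verifier checks against the issuer's key, and each entry of `extensions` is one raw Extension SEQUENCE to decode further.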

zL1nX commented 3 months ago

Thank you Cyrill! It is a very complete and complex project. I have learned a lot from your code. Appreciate the contributions of F-PKI to the community.