Opened 7 years ago
Last modified 2 years ago
#8957 needs_review enhancement
The SSL Observatory client should listen for and submit invalid certs
| Reported by: | pde | Owned by: | pde |
|---|---|---|---|
| Priority: | Medium | Milestone: | |
| Component: | HTTPS Everywhere/EFF-HTTPS Everywhere | Version: | |
| Severity: | Normal | Keywords: | |
| Cc: | dtauerbach | Actual Points: | |
| Parent ID: | | Points: | |
| Reviewer: | | Sponsor: | |
Description
There's an API for doing so here:
https://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/public/nsIBadCertListener2.idl
Change History (3)
comment:1 Changed 7 years ago by
comment:2 Changed 6 years ago by
Status: new → needs_review
A draft implementation is in this branch. Dan, when you get a chance do you want to see if this looks ok and decide what you'd like to do to flag invalidity in these submissions?
comment:3 Changed 2 years ago by
Severity: → Normal
Set all open tickets without a severity to "Normal"
<keeler> I should mention we're trying to deprecate nsIBadCertListener2 - you should be able to do what it does by opening a connection and receiving events on its channel
<keeler> I've done a similar thing in test_ocsp_stapling.js in https://bugzilla.mozilla.org/page.cgi?id=splinter.html&bug=700693&attachment=747679
<pde> keeler: by "opening a connection" to you mean making a ghost https request for every https domain the browser connects to?
<pde> s/to/do
<pde> ?
<keeler> oh, no - that would be a bit of a bummer. I just meant for an individual request
<keeler> I guess nsIBadCertListener2 is the only way to do it wholesale
<pde> keeler: is there a bug we can watch for the future of nsIBadCertListener2?
<keeler> pde: hmmm - maybe I was wrong about that. We removed some unnecessary implementations of it in bug 750421, but I don't think there's a bug on removing the interface entirely yet
<firebot> Bug https://bugzilla.mozilla.org/show_bug.cgi?id=750421 enh, --, mozilla22, bsmith, RESO FIXED, Remove unnecessary nsIBadCertListener2 and nsISSLErrorListener implementations
<bsmith> keeler pde: which interface?
<keeler> nsIBadCertListener2
<bsmith> keeler pde: it is possible to get the effect of nsIBadCertListener2 using other callbacks.
<keeler> bsmith: for all connections?
<bsmith> keeler: I think you can use nsIWebProgressListener and similar, in all contexts that you can use nsIBadCertListener2
<keeler> oh yeah