WebExtensions Support about cipherfox HOT 14 OPEN

@DaAwesomeP @herczegzsolt @evilpie

I've un-archived this repository in order to investigate developing a WebExtensions version of CipherFox - unless somebody has already developed a suitable alternative?

Notes:

• https://stackoverflow.com/questions/2402121/within-a-web-browser-is-it-possible-for-javascript-to-obtain-information-about

from cipherfox.

I think this should now be possible to implement in Firefox Nightly, because bug 1322748 just landed.

from cipherfox.

I suppose I meant feature-complete compared to what I myself would likely implement here.

Seems better to extend and support IndicateTLS than completely re-write CipherFox at this point.

from cipherfox.

@DaAwesomeP @herczegzsolt @evilpie

I've un-archived this repository in order to investigate developing a WebExtensions version of CipherFox - unless somebody has already developed a suitable alternative?

There is this other extension now:

• https://addons.mozilla.org/it/firefox/addon/certainly-something/
• https://github.com/april/certainly-something

from cipherfox.

Actually, after having now seen IndicateTLS, I'm really cooling on the idea of porting CipherFox at all ... that seems pretty feature-complete to me.

from cipherfox.

I have not looked into what WebExtensions expose that we could use to make CipherFox work. That said, I no longer use Firefox (except for updating this extension, occasionally), so it's not a high priority for me. In the likely event that I never get around to this, Pull Requests for this feature are absolutely welcome.

from cipherfox.

As far as I know, it's not possible to implement Cipherfox via WebExtensions currently, because there's no WebExtensions API to access certificate information. Here's a related bugzilla feature request:
https://bug623317.bugzilla.mozilla.org/show_bug.cgi?id=1322748

Addons not rewritten for WebExtensions will stop working at Firefox 57, November 14th. I'll try to track and update this issue.

from cipherfox.

There seems to be some progress at the Mozilla bug thread, but it's slow: https://bug623317.bugzilla.mozilla.org/show_bug.cgi?id=1322748

from cipherfox.

It might be possible to analyze the SSL separately from Firefox on-click with a native JavaScript library like Forge. A relatively safe request to /favicon.ico would do the trick. It shouldn't be too slow or cause a performance hit if it's activated per-use and only analyzing one request. I will consider developing this myself, but it would be very different from how this addon currently functions—I would probably do it separate from this repo. Unfortunately, this wouldn't be my first WebExtension hack-replacement addon.

from cipherfox.

@DaAwesomeP i'm concerned about this workaround causing false sense of security to the user.

• In case the server handshakes with Firefox using a weaker algo cert than with the addon, user may be falsely identify the site as secure
• In case of a MITIM attack, it's easy to isolate and pass-through the request of such an addon, causing the user to falsely identify the site as secure

Because it's hard to assess these risks even for an experienced user, I'd not recommend such an addon. I think such an addon needs at least the hash of the actual cert in use from firefox, so that it can verify that the request it creates use the same cert as the browser.

from cipherfox.

@gavinhungry I've not found any suitable alternatives within firefox or chrome, I use the openssl cli when I have to. I would love to see this extension again.

I don't have the bandwidth at the moment to work on implementing this, but I'm more than happy to test and debug it if that helps.

from cipherfox.

That's not really an alternative, but might be helpful in rewriting CF.

https://github.com/april/certainly-something

From its ReadMe:

Note: Certainly Something has been integrated into Firefox 72, and is no longer necessary for viewing certificates.

Uses the new TLS Info API in Firefox to view information about the current state of your HTTPS connection.

from cipherfox.

This might be a bit closer:
https://addons.mozilla.org/en-US/firefox/addon/indicatetls/
↓
https://github.com/jannispinter/indicatetls

Addon for Mozilla Firefox that displays the TLS protocol version of websites you visit. This extension makes use of the new SecurityInfo API in Mozilla Firefox to display some information about the TLS connection.

from cipherfox.

IndicateTLS … seems pretty feature-complete to me.

It hasn't been updated in 2 years & there're a bunch of open issues, so @ least some of its (non-troll 😉) users disagree w/ you re: that. Maybe develop there?

from cipherfox.