Security/Features/Strange SSL Cert Change Alert

From MozillaWiki


Certificate Suspicion
Stage Draft
Status `
Release target `
Health OK
Status note `


Product manager Sid Stamm
Directly Responsible Individual `
Lead engineer `
Security lead Curtis Koenig
Privacy lead Sid Stamm
Localization lead `
Accessibility lead `
QA lead `
UX lead `
Product marketing lead `
Operations lead `
Additional members Tom Lowenthal

Open issues/risks

Any notary-based component has the potential to be a privacy threat to users.

Stage 1: Definition

1. Feature overview

Under the current SSL PKI, any CA can issue a certificate for any service, making every CA a potential point of total failure. Several CAs, including Comodo and DigiNotar, have been successfully attacked and have issued cryptographically valid but incorrect certificates for a number of sites, including *.*.com and *.*.org. So: current PKI may validate certificates that are not actually correct.

When users trust SSL, they may put financial or sensitive personal information on the line. If the certificate they trust is part of a MITM attack by a criminal gang, a user's money may be stolen. If the certificate they trust is part of a MITM by an oppressive government, they may be tortured to death.

Some of the time, these incorrect certificates would be obviously suspicious to manual inspection, even though they satisfy the automated PKI requirements. For instance, if a popular US-based mail service appears to have renewed its two-month-old SSL certificate at a small Dutch CA, something may be amiss.

Firefox should heuristically attempt to identify some of these cases, and should warn the user or perform additional checks if there is reason to be suspicious of a certificate.

2. Users & use cases

All users benefit whenever they trust an SSL connection.

The following are examples of situations which might prompt suspicion:
- a site's certificate changes from one CA to another;
- a site's certificate changes when it is not near expiry; or
- a site's certificate changes from EV to DV.

The following are examples of actions Firefox might take if a certificate is suspicious:
- treat the certificate as untrusted;
- contact a Mozilla-run notary to ask about the certificate; or
- contact a Mozilla-run notary to warn about a suspected attack.

3. Dependencies


4. Requirements

Any combination of suspicion and notary must not be an effective tool to spy on users.

If suspicion leads to distrust, the heuristics should not have high false-positive rates.


This feature is not intended to replace PKI, but to supplement it with an additional sanity check.

Stage 2: Design

5. Functional specification


6. User experience design


Stage 3: Planning

7. Implementation plan

The MVP for this feature is:
- whenever we see a trusted certificate, remember its CA;
- whenever we see a new certificate for a site, if the new CA is different from the old CA, treat the new certificate as being untrusted.

We can potentially add more complexity in subsequent releases.

Additional heuristics to identify a "suspicious" certificate might include:
- this certificate is new, and the old one was nowhere near expiry;
- this certificate is new, and the old one was from a different intermediate CA of this CA.

Additional actions to take if a certificate is suspicious might include:
- provide the user with a soft warning;
- contact a Perspectives-Convergence-style notary run by Mozilla, to see whether we see the same certificate;
- contact a Mozilla-run notary to report a suspected attack.
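The MVP rule from section 7 together with the suspicion heuristics from sections 2 and 7 (CA change, change while the old certificate was not near expiry, EV to DV, different intermediate), as an added worked example that is not Firefox code: a small per-host store that remembers the last trusted certificate and reports which heuristics a new one triggers. The 30-day "near expiry" window, the `CertObservation` fields and the host and CA names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class CertObservation:
    """What the client remembers about a validated leaf certificate (constructed fields, not real certs)."""
    root: str            # root CA the validated chain ends at
    issuer: str          # intermediate CA that signed the leaf
    not_after: datetime  # expiry of the leaf certificate
    ev: bool             # extended-validation certificate?

class CertSuspicionStore:
    """Remembers the last trusted certificate per host and flags suspicious changes."""
    def __init__(self, near_expiry=timedelta(days=30)):  # 30 days is an assumed threshold
        self.seen = {}                  # host -> CertObservation
        self.near_expiry = near_expiry  # a renewal this close to expiry is expected
    def evaluate(self, host, new, now):
        """Return the heuristics triggered by `new` for `host` (empty list = no suspicion)."""
        old = self.seen.get(host)
        reasons = []
        if old is None or new == old:
            return reasons              # first sighting, or the certificate we already know
        if new.root != old.root:
            reasons.append("ca-changed")            # MVP rule: the CA itself changed
        elif new.issuer != old.issuer:
            reasons.append("intermediate-changed")  # same root, different intermediate CA
        if old.not_after - now > self.near_expiry:
            reasons.append("old-cert-not-near-expiry")
        if old.ev and not new.ev:
            reasons.append("ev-to-dv")
        return reasons
    def observe(self, host, cert, now):
        """MVP policy: a CA change makes the new certificate untrusted (and it is not remembered)."""
        reasons = self.evaluate(host, cert, now)
        trusted = "ca-changed" not in reasons
        if trusted:
            self.seen[host] = cert      # only trusted certificates become the remembered one
        return trusted, reasons

def demo():
    """Constructed scenario: a normal renewal at the same CA, then a sudden switch of root CA and EV->DV."""
    t0 = datetime(2011, 9, 1)
    store = CertSuspicionStore()
    first = CertObservation("Example Root A", "Example Intermediate A1", t0 + timedelta(days=20), True)
    renewed = CertObservation("Example Root A", "Example Intermediate A1", t0 + timedelta(days=400), True)
    swapped = CertObservation("Example Root B", "Example Intermediate B9", t0 + timedelta(days=365), False)
    host = "mail.example.test"
    return {"first": store.observe(host, first, t0),
            "renewed": store.observe(host, renewed, t0 + timedelta(days=1)),
            "swapped": store.observe(host, swapped, t0 + timedelta(days=30))}
```

The renewal 19 days before expiry triggers nothing, while the later switch to a different root CA while the known certificate still had over a year left is both flagged and, under the MVP rule, refused.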

8. Reviews

Security review


Privacy review


Localization review




Quality Assurance review


Operations review


Stage 4: Development

9. Implementation


Stage 5: Release

10. Landing criteria


Feature details

Priority Unprioritized
Rank 999
Theme / Goal Product Hardening
Roadmap Security
Secondary roadmap User Support
Feature list `
Project `
Engineering team `

Team status notes

  status notes
Products ` `
Engineering ` `
Security ` `
Privacy ` `
Localization ` `
Accessibility ` `
Quality assurance ` `
User experience ` `
Product marketing ` `
Operations ` `