Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
B
blueprints
  • Project overview
    • Project overview
    • Details
    • Activity
  • Analytics
    • Analytics
    • Value Stream
  • Wiki
    • Wiki
  • Snippets
    • Snippets
  • Members
    • Members
  • Activity
Collapse sidebar
  • tails
  • blueprints
  • Wiki
  • web_browser_profile_with_no_CA

Last edited by intrigeri Jan 12, 2021
Page history

web_browser_profile_with_no_CA

Corresponding ticket: tails#5766 (closed).

Tails should ship a (non-default) web browser profile that would not trust the CA cartel, but instead use some alternative, more agile and stronger trust system.

  • Candidates
  • Criteria
  • Implementation
    • Iceweasel profile

Candidates

  • Monkeysphere: tails#5763 (closed)
  • Convergence: tails#6102 (closed)
  • TACK
  • EFF's sovereign keys
  • Google's proposal

Criteria

  • beware of the browser fingerprint

Implementation

Iceweasel profile

We should now provide a second iceweasel profile with all root CAs disabled.

One way to do it would be to dpkg-divert libnssckbi.so by default, extract all the CAs from the original libnssckbi.so and stuff them into the "normal X.509 usage" profile's DB.

See also the mozilla/security/nss/lib/ckfw/builtins/README file in the nss package source tree (read online) to learn how to build a libnssckbi.so with a custom list of builtin CAs.

According to a blog post, certutil may be an adequate tool for the task:

    apt install libnss3-tools
    certutil -d $HOME/.mozilla/firefox/$HLAGHLLAGHGAAHLGALHHGHLAGH.default -A -n 'CA Cert Signing Authority - Root CA' -t CT,C,C -i /etc/ssl/certs/root.pem

What does not work is to disable this module for the no-CAs profile using:

modutil -dbdir PROFILE_DIR -disable "NSS Internal PKCS #11 Module"

The Freepto folks are working on wrappers around certutil:

  • http://lists.autistici.org/message/20141013.235706.2496a2bc.en.html
  • https://github.com/boyska/freepto-lb/blob/r-berenjena/config/hooks/certificates.chroot
  • https://github.com/boyska/freepto-lb/blob/r-berenjena/config/includes.chroot/usr/local/bin/add-cert-to-firefox

It's also possible to use the cert_override.txt mechanism to add certificate exceptions.

Adding a CA can be done with an add-on. Presumably removing or distrusting one can too.

Clone repository
  • Home
  • Monthly reports
  • Sandbox