|
|
[[!tag archived]]
|
|
|
|
|
|
**Corresponding ticket**: [[!tails_ticket 5766]].
|
|
|
|
|
|
Tails should ship a (non-default) web browser profile that would not
|
|
|
trust the CA cartel, but instead use some alternative, more agile and
|
|
|
stronger trust system.
|
|
|
|
|
|
[[!toc levels=2]]
|
|
|
|
|
|
Candidates
|
|
|
==========
|
|
|
|
|
|
* Monkeysphere: [[!tails_ticket 5763]]
|
|
|
* Convergence: [[!tails_ticket 6102]]
|
|
|
* TACK
|
|
|
* EFF's sovereign keys
|
|
|
* Google's proposal
|
|
|
|
|
|
Criteria
|
|
|
========
|
|
|
|
|
|
* beware of the browser fingerprint
|
|
|
|
|
|
Implementation
|
|
|
==============
|
|
|
|
|
|
Iceweasel profile
|
|
|
-----------------
|
|
|
|
|
|
We should now provide a second iceweasel profile with all root CAs
|
|
|
disabled.
|
|
|
|
|
|
One way to do it would be to `dpkg-divert libnssckbi.so` by default,
|
|
|
extract all the CAs from the original `libnssckbi.so` and stuff them
|
|
|
into the "normal X.509 usage" profile's DB.
|
|
|
|
|
|
See also the `mozilla/security/nss/lib/ckfw/builtins/README` file in
|
|
|
the `nss` package source tree ([read
|
|
|
online](https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/README))
|
|
|
to learn how to build a `libnssckbi.so` with a custom list of
|
|
|
builtin CAs.
|
|
|
|
|
|
According to [a blog
|
|
|
post](http://blog.rupamsunyata.org/2008/06/30/consolation-prize.xhtml),
|
|
|
`certutil` may be an adequate tool for the task:
|
|
|
|
|
|
apt install libnss3-tools
|
|
|
certutil -d $HOME/.mozilla/firefox/$HLAGHLLAGHGAAHLGALHHGHLAGH.default -A -n 'CA Cert Signing Authority - Root CA' -t CT,C,C -i /etc/ssl/certs/root.pem
|
|
|
|
|
|
What does not work is to disable this module for the no-CAs profile
|
|
|
using:
|
|
|
|
|
|
modutil -dbdir PROFILE_DIR -disable "NSS Internal PKCS #11 Module"
|
|
|
|
|
|
The Freepto folks are working on wrappers around `certutil`:
|
|
|
|
|
|
* <http://lists.autistici.org/message/20141013.235706.2496a2bc.en.html>
|
|
|
* <https://github.com/boyska/freepto-lb/blob/r-berenjena/config/hooks/certificates.chroot>
|
|
|
* <https://github.com/boyska/freepto-lb/blob/r-berenjena/config/includes.chroot/usr/local/bin/add-cert-to-firefox>
|
|
|
|
|
|
It's also possible to use the [cert_override.txt
|
|
|
mechanism](https://developer.mozilla.org/en-US/docs/Cert_override.txt)
|
|
|
to add certificate exceptions.
|
|
|
|
|
|
Adding a CA can [be done with an
|
|
|
add-on](https://github.com/moba/cacert-firefox-addon).
|
|
|
Presumably removing or distrusting one can too. |