
Certificate warning does not work

Open luizluca opened this issue 6 years ago • 11 comments

When an SSL certificate is not trusted, browsh does not allow me to accept and continue, as Firefox does. I need to open the GUI and do it using X.

luizluca avatar Jul 12 '18 22:07 luizluca

Yeah, this is a big drawback of my current approach with Browsh. The technical reason is that WebExtensions don't allow injection of JS into non-web pages.

This is related to #106

tombh avatar Jul 13 '18 09:07 tombh

@tombh Maybe compiling a version of firefox without certificate warnings and the like would be a solution. One layer of security would be missing though.

We would need to maintain a patch set for firefox.

tobimensch avatar Jul 13 '18 14:07 tobimensch

If you disable the certificate warning, would it be possible to know afterwards if the page certificate was invalid? You could add a warning 'popup'.

Another approach: if you disable the certificate warning, would it be possible to intercept the URL requests before Firefox does the SSL checking? browsh could check it by itself (just like Firefox would do) and, if needed, show the warnings. If the user accepts or the cert is good, let Firefox access the URL.

luizluca avatar Jul 13 '18 17:07 luizluca

@tobimensch Excellent idea! I never considered that. We shouldn't need to compile, it should be possible through preferences. What's more such an approach could work with some of the other problems we have, like the download manager dialog in #126.

@luizluca For sure! We can use curl or something in the background to do the certificate check for us, then show the result to the user.

tombh avatar Jul 14 '18 14:07 tombh

Isn't that too late? If you disable the warning, firefox will already have made a connection (potentially from an AJAX trying to save sensitive data). Showing the warning to the user afterwards may have already leaked data...

jypma avatar Jul 18 '18 07:07 jypma

@jypma The interfacer written in Go could check for any certificates before the webextension and therefore firefox is used.

tobimensch avatar Jul 18 '18 07:07 tobimensch
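What a Go-side pre-flight check along the lines proposed above could look like, as an added example (not browsh's code): it completes a TLS handshake with the target, closes the connection without sending any application data, and reports every problem with the presented chain (name mismatch, untrusted or self-signed issuer, validity period) so the interfacer can build a lynx-style "Continue?" prompt before Firefox is ever pointed at the URL. The function and type names, and the throwaway self-signed certificate used by the demo and test, are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CheckResult is the material a "Continue? (n)" prompt would be built from.
type CheckResult struct {
	Subject      string
	Fingerprint  string // SHA-256 of the leaf certificate (DER), hex, for the user to compare
	HostMismatch bool   // the name in the URL is not covered by the certificate
	Untrusted    bool   // full chain verification failed (unknown root, expired, ...)
	SelfSigned   bool   // the leaf is signed by its own key (typical LAN device)
	Expired      bool   // outside the validity period
	Problems     []string
}

// Trusted reports whether the chain would pass with no prompt at all.
func (r CheckResult) Trusted() bool { return !r.HostMismatch && !r.Untrusted && !r.Expired }

// ClassifyChain runs the checks a browser runs but reports all failures instead
// of stopping at the first one, so the user sees the whole picture at once.
func ClassifyChain(chain []*x509.Certificate, host string, now time.Time) (CheckResult, error) {
	if len(chain) == 0 {
		return CheckResult{}, errors.New("server presented no certificate")
	}
	leaf := chain[0]
	sum := sha256.Sum256(leaf.Raw)
	r := CheckResult{Subject: leaf.Subject.String(), Fingerprint: hex.EncodeToString(sum[:])}
	if err := leaf.VerifyHostname(host); err != nil {
		r.HostMismatch = true
		r.Problems = append(r.Problems, err.Error())
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		r.Expired = true
		r.Problems = append(r.Problems, fmt.Sprintf("certificate only valid from %s to %s",
			leaf.NotBefore.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339)))
	}
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	// DNSName is left empty on purpose: the hostname was checked above, so this
	// call only answers "does the chain reach a trusted root?" (system roots).
	if _, err := leaf.Verify(x509.VerifyOptions{Intermediates: inter, CurrentTime: now}); err != nil {
		r.Untrusted = true
		r.Problems = append(r.Problems, err.Error())
		r.SelfSigned = bytes.Equal(leaf.RawIssuer, leaf.RawSubject) &&
			leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil
	}
	return r, nil
}

// Preflight handshakes with addr (host:port) and classifies what the server
// presented. Nothing but the handshake is exchanged: the connection is closed
// immediately, so no page request or form data can leak before the user decides.
func Preflight(addr string, timeout time.Duration) (CheckResult, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return CheckResult{}, err
	}
	// InsecureSkipVerify only turns off Go's automatic check so the chain can be
	// inspected; the real verification happens in ClassifyChain.
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", addr,
		&tls.Config{ServerName: host, InsecureSkipVerify: true})
	if err != nil {
		return CheckResult{}, err
	}
	chain := conn.ConnectionState().PeerCertificates
	conn.Close()
	return ClassifyChain(chain, host, time.Now())
}

// NewSelfSignedCert builds a throwaway certificate (constructed test data, like
// the "lighttpd TEST" one in the thread) so the demo and test need no network.
func NewSelfSignedCert(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: dnsNames, IPAddresses: ips, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Same situation as the LAN device later in the thread: self-signed cert for
	// "lighttpd TEST", reached by IP address.
	c, _ := NewSelfSignedCert("lighttpd TEST", nil, nil)
	r, _ := ClassifyChain([]*x509.Certificate{c}, "192.168.0.1", time.Now())
	for _, p := range r.Problems {
		fmt.Printf("SSL error: %s - Continue? (n)\n", p)
	}
	fmt.Println("fingerprint:", r.Fingerprint, "trusted:", r.Trusted())
}
```

The check is deliberately separate from the decision: a "y" from the user still has to be turned into something Firefox honours for its own connection (importing the certificate into the profile as discussed below, or driving the warning page through Marionette), otherwise the pre-flight result and the page load are two unrelated connections.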

Instead of opening a major security liability in all HTTPS use, I think a way to override the user profile settings for trusted invalid certificates seems more reasonable.

From the docs:

Security certificate settings: The cert9.db file stores all your security certificate settings and any SSL certificates you have imported into Firefox.

empjustine avatar Jul 18 '18 11:07 empjustine

@empjustine , maybe adding the cert before the first connection and removing it just after the first connection would be enough for the session. Does Firefox check cert validity on every request?

luizluca avatar Jul 18 '18 11:07 luizluca

Hmm, this is all getting a bit tricky now. I need to revisit the possibility of using the Marionette driver to interact with non-web URLs (SSL warnings, about:config, addon config pages, etc.). I already use the Marionette driver (it's the protocol that Selenium uses) to automate the installation of the Browsh web extension code. The only reason I haven't made more use of Marionette is that I wanted to just invest in one browser manipulation API in order to keep things simpler. But if Marionette is able to dismiss SSL pages and maybe even accept modal dialogs (e.g. when installing addons), then that will certainly justify using 2 separate APIs. The only thing is that Marionette is terribly documented, not something I look forward to digging into. Oh, and the other thing to bear in mind is that browsers seem to be gathering on the RDP standard, which would hopefully eventually replace Marionette. So it might not be wise to write too much Marionette code.

tombh avatar Jul 18 '18 14:07 tombh

@tombh Maybe you could write an abstract wrapper around Marionette, to which you could later add RDP or other implementations. I don't know if this would work, as I know virtually none of the APIs involved.

tobimensch avatar Jul 18 '18 16:07 tobimensch

So does this mean I can't use browsh to access a LAN device with a self-signed certificate? My error looks like this:

WEBEXT: Tab undefined received new focus
WEBEXT: New tab created: [object Object]
FF-MRNT: 303:[1,0,{"error":"session not created","message":"Error: NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_SECURITY, MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT)","stacktrace":"#checkLoadingState@chrome://remote/content/shared/Navigate.jsm:209:28\nonStateChange@chrome://remote/content/shared/Navigate.jsm:254:28\n"},null]

This is handled so easily with lynx:

SSL error:The certificate is NOT trusted. The certificate issuer is unknown. -Continue? (n)
SSL error:host(192.168.0.1)!=cert(CN<lighttpd TEST>)-Continue? (n)

To which I just enter y to both and it just works. Why is this so hard to do on browsh which is supposed to be a new, modern and more capable browser? I had high hopes for switching to browsh but it seems it can't even handle a simple user interaction like this.

frakman1 avatar Jul 21 '22 18:07 frakman1