cipherfox icon indicating copy to clipboard operation
cipherfox copied to clipboard

Published 20 hours ago verified publisher icon gavinhungry

WebExtensions Support

Open DaAwesomeP opened this issue 8 years ago • 14 comments

This is a very useful extension, so I would hate to see its demise in later Firefox versions. Is it possible to re-implement the extension with the WebExtension API? It won't be able to reside in the convenient place where it does not (in the SSL dropdown in the URL bar), but at least it will be able to provide the detailed SSL info somewhere.

DaAwesomeP avatar Mar 08 '17 01:03 DaAwesomeP

I have not looked into what WebExtensions expose that we could use to make CipherFox work. That said, ~~I no longer use Firefox (except for updating this extension, occasionally), so~~ it's not a high priority for me. In the likely event that I never get around to this, Pull Requests for this feature are absolutely welcome.

gavinhungry avatar Mar 08 '17 01:03 gavinhungry

As far as I know, it's not possible to implement Cipherfox via WebExtensions currently, because there's no WebExtensions API to access certificate information. Here's a related bugzilla feature request: https://bug623317.bugzilla.mozilla.org/show_bug.cgi?id=1322748

Addons not rewritten for WebExtensions will stop working at Firefox 57, November 14th. I'll try to track and update this issue.

herczegzsolt avatar Apr 16 '17 09:04 herczegzsolt

There seems to be some progress at the Mozilla bug thread, but it's slow: https://bug623317.bugzilla.mozilla.org/show_bug.cgi?id=1322748

DaAwesomeP avatar Oct 14 '17 02:10 DaAwesomeP

It might be possible to analyze the SSL separately from Firefox on-click with a native JavaScript library like Forge. A relatively safe request to /favicon.ico would do the trick. It shouldn't be too slow or cause a performance hit if it's activated per-use and only analyzing one request. I will consider developing this myself, but it would be very different from how this addon currently functions—I would probably do it separate from this repo. Unfortunately, this wouldn't be my first WebExtension hack-replacement addon.

DaAwesomeP avatar Oct 14 '17 02:10 DaAwesomeP

@DaAwesomeP i'm concerned about this workaround causing false sense of security to the user.

  • In case the server handshakes with Firefox using a weaker algo cert than with the addon, user may be falsely identify the site as secure
  • In case of a MITIM attack, it's easy to isolate and pass-through the request of such an addon, causing the user to falsely identify the site as secure

Because it's hard to assess these risks even for an experienced user, I'd not recommend such an addon. I think such an addon needs at least the hash of the actual cert in use from firefox, so that it can verify that the request it creates use the same cert as the browser.

herczegzsolt avatar Oct 15 '17 10:10 herczegzsolt

I think this should now be possible to implement in Firefox Nightly, because bug 1322748 just landed.

evilpie avatar May 25 '18 15:05 evilpie

@DaAwesomeP @herczegzsolt @evilpie

I've un-archived this repository in order to investigate developing a WebExtensions version of CipherFox - unless somebody has already developed a suitable alternative?

Notes:

  • https://stackoverflow.com/questions/2402121/within-a-web-browser-is-it-possible-for-javascript-to-obtain-information-about

gavinhungry avatar Apr 19 '22 03:04 gavinhungry

@gavinhungry I've not found any suitable alternatives within firefox or chrome, I use the openssl cli when I have to. I would love to see this extension again.

I don't have the bandwidth at the moment to work on implementing this, but I'm more than happy to test and debug it if that helps.

herczegzsolt avatar Apr 20 '22 12:04 herczegzsolt

@DaAwesomeP @herczegzsolt @evilpie

I've un-archived this repository in order to investigate developing a WebExtensions version of CipherFox - unless somebody has already developed a suitable alternative?

There is this other extension now:

  • https://addons.mozilla.org/it/firefox/addon/certainly-something/
  • https://github.com/april/certainly-something

FabioPedretti avatar Apr 20 '22 14:04 FabioPedretti

That's not really an alternative, but might be helpful in rewriting CF.

https://github.com/april/certainly-something

From its ReadMe:

Note: Certainly Something has been integrated into Firefox 72, and is no longer necessary for viewing certificates.

Uses the new TLS Info API in Firefox to view information about the current state of your HTTPS connection.

TPS avatar Apr 21 '22 10:04 TPS

This might be a bit closer: https://addons.mozilla.org/en-US/firefox/addon/indicatetls/ ↓ https://github.com/jannispinter/indicatetls

Addon for Mozilla Firefox that displays the TLS protocol version of websites you visit. This extension makes use of the new SecurityInfo API in Mozilla Firefox to display some information about the TLS connection.

TPS avatar Apr 23 '22 16:04 TPS

Actually, after having now seen IndicateTLS, I'm really cooling on the idea of porting CipherFox at all ... that seems pretty feature-complete to me.

gavinhungry avatar Apr 29 '22 05:04 gavinhungry

IndicateTLS … seems pretty feature-complete to me.

It hasn't been updated in 2 years & there're a bunch of open issues, so @ least some of its (non-troll 😉) users disagree w/ you re: that. Maybe develop there?

TPS avatar Apr 29 '22 11:04 TPS

I suppose I meant feature-complete compared to what I myself would likely implement here.

Seems better to extend and support IndicateTLS than completely re-write CipherFox at this point.

gavinhungry avatar Apr 29 '22 19:04 gavinhungry