On 2009-05-04 12:27, Andrews, Rick wrote:
A customer asked this question, and I couldn't answer it.
Let's say I'm a hacker with access to a public kiosk, and I want users
of that kiosk to see the EV green toolbar when they use the kiosk to
visit my hacked web site. My web site is configured with an SSL cert
signed by my own root.
I access the mozilla source code and use it to build my own version of
Firefox. In that version, I add my root with the EV metadata. I suppose
I'll also need to set up an OCSP responder to respond to Firefox's OCSP
requests for my SSL cert, or just disable that check in my custom
Firefox. I then install that version of Firefox on the kiosk. Now anyone
using the kiosk to visit my web site will see the green toolbar.
Are there any safeguards in place to prevent this hack from succeeding?
A very similar hack has already been done. It's a Firefox extension
that (IIRC) silently installs some roots and shows the green bar for
(some of) the certs that chain up to those roots. See it at
https://addons.mozilla.org/en-US/firefox/addon/4828
-Rick Andrews
/Nelson
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
