Skip to content

Latest commit

 

History

History
47 lines (28 loc) · 3.23 KB

README.md

File metadata and controls

47 lines (28 loc) · 3.23 KB

VerifyCT for Firefox

This is an experimental, work in progress extension trying to bring Certificate Transparency support to Firefox.

At the current stage, you should not use this extension unless you are familiar with Certificate Transparency (i.e. you know what an SCT is), and willing to deal with issues and look at the console for output.

Permissions

The extension needs to use getSecurityInfo to get access to the certificates. As the documentation explains, this unfortunately requires webRequest, webRequestBlocking and host permissions for all hosts where we want to monitor certificates (i.e. <all_urls>).

storage and unlimitedStorage are used to store e.g. the CT log list and certificate data.

Supply chain security

The JavaScript/npm ecosystem is known for its sprawling dependency trees and resulting supply chain attacks. I've tried to minimize dependencies and apply some hardening.

What's included

See package.json and package-lock.json for all dependencies.

The well-known PKI.js (from @PeculiarVentures) is basically unavoidable when working with certificates. CTjs (from @YuryStrozhevsky, one of the PKI.js contributors) provides code for handling Certificate Transparency. These are luckily relatively light on dependencies and the dependencies are from the same authors, limiting exposure.

I'm bundling all dependencies into deps.js and also exposing the transitive dependencies there, and checking this file into git. This makes it possible to develop the extension without having to use a build system.

For bundling, rollup.js and its transitive dependencies are used.

Reproducible builds

The build can be run sandboxed in a docker container:

$ sudo docker pull node:alpine
$ sudo docker image ls node --digests
REPOSITORY   TAG       DIGEST                                                                    IMAGE ID       CREATED      SIZE
node         alpine    sha256:181d0e0248e825fa1c056c7ef85e91fbad340caf0814d30b81467daea4637045   52a11a0f9868   4 days ago   148MB
$ sudo docker run -u 1000 -it --rm -w /work -v "$PWD/node":/work node:alpine npm install
$ sudo docker run -u 1000 -it --rm -w /work -v "$PWD/node":/work node:alpine npm run build

I will likely not update the digest above each time I rebuild. However, the build output appeared stable even when I tried with an older node container.

Hardening

I am unable to fully review the dependencies. As an additional precaution, I'm only including the dependencies in a WebWorker running in the background. This worker should not have direct access to the extension APIs. While I'm not 100% confident that this is a solid security boundary, it should limit the risk of exposure at least against untargeted supply chain attacks.

Key provenance

ext/data/loglist_signing_key.rsa.pub is https://www.gstatic.com/ct/log_list/v3/log_list_pubkey.pem converted to binary (DER) format: openssl rsa -pubin -inform pem -outform der