Hack 19. Grant Trust with Master Certificates
Control secure uses of Firefox completely with an overriding master certificate.
Web site content can request trusted access to Firefox by presenting content that is digitally signed [Hack #18] . Trusted access lets the content break out of the web page sandbox. The user must manually confirm that they trust the signed content presented before this can happen. This hack explains how to avoid that manual confirmation.
2.10.1. Master Certificate Concepts
In other words, a master password keeps other users out; a master certificate lets web sites in. Since all this information is stored on the same computer as Firefox, both are subject to change from anyone who can log in to the computer.
A typical use of a master certificate is for a vendor, distributor, or deployer to bundle it with a Mozilla-based product. This gives a distributor a back door through which they can control the browser's security status. This back door can be exploited for different reasons, depending on the web environment:
Master certificates are, therefore, a management tool similar to Firefox's Update Manager, with the following differences:
In both cases, the user must download a URL before any security checks happen. You can arrange matters so that such checks are automatic. For example, you can set the home page to a URL that points to suitably signed content.
2.10.2. Deploying Master Certificates
A master certificate is deployed as a signature on a JAR file. No other contents are required in the JAR, so it can contain either nothing (an empty directory) or some dummy content. Just store the certificate [Hack #17] and sign the nonexistent content normally [Hack #18] . The JAR file must be named systemSignature.jar (the filename is case-sensitive).
Do not keep the master certificate inside any of Firefox's user profiles. That can become very confusing at runtime. Maintain separate copies of the three .db files signtool requires, and keep them in a secure place. At worst, maintain a separate, dedicated Firefox install or a separate Firefox user profile. Use that separate configuration for nothing other than maintaining the master certificate.
Next, place the JAR file in the Firefox install area. It should go in the same directory as firefox.exe (Windows), firefox-bin (Linux/Unix), or in the Essential Files directory on Mac OS X. Restart Firefox.
To test whether the certificate is working, sign a piece of content with the master certificate. The content should also use the netscape.security.PrivilegeManager.enablePrivilege( ) method [Hack #18] . Put the resulting JAR file behind a URL. Download it and confirm that the privileges are automatically granted.
Master certificates can also be wrapped up inside an Extension and deployed that way.
2.10.3. Delegating Trust to Others
netscape.security.PrivilegeManager.setCanEnablePrivilege(fprint, privs) netscape.security.PrivilegeManager.invalidate(fprint)
fprint is the SHA1 fingerprint of the other certificate that is to be trustednormally, a web site certificate. That other certificate may or may not be installed in the Firefox certificate database. Any certificate can be specified, though. privs is a set of space-separated capability privileges [Hack #20] . MD5 fingerprints are not supported.
To find out the fingerprint of a certificate, either view its details in the Firefox Certificate Manager, if it happens to be recorded there, or run these commands, downloaded as part of the Mozilla NSS package:
signtool -L -d "." # list all known certificates certutil -L -d "." -n"name" # display details for cert. "name"
Scripts delegating trust can also be wrapped up inside an Extension and deployed that way.
2.10.4. Alternatives to Master Certificates