
Hack 19. Grant Trust with Master Certificates

Control secure uses of Firefox completely with an overriding master certificate.

Web site content can request trusted access to Firefox by presenting content that is digitally signed [Hack #18]. Trusted access lets the content break out of the web page sandbox. The user must manually confirm that they trust the signed content presented before this can happen. This hack explains how to avoid that manual confirmation.

2.10.1. Master Certificate Concepts

Firefox supports the use of a master certificate. Such a certificate differs from the master password that can be set in the Options dialog box in the following ways:


Master password

Stored in the Firefox user profile area: one piece of data per user profile. Provides an overall security check per profile and privacy for each user.


Master certificate

Stored in the Firefox install area: one JAR file only. Provides an overall security check for one or more remote websites and secure access to the browser for those web sites.

In other words, a master password keeps other users out; a master certificate lets web sites in. Since all this information is stored on the same computer as Firefox, both can be changed by anyone who can log in to the computer.

A typical use of a master certificate is for a vendor, distributor, or deployer to bundle it with a Mozilla-based product. This gives a distributor a back door through which they can control the browser's security status. This back door can be exploited for different reasons, depending on the web environment:


In a conservative environment

It allows the distributor to create a community of trusted web sites that all have secure access to the user's browser. Such a community can aggregate value-added services in the user's browser.


In a liberal environment

It allows a distributor to insist that security restrictions must be dropped by those that read either the vendor's web site or the vendor's friends' web sites. Such an environment ensures that no user can hold back from engaging with the rest of the community.

Master certificates are, therefore, a management tool similar to Firefox's Update Manager, with the following differences:

  • The Update Manager requires both dialog boxes and user interaction. Master certificates work automatically.

  • The Update Manager provides search, version, download, and install tools. Master certificates must be deployed by hand.

  • The master certificate uses fine-grained security. Update Manager is all-or-nothing.

  • Scripts trusted via the master-certificate system must still request the secure access they need. Scripts in updated extensions and patches are automatically secure.

In both cases, the user must download a URL before any security checks happen. You can arrange matters so that such checks are automatic. For example, you can set the home page to a URL that points to suitably signed content.

2.10.2. Deploying Master Certificates

A master certificate is deployed as a signature on a JAR file. No other contents are required in the JAR, so it can contain either nothing (an empty directory) or some dummy content. Just store the certificate [Hack #17] and sign the nonexistent content normally [Hack #18]. The JAR file must be named systemSignature.jar (the filename is case-sensitive).

Do not keep the master certificate inside any of Firefox's user profiles. That can become very confusing at runtime. Maintain separate copies of the three .db files signtool requires, and keep them in a secure place. At worst, maintain a separate, dedicated Firefox install or a separate Firefox user profile. Use that separate configuration for nothing other than maintaining the master certificate.

Next, place the JAR file in the Firefox install area. It should go in the same directory as firefox.exe (Windows), firefox-bin (Linux/Unix), or in the Essential Files directory on Mac OS X. Restart Firefox.

To test whether the certificate is working, sign a piece of content with the master certificate. The content should also use the netscape.security.PrivilegeManager.enablePrivilege() method [Hack #18]. Put the resulting JAR file behind a URL. Download it and confirm that the privileges are automatically granted.

Master certificates can also be wrapped up inside an Extension and deployed that way.
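Since the master certificate is only a file in the install directory, an administrator can inventory Firefox installs for it. The following Python script is an added example, not code from the original text; its function names are assumptions, and it reports the file's presence and signed-JAR layout (signature files under META-INF/) without verifying the signature itself.

```python
import hashlib
import os
import sys
import zipfile

MASTER_JAR = "systemSignature.jar"       # exact, case-sensitive name from the text
SIG_SUFFIXES = (".sf", ".rsa", ".dsa")   # signature file types in a signed JAR


def inspect_master_jar(path):
    """Return inventory facts for one candidate master-certificate JAR."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    info = {"path": path, "sha256": digest, "valid_zip": False,
            "signature_files": [], "payload": []}
    try:
        with zipfile.ZipFile(path) as jar:
            names = jar.namelist()
    except zipfile.BadZipFile:
        return info                      # right name, but not a readable JAR
    info["valid_zip"] = True
    for name in sorted(names):
        in_meta = name.upper().startswith("META-INF/")
        if in_meta and name.lower().endswith(SIG_SUFFIXES):
            info["signature_files"].append(name)
        elif not in_meta and not name.endswith("/"):
            info["payload"].append(name)  # dummy content, if any
    return info


def audit_install_dirs(install_dirs):
    """Look in each install directory (not its subdirectories) for the JAR."""
    findings = []
    for directory in install_dirs:
        try:
            entries = os.listdir(directory)
        except OSError:
            continue                     # missing or unreadable directory
        for name in entries:
            if name.lower() == MASTER_JAR.lower():
                info = inspect_master_jar(os.path.join(directory, name))
                # Case variants are reported too, flagged as inexact names.
                info["exact_name"] = (name == MASTER_JAR)
                findings.append(info)
    return findings


if __name__ == "__main__":
    for finding in audit_install_dirs(sys.argv[1:]):
        print(finding)
```

Pass the directory that holds firefox.exe or firefox-bin as an argument; recording the reported SHA-256 lets a later run show whether the file has been replaced.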

2.10.3. Delegating Trust to Others

The trust that the master certificate provides can be passed on (inherited, adopted, or added) to other certificates. This means that content signed with those other certificates can gain full access to the browser. To do this, content signed by the master certificate must tell the browser who else should be trusted, using a special JavaScript script in a web page.

The netscape.security.PrivilegeManager API includes two methods that are available only to scripts signed with the master certificate. These JavaScript methods spread trust to other certificates. They look like this:

netscape.security.PrivilegeManager.setCanEnablePrivilege(fprint, privs)
netscape.security.PrivilegeManager.invalidate(fprint)

fprint is the SHA1 fingerprint of the other certificate that is to be trusted, normally a web site certificate. That other certificate may or may not be installed in the Firefox certificate database; any certificate can be specified. privs is a set of space-separated capability privileges [Hack #20]. MD5 fingerprints are not supported.

To find out the fingerprint of a certificate, either view its details in the Firefox Certificate Manager, if it happens to be recorded there, or run these commands, downloaded as part of the Mozilla NSS package:

signtool -L -d "."              # list all known certificates
certutil -L -d "." -n "name"    # display details for cert. "name"

Scripts delegating trust can also be wrapped up inside an Extension and deployed that way.

2.10.4. Alternatives to Master Certificates

You don't have to use a master certificate. There are several alternatives:

  • Provide a page of links to all content to be trusted and ask users to spend Friday afternoon clicking on all of them. Get them to save their choices so that they are never asked again.

  • Follow the preceding approach for a single user. When finished, copy the user's updated certificate database to all other Firefox users' profiles.

  • Extensions can do anything, and security arrangements are stored in the Firefox preferences file. You can build a custom security system as an Extension that sets up whatever security arrangements are required for normally secure web pages.
