celebratedrecluse wrote (edited )
Reply to comment by bea in Why Tor-Browser is currently not safe to use and what to do about it (applies to all other Firefox derivatives too) by boom
The certificate expiring (a completely predictable problem, obviously) is only fixed through a "voluntary" program, which undermines the verifiability of the browser's integrity.
Totally not suspicious at all!
Edit: does this fix require enabling the studies program?
bea wrote (edited )
Yeah, because of this comment I unpacked the addon and examined the code myself. The only thing it's doing is adding a bundled base64-encoded cert and forcing a re-verification:
```javascript
// Excerpt of the hotfix addon. Cc, Ci and XPIDatabase are Firefox-internal
// (privileged/chrome) globals, so this only runs inside the browser itself.
async doTheThing() {
  // First, inject the new intermediate cert into the certificate database
  try {
    let intermediate = "[[BASE64 ENCODED CERT OMITTED]]";
    let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
    // ",," sets no explicit trust flags: the cert is only an intermediate used to rebuild the chain
    certDB.addCertFromBase64(intermediate, ",,");
    console.log("new intermediate certificate added");
  } catch (e) {
    console.error("failed to add new intermediate certificate:", e);
  }
  // Second, force a re-verify of addon signatures against the repaired chain
  try {
    XPIDatabase.verifySignatures();
    console.log("signatures re-verified");
  } catch (e) {
    console.error("failed to re-verify signatures:", e);
  }
}
```
And the addon itself was signed by Mozilla and is distributed by them in their studies program, which is avoided by installing it manually (so I wouldn't doubt its legitimacy).
However, you'd know all this by reading the thread I linked; here's the relevant comment: https://news.ycombinator.com/item?id=19827415
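The check worth doing before trusting any bundled certificate like the one bea describes is to decode the base64 DER blob and read its validity window yourself, since an expiry date is exactly what went wrong here. The following is an added example and is not code from the thread or from Mozilla's hotfix: it is a minimal hand-written DER walker that reaches tbsCertificate.validity, plus a constructed toy certificate (unsigned, dummy key, made-up names and dates) so it runs offline. Point `certificate_validity` at the real base64 string instead to inspect the actual cert.

```python
"""Decode a base64 DER X.509 certificate and report its validity window.
Added example, not from the thread or Mozilla's hotfix. The DER walker follows
only the fields needed to reach tbsCertificate.validity; the sample certificate
is constructed below (unsigned, dummy key, made-up names and dates).
"""
import base64
from datetime import datetime, timezone

SEQUENCE, SET, INTEGER, OID, UTF8, NULL, BITSTR = 0x30, 0x31, 0x02, 0x06, 0x0C, 0x05, 0x03
UTCTIME, GENTIME, EXPLICIT_0 = 0x17, 0x18, 0xA0

def der_tlv(tag, body):
    """Encode one DER element with a definite-length header (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_read(buf, pos):
    """Decode the element at pos -> (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Yield (tag, value) for each element inside a constructed body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        yield tag, val

def parse_time(tag, val):
    """RFC 5280 4.1.2.5: UTCTime YYMMDDHHMMSSZ (50-99 -> 19xx), GeneralizedTime YYYYMMDDHHMMSSZ."""
    s = val.decode("ascii")
    if tag == UTCTIME:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != GENTIME:
        raise ValueError(f"unexpected time tag {tag:#x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def certificate_validity(b64_der):
    """Return (notBefore, notAfter) of a base64 DER certificate as aware UTC datetimes."""
    der = base64.b64decode(b64_der)
    tag, cert, end = der_read(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("input is not a single DER SEQUENCE")
    tbs_tag, tbs, _ = der_read(cert, 0)          # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    if tbs_tag != SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(der_children(tbs))
    if fields and fields[0][0] == EXPLICIT_0:   # optional explicit [0] version
        fields = fields[1:]
    # TBSCertificate then continues: serialNumber, signature, issuer, validity, subject, ...
    vtag, validity = fields[3]
    times = list(der_children(validity))
    if vtag != SEQUENCE or len(times) != 2:
        raise ValueError("validity must be a SEQUENCE of two times")
    return parse_time(*times[0]), parse_time(*times[1])

def validity_status(b64_der, when_iso):
    """'valid', 'expired' or 'not yet valid' at an ISO-8601 instant (UTC if naive)."""
    when = datetime.fromisoformat(when_iso)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    not_before, not_after = certificate_validity(b64_der)
    if when < not_before:
        return "not yet valid"
    return "expired" if when > not_after else "valid"

def build_toy_certificate(not_before, not_after):
    """Constructed stand-in: structurally valid, unsigned, dummy key. Test data only."""
    def name(cn):   # Name ::= SEQUENCE OF SET OF { OID id-at-commonName, UTF8String }
        atv = der_tlv(SEQUENCE, der_tlv(OID, bytes([0x55, 0x04, 0x03])) + der_tlv(UTF8, cn.encode()))
        return der_tlv(SEQUENCE, der_tlv(SET, atv))
    sha256_rsa = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2A864886F70D01010B")) + der_tlv(NULL, b""))
    tbs = der_tlv(SEQUENCE, der_tlv(EXPLICIT_0, der_tlv(INTEGER, b"\x02"))   # version v3
                  + der_tlv(INTEGER, b"\x01") + sha256_rsa                   # serialNumber, signature
                  + name("Constructed Root CA")                              # issuer
                  + der_tlv(SEQUENCE, der_tlv(UTCTIME, not_before.encode()) + der_tlv(UTCTIME, not_after.encode()))
                  + name("Constructed Intermediate")                         # subject
                  + der_tlv(SEQUENCE, sha256_rsa + der_tlv(BITSTR, b"\x00\x00")))   # dummy SPKI
    cert = der_tlv(SEQUENCE, tbs + sha256_rsa + der_tlv(BITSTR, b"\x00" * 9))       # dummy signature
    return base64.b64encode(cert).decode("ascii")

# Constructed sample: a toy intermediate valid 2018-01-01 .. 2020-01-01 UTC.
TOY_INTERMEDIATE_B64 = build_toy_certificate("180101000000Z", "200101000000Z")
```

`validity_status(TOY_INTERMEDIATE_B64, "2019-06-01")` returns `"valid"` and `validity_status(TOY_INTERMEDIATE_B64, "2021-01-01")` returns `"expired"`. The walker deliberately stops at the validity field and does no signature or chain checking; it only answers the question a bundled intermediate raises first, namely when it stops being usable.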
celebratedrecluse wrote
You're right, I did not look at this carefully, and my confirmation bias led me to an erroneous conclusion. Should be safe to install, I concur.