Viewing a single comment thread. View all comments

celebratedrecluse wrote (edited )

the certificate expiring (a completely predictable problem, obviously) is only fixed through a "voluntary" program which undermines the verifiability of the browser's integrity.

Totally not suspicious at all!

edit: does this fix require enabling the studies program?

0

bea wrote (edited )

yeah because of this comment I unpacked the addon and examined the code myself. The only thing it's doing is adding a bundled base64 encoded cert and forcing a re-verification:

async doTheThing() {
  // first inject the new cert
  try {
    let intermediate = "[[BASE64 ENCODED CERT OMITTED]]";
    let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
    certDB.addCertFromBase64(intermediate, ",,");
    console.log("new intermediate certificate added");
  } catch (e) {
    console.error("failed to add new intermediate certificate:", e);
  }

  // Second, force a re-verify of signatures
  try {
    XPIDatabase.verifySignatures();
    console.log("signatures re-verified");
  } catch (e) {
    console.error("failed to re-verify signatures:", e);
  }
}

and the addon itself was signed by Mozilla and is distributed by them in their studies program which is avoided by installing it manually ( so I wouldn't doubt it's legitimacy )

however you'd know all this by reading the thread I linked, here's the relevant comment: https://news.ycombinator.com/item?id=19827415

2

celebratedrecluse wrote

You're right, I did not look at this carefully, and my confirmation bias led me to an erroneous conclusion. should be safe to install, i concur

3