bea wrote (edited)
Reply to comment by celebratedrecluse in Why Tor-Browser is currently not safe to use and what to do about it (applies to all other Firefox derivatives too) by boom
Yeah, because of this comment I unpacked the addon and examined the code myself. The only thing it's doing is adding a bundled base64-encoded cert and forcing a re-verification:
    async doTheThing() {
      // first inject the new cert
      try {
        let intermediate = "[[BASE64 ENCODED CERT OMITTED]]";
        let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
        certDB.addCertFromBase64(intermediate, ",,");
        console.log("new intermediate certificate added");
      } catch (e) {
        console.error("failed to add new intermediate certificate:", e);
      }
      // Second, force a re-verify of signatures
      try {
        XPIDatabase.verifySignatures();
        console.log("signatures re-verified");
      } catch (e) {
        console.error("failed to re-verify signatures:", e);
      }
    }
And the addon itself was signed by Mozilla and is distributed by them in their studies program, which is avoided by installing it manually (so I wouldn't doubt its legitimacy).
However, you'd know all this by reading the thread I linked; here's the relevant comment: https://news.ycombinator.com/item?id=19827415
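Added example, not part of bea's comment and not Mozilla's code: a small Node.js script that automates the manual review described above by listing the XPCOM contracts, method calls and certificate trust string in the quoted snippet and flagging anything outside an allow-list. The allow-list, the risky-API pattern and the function names `auditSource` and `unexpectedCalls` are assumptions chosen for this illustration.

```javascript
// SAMPLE: the snippet quoted in the comment above (certificate body omitted, as there).
const SAMPLE = `
async doTheThing() {
  try {
    let intermediate = "[[BASE64 ENCODED CERT OMITTED]]";
    let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
    certDB.addCertFromBase64(intermediate, ",,");
    console.log("new intermediate certificate added");
  } catch (e) {
    console.error("failed to add new intermediate certificate:", e);
  }
  try {
    XPIDatabase.verifySignatures();
    console.log("signatures re-verified");
  } catch (e) {
    console.error("failed to re-verify signatures:", e);
  }
}`;

// Assumed reviewer heuristics (not exhaustive): APIs that would contradict
// "it only adds a cert and re-verifies", and the calls that claim allows.
const RISKY = /\b(fetch|XMLHttpRequest|WebSocket|eval|Function|importScripts|nsIProcess|nsIPrefBranch)\b/g;
const EXPECTED = new Set(["certDB.addCertFromBase64", "XPIDatabase.verifySignatures",
                          "console.log", "console.error"]);

function auditSource(src) {
  // Collect unique capture-group values in order of first appearance.
  const uniq = (re, g) => [...new Set([...src.matchAll(re)].map(m => m[g]))];
  return {
    contracts: uniq(/Cc\[\s*["']([^"']+)["']\s*\]/g, 1),   // XPCOM services requested
    interfaces: uniq(/\bCi\.(\w+)/g, 1),                    // interfaces queried
    calls: uniq(/\b([A-Za-z_$][\w$]*\.[A-Za-z_$][\w$]*)\s*\(/g, 1),
    risky: uniq(RISKY, 1),
    // Second argument of addCertFromBase64 is the NSS trust string
    // (SSL,email,object-signing); ",," sets no trust flags on the cert.
    certTrust: uniq(/addCertFromBase64\([^,]+,\s*["']([^"']*)["']/g, 1),
  };
}

// Method calls the reviewer did not expect to see.
function unexpectedCalls(report) {
  return report.calls.filter(c => !EXPECTED.has(c));
}

const report = auditSource(SAMPLE);
console.log(JSON.stringify({ ...report, unexpected: unexpectedCalls(report) }, null, 2));
```

A regex pass like this only narrows where to read; it does not replace reading the unpacked source, and it will not see calls built from strings at runtime.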
celebratedrecluse wrote
You're right, I did not look at this carefully, and my confirmation bias led me to an erroneous conclusion. Should be safe to install, I concur.