Request: switching to windows' certificates store ?
Forum rules
Please keep everything here strictly on-topic.
This board is meant for Pale Moon source code development related subjects only like code snippets, patches, specific bugs, git, the repositories, etc.
This is not for tech support! Please do not post tech support questions in the "Development" board!
Please make sure not to use this board for support questions. Please post issues with specific websites, extensions, etc. in the relevant boards for those topics.
Please keep things on-topic as this forum will be used for reference for Pale Moon development. Expect topics that aren't relevant as such to be moved or deleted.
Hi all,
I know that my question could be strange or a newbie-like question.
As Palemoon is a Windows-dedicated port of Mozilla Firefox, is there a way in Palemoon to change the way of storing/accessing X.509 certificates and to do as Windows' Internet Explorer does with certificates?
Let me explain:
On one hand:
As you know, Mozilla Firefox uses its own "Certificate Store" to store all kinds of X.509 certificates (i.e. root authority certificates, personal certificates, intermediate CAs, etc.). It's probably for OS interoperability/compatibility (or licensing) reasons.
On the other hand:
When you run on Windows operating systems (all NT-based versions from NT4 to W2000, XP, W2003, W7, W2008 and up), Windows has its own integrated "Certificate Store" to store the same certificates, for a user or a machine (inside two distinct stores: one for the current user, saved in the user's profile, and the other in the system/local machine account profile).
So certificates stored in the(se) Windows store(s) are available to any kind of Windows application (but not in Firefox/Palemoon).
In many companies, internal IT teams need to add/deploy some new or special certificates to the Windows certificate store, for internal use or specific applications. These certificates can be managed by Group Policy (GPO) in the Active Directory domain, in a centralized manner.
But these 2 types of certificate stores (Firefox's and Windows') are COMPLETELY isolated. Firefox cannot read/use a certificate located in the Windows certificate store and vice versa.
And it is hard to deploy certificates silently/automatically into the Firefox certificate store (no GPO possible here).
As Palemoon is only for Windows OS, there is no more interoperability constraint.
SO is there a way to ADD to Palemoon a way (i.e. an internal feature, an addon or a plugin/extension, etc.) to give access, within Palemoon while browsing on https, to the Windows certificate store instead of the Firefox-like certificate store (like Internet Explorer does when it needs to use a certificate)?
This access could be permanent or temporary, no matter.
In my opinion, it would be a very useful feature that is lacking in Firefox (and that CAN'T ever be added in Firefox):
It would make it possible to use GPO-deployed certificates or share Windows-stored certificates easily within PaleMoon.
I am not a developer (just an IT sysadmin guy who likes Palemoon on Windows!), and I don't know if it's technically possible or realistic.
What do you think about it?
Thanks in advance.
JB VERNEJOUX
Re: Request: switching to windows' certificates store ?
Some people have already looked into this:
There are some pretty major security implications to doing something like this. Windows does not have a static list of root certs in the Root Store. Instead, it dynamically "phones home" to Microsoft to check for root certs when a user tries to use an end-entity cert that chains up to an unknown root cert. Microsoft also adds new root certs without any meaningful end-user notice. The end result is that there is no way for you to predict what will be in your trusted list.
...
If you wanted Firefox to behave like IE you would have to trigger the "phone home" upon encountering an unknown root cert.
So, it's not really that easy because the Windows cert store doesn't have a solid verification base.
Some preliminary work was done to do this and have the option to use the windows cert store, but the code was never finished and has probably bitrotted severely by now.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Request: switching to windows' certificates store ?
OK
I see.
Thanks for your feedback.
JB
Re: Request: switching to windows' certificates store ?
Moonchild wrote: ....but the code was never finished and has probably bitrotted severely by now.
Tried a few online dictionaries but no joy.... Please define/explain "bitrotted" for those of us mere mortals struggling to cope with the deluge of techno-speak in the programmers' vocabulary?
Today I have already learned that describing a programmer as "low-level" is not an insult but appears to mean he/she is actually rather good and works on the core code as opposed to the "high-level" programmers who work at the GUI end?
Re: Request: switching to windows' certificates store ?
Wikipedia is your friend:
http://en.wikipedia.org/wiki/Bit_rot
The term "bit rot" is often used to refer to dormant code rot, i.e. the fact that dormant (unused or little-used) code gradually decays in correctness as a result of interface changes in active code that is called from the dormant code.
This kind of code rot happens when a component in a source tree isn't actively included and is untouched for a while, while the rest of the source code sees active development. To make the component usable again, it has to be reviewed and updated when taken up into active development with the other (by now changed) code again.
EDIT:
To clarify your other question: low-level coding is coding "close to the hardware", like directly programming chips and/or the CPU or GPU, or writing a device driver.
High-level coding is coding done with more abstract system calls, like, indeed, GUI coding where you would instruct the Windows API to "open a window with these parameters", but also cross-platform coding like any Java or JavaScript.
These two types of programming are two completely different disciplines, each with their own set of required skills and knowledge.
Once again: Wikipedia is your friend: http://en.wikipedia.org/wiki/High-_and_low-level
Last edited by Moonchild on 2012-09-21, 23:32, edited 1 time in total.
Reason: Clarification low-level/high-level coder
Re: Request: switching to windows' certificates store ?
Moonchild wrote: Wikipedia is your friend:
...
Once again: Wikipedia is your friend: http://en.wikipedia.org/wiki/High-_and_low-level
After years of using Firefox with only the Google search engine as standard, I was surprised to see that PaleMoon starts with half a dozen engines.
I thought Wikipedia stuck out like a sore thumb amongst them.
With use I have found it very convenient for technical searches to select Wikipedia for a search, compared with the Firefox default of a Google search and hoping to spot a result pointing to Wikipedia.
Re: Request: switching to windows' certificates store ?
As this is an old thread, I would like to know if there are currently any plans to allow Palemoon to use the Windows certificate store like Chrome does. It would give Palemoon an important advantage over Firefox.
Thanks.
Re: Request: switching to windows' certificates store ?
No, there is no reason why we would switch to Windows' certificate store. Having its own certificate store actually gives Pale Moon a security advantage.
Re: Request: switching to windows' certificates store ?
jbvernejoux wrote: As Palemoon is only for windows OS
I see just now by chance this resurrected thread, but the assumption in the original post is plainly wrong. There are Palemoon native Linux users like me!
The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. (G.B. Shaw)
Re: Request: switching to windows' certificates store ?
Lucio Chiappetti wrote: but the assumption in the original post is plainly wrong.
At the time that original post was written, Pale Moon was only available for Windows. The Linux version came later.
Nichi nichi kore ko jitsu = Every day is a good day.
Re: Request: switching to windows' certificates store ?
Could I provide one reason why it is interesting for Palemoon to be able to read certificates from the Windows store?
In the current enterprise environment, for companies like mine, security is based on certificates. These certificates are normally deployed by GPO to the Windows store on thousands of PCs. There is no GPO to deploy a certificate to the Palemoon/Firefox store. Even if there were such a GPO, it makes no sense to deploy the certificate to 2 different stores.
If Palemoon were able to read from the Windows store, many companies could use this great browser on a daily basis. Of course it should also maintain access to its own current store, especially for Linux compatibility.
Maybe one possible approach is to move the Palemoon/Firefox store to a different layer and let Palemoon access the certificate stores existing on the PC (Firefox, Windows or other 3rd party), maybe with an option.
Sorry to disturb you with this request, but I think it is really important.
Thanks.
Re: Request: switching to windows' certificates store ?
You cannot use 2 different stores at the same time, due to potential certificate conflicts.
It should be possible to import the desired certificates into our store automatically with e.g. a login script, but that is a challenge the IT/NetAdmins need to tackle.
Enterprise use is not a main target for Pale Moon at this time but if you or other enterprise users want to see the use of the Windows cert store added to Pale Moon, then patches to that effect are certainly welcome. This contribution will have to come from the enterprise side of things since Mozilla also doesn't seem to have an interest in dedicating resources to this kind of client certificate reading.
See also bug #1120350, especially comment 2.
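The login-script route Moonchild suggests above (import the desired certificates into Pale Moon's own store automatically) can be done with the NSS certutil tool. The script below is an added example written for this thread, not code from the Pale Moon project or from anyone in the thread. It assumes: the NSS certutil.exe (which is a different program from the Windows certutil.exe of the same name in System32) has been deployed to the path in $NssCertutil; Pale Moon profiles live under %APPDATA%\Moonchild Productions\Pale Moon\Profiles; and the enterprise CAs that Group Policy pushed into the Windows store can be recognised by a name pattern ($CaNamePattern, a constructed value). It copies only CA certificates (never personal certificates or private keys) and grants them TLS server trust only.

```powershell
# Added example (not from the thread or the Pale Moon project): logon script that copies
# GPO-deployed enterprise CA certificates from the Windows store into each Pale Moon
# profile's NSS certificate database, so the browser trusts them without a second GPO.
param(
    # Assumption: NSS tools deployed here. NOT C:\Windows\System32\certutil.exe (Windows' own tool).
    [string]$NssCertutil   = 'C:\Tools\nss\certutil.exe',
    # Constructed value: substring of your CA's subject name.
    [string]$CaNamePattern = 'Example Corp',
    # Assumption: default Pale Moon profile location on Windows.
    [string]$ProfileRoot   = "$env:APPDATA\Moonchild Productions\Pale Moon\Profiles"
)

if (-not (Test-Path $NssCertutil)) { throw "NSS certutil not found at $NssCertutil" }

# Only CA certificates (BasicConstraints CA=TRUE) from the trusted-root and intermediate stores
# that GPO populates. Personal ("My") store certificates are deliberately never touched.
$caCerts = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA, Cert:\CurrentUser\Root |
    Where-Object {
        $_.Subject -like "*$CaNamePattern*" -and
        ($_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and
            $_.CertificateAuthority })
    } | Sort-Object Thumbprint -Unique

foreach ($pmProfile in Get-ChildItem $ProfileRoot -Directory) {
    # Profiles carry either the newer cert9.db (sqlite, "sql:" prefix) or the older cert8.db
    # (Berkeley DB, "dbm:" prefix); certutil must be told which one it is dealing with.
    if     (Test-Path (Join-Path $pmProfile.FullName 'cert9.db')) { $db = "sql:$($pmProfile.FullName)" }
    elseif (Test-Path (Join-Path $pmProfile.FullName 'cert8.db')) { $db = "dbm:$($pmProfile.FullName)" }
    else   { continue }   # not an initialised profile

    foreach ($cert in $caCerts) {
        # Nickname keyed on the thumbprint so reruns at every logon are idempotent.
        $nick = "GPO $($cert.Thumbprint)"
        & $NssCertutil -L -d $db -n $nick *> $null
        if ($LASTEXITCODE -eq 0) { continue }   # already present in this profile

        $der = Join-Path $env:TEMP "$($cert.Thumbprint).cer"
        [IO.File]::WriteAllBytes($der, $cert.Export('Cert'))   # public certificate only, no key

        # Trust flags: "C,," = trusted to issue TLS server certificates, nothing else.
        # "CT,," would additionally trust it for client-cert issuance; e-mail and
        # object-signing trust (the 2nd and 3rd fields) are left empty on purpose.
        & $NssCertutil -A -d $db -n $nick -t 'C,,' -i $der
        if ($LASTEXITCODE -ne 0) { Write-Warning "Import of $nick into $db failed" }
        Remove-Item $der -ErrorAction SilentlyContinue
    }
}
```

Run it at logon before the browser starts: NSS databases are locked while Pale Moon is running, and certutil writes will fail against an open profile. Keeping the trust flags to "C,," means a deployed root can validate the intranet's server certificates but gains no say over e-mail or code-signing trust, which limits the damage if a CA in the Windows store is ever one you did not intend to trust (the Superfish-style concern raised later in this thread).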
Re: Request: switching to windows' certificates store ?
Cores8 wrote: In current enterprise environment, for companies like mine, security is based on certificates. These certificates are normally deployed by GPO to Windows store on thousands of PCs. There is no GPO to deploy a certificate on Palemoon/Firefox store. Even if there is any GPO, makes no sense to deploy the certificate to 2 different stores.
If Palemoon were able to read from Windows store, many companies could use this great browser on a daily basis.
and
Moonchild wrote: Having its own certificate store actually gives Pale Moon a security advantage.
I hope this comment isn't ill informed, but here it is. Wouldn't using Windows' certificate store put efficiency (for Enterprise) in conflict with security (for everyone)? Am thinking here of the Lenovo/Superfish situation.
Re: Request: switching to windows' certificates store ?
coffeebreak wrote: I hope this comment isn't ill informed, but here it is. Wouldn't using Windows' certificate store put efficiency (for Enterprise) in conflict with security (for everyone)? Am thinking here of the Lenovo/Superfish situation.
Yes and no. As I understand it (not a security expert) some/many enterprises already 'break' SSL security by spoofing certificates - effectively using a man-in-the-middle attack - in their firewall to inspect traffic coming in and out of the organisation (another reason not to use corporate networks for private purposes). You can test for it / read more about it at https://www.grc.com/fingerprints.htm
Forked extensions :
● Add-ons Inspector ● Auto Text Link ● Copy As Plain Text ● Copy Hyperlink Text ● FireFTP button replacement ● gSearch Bar ● Navigation Bar Enhancer ● New Tab Links ● Number Tabs ● Print Preview Button and Keyboard Shortcut 2 ● Scrollbar Search Marker ● Simple Marker ● Tabs To Portfolio ● Update Alert ● Web Developer's Toolbox ● Zap Anything
Hint: If you expect a reply to your PM, allow replies...
Re: Request: switching to windows' certificates store ?
Falna, thank you for your response. I should have been more clear, but was thinking, based on:
Moonchild wrote: You cannot use 2 different stores at the same time, due to potential certificate conflicts.
that if the Windows certificate store was imported to PM it would displace use of Pale Moon's certificate store for all users. Or is this a misunderstanding?
Would it be possible to choose between the two stores and have the unchosen one be treated as if it does not exist?
Re: Request: switching to windows' certificates store ?
Don't get me wrong here. I do not ever want to have the Windows certificate store replace our own. That just has too much of an issue (and the answer to the topic title is therefore no).
The issue here for enterprise users is that client certificates cannot be pulled from the Windows cert store, which is what would be needed.
That could be something to add as an optional feature, in a read-only fashion behind a pref for enterprise users.
So, I think the proper solution here is:
- Keep using our own store to handle, verify and validate server certificates and CS/root chains.
- Keep using our own store to install new client certificates and verify them.
- Add an option (behind a pref) to additionally read client certificates from the Windows store for use, if no certificate match is found in our own store.
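The third point of the proposal above (read client certificates from the Windows store, read-only, behind a pref, and only when the browser's own store has no match) can be illustrated with the Windows certificate store API that a later reply in this thread refers to; the snippet below uses the .NET X509Store wrapper over CryptoAPI. It is an added example written for this thread, not Pale Moon code and not an implementation of the proposal inside the browser: the -Enabled switch stands in for the hypothetical pref, $AcceptableIssuers models the CA names a TLS server lists in its CertificateRequest (the constructed value at the bottom is illustrative), and the "own store first" step is represented only by the comment at the call site, since that part lives in NSS.

```powershell
# Added example (not from the thread or the Pale Moon project): the read-only lookup that
# step 3 of the proposal describes. It opens only the user's personal ("My") store, never
# writes to it, and never consults the Windows root store for trust decisions.
function Get-WindowsClientCertificate {
    param(
        # Issuer DNs the server will accept (from its CertificateRequest message).
        [Parameter(Mandatory)] [string[]]$AcceptableIssuers,
        # Stands in for the proposed preference; off by default, as the proposal intends.
        [switch]$Enabled
    )
    # Pref off: the Windows store is treated as if it did not exist.
    if (-not $Enabled) { return @() }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $now        = Get-Date
        $clientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
        $found = foreach ($cert in $store.Certificates) {
            # A client certificate is useless without its private key.
            if (-not $cert.HasPrivateKey) { continue }
            # Skip expired or not-yet-valid certificates.
            if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { continue }
            # Offer only certificates from CAs the server said it accepts.
            if ($AcceptableIssuers -notcontains $cert.Issuer) { continue }
            # If an EKU extension is present it must permit client authentication;
            # a certificate without EKU is unrestricted and therefore also acceptable.
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuth })) { continue }
            $cert
        }
        # Longest-lived candidate first; the caller (or user) picks one.
        $found | Sort-Object NotAfter -Descending
    }
    finally {
        $store.Close()
    }
}

# Constructed illustration of the fallback order from the proposal:
#   1. the browser's own NSS store is searched first (not shown; that part is NSS code);
#   2. only if it returned nothing, and only with the pref on, is the Windows store read.
$issuers = @('CN=Example Corp Issuing CA 1, O=Example Corp, C=US')   # constructed value
Get-WindowsClientCertificate -AcceptableIssuers $issuers -Enabled |
    Select-Object Subject, Issuer, NotAfter, Thumbprint
```

Filtering on the server's acceptable-issuer list before showing anything to the user matters for the "certificate conflicts" point made earlier in the thread: a Windows-store certificate is only ever a candidate when the browser's own store produced no match for those issuers, so the two stores never compete for the same server, and opening the store with OpenFlags::ReadOnly keeps the browser from ever altering what Group Policy installed.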
Re: Request: switching to windows' certificates store ?
Moonchild, Thank you very much.
Re: Request: switching to windows' certificates store ?
Thanks Moonchild. I think your approach is good.
Re: Request: switching to windows' certificates store ?
coffeebreak wrote: Moonchild, Thank you very much.
Cores8 wrote: Thanks Moonchild. I think your approach is good.
Right-o. So, if anyone from the enterprise sector wants to jump in and provide an implementation, e.g. using the designated Windows API to read the Windows certificate store, that would be great.