Request: switching to windows' certificates store ?

Talk about code development, features, specific bugs, enhancements, patches, and similar things.
Forum rules
Please keep everything here strictly on-topic.
This board is meant for Pale Moon source code development related subjects only like code snippets, patches, specific bugs, git, the repositories, etc.

This is not for tech support! Please do not post tech support questions in the "Development" board!
Please make sure not to use this board for support questions. Please post issues with specific websites, extensions, etc. in the relevant boards for those topics.

Please keep things on-topic as this forum will be used for reference for Pale Moon development. Expect topics that aren't relevant as such to be moved or deleted.
jbvernejoux

Request: switching to windows' certificates store ?

Unread post by jbvernejoux » 2012-09-17, 21:30

Hi all,

I know that my question could be strange or a newbie-like question :wtf:

As palemoon is Windows-dedicated port of Mozilla Firefox, is it a way in palemoon to change the way of storing/accessing to X509 Certificates and to do as Windows' Internet Explorer do with certificates ?

I explain:
In one hand:
As you know, Mozilla Firefox use its own "Certificates Store" to store all kind of X 509 certificates (aka Root Authorities Certificates, Personal Certificate, Intermediates CA, etc...). it's probably for OS interoperability/compatibility (or licensing) reasons.

In the other hand:
When you run on Windows Operating Systems (all NT-based versions from NT4 to W2000, XP, W2003, W7, W2008 and +), Windows have got its own integrated "Certificate Store" to store same Certificates, for a User or a Machine (inside two distincts stores - one for the current user - saved in the user's profile- and the other in the system/localmachine account profile ).
So Certificates stored in the(se) windows' store(s) are available to any kind of windows applications (but no in Firefox/palemoon).
In many companies, internal IT teams need to add/deploy some new or special certificates to Windows' certificates Store, for an internal use or specific applications. These certificates can be managed by Group Policy -GPO in the Active Directory domain - in a centralized manner.

But these 2 types of certificate stores (Firefox' and Windows' ones) are COMPLETELY isolated. Firefox cannot read/use a certificate located in the windows' certificate store and vice versa.
And it is hard to deploy silently/automaticly certificates in the firefox' Certificate store (no GPO possible here).

As Palemoon is only for windows OS, there is no more interoperability constraint.
SO is it a way to ADD to palemoon a way (aka an internal feature, an addon or a plugin/extension,etc...) to give access -into Palemoon while surfing on https- to the windows's certificate store instead firefox-like certificate store (like Internet Explorer do when it needs use of certificate) ?
This access could be permanent or temporary, no matters.

In my opinion, it will be a very usefull feature that lacks in firefox (and that CAN'T be ever added in firefox):
It can be possible to use GPO-deployed certificates or share windows-stored certificates easily within PaleMoon.

I am not a developper (just an IT sysadmin guy who likes Palemoon on windows !), and I don't know it's technical possible or realistic.

What do you think about it ?

Thank in advance.
JB VERNEJOUX

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Request: switching to windows' certificates store ?

Unread post by Moonchild » 2012-09-18, 20:00

Some people have already looked into this:
There are some pretty major security implications to doing something like this. Windows does not have a static list of root certs in the
Root Store. Instead, it dynamically "phones home" to Microsoft to check for root certs when a user tries to use an end-entity cert that
chains up to an unknown root cert. Microsoft also adds new root certs without any meaningful end-user notice. The end result is that there is
no way for you to predict what will be in your trusted list.
...
If you wanted Firefox to behave like IE you would have to trigger the "phone home" upon encountering an unknown root cert.
So, it's not really that easy because the Windows cert store doesn't have a solid verification base.
Some preliminary work was done to do this and have the option to use the windows cert store, but the code was never finished and has probably bitrotted severely by now.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

jbvernejoux

Re: Request: switching to windows' certificates store ?

Unread post by jbvernejoux » 2012-09-21, 19:38

OK

I see.
Thank for your feedback.

JB

Blacklab
Board Warrior
Board Warrior
Posts: 1080
Joined: 2012-06-08, 12:14

Re: Request: switching to windows' certificates store ?

Unread post by Blacklab » 2012-09-21, 21:16

[b][color=#0000FF]Moonchild[/color][/b] wrote: ....but the code was never finished and has probably bitrotted severely by now.
Tried a few online dictionaries but no joy.... Please define/explain "bitrotted" for those of us mere mortals struggling to cope with the deluge of techno-speak in the programmers' vocabulary? :)

Today I have already learned that describing a programmer as "low-level" is not a insult but appears to mean he/she is actually rather good and works on the core code as opposed to the "high-level" programmers who work at the GUI end?

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Request: switching to windows' certificates store ?

Unread post by Moonchild » 2012-09-21, 23:24

Wikipedia is your friend:

http://en.wikipedia.org/wiki/Bit_rot
The term "bit rot" is often used to refer to dormant code rot, i.e. the fact that dormant (unused or little-used) code gradually decays in correctness as a result of interface changes in active code that is called from the dormant code.
This kind of code rot happens when a component in a source tree isn't actively included and untouched for a while, while the rest of the source code sees active development. To make the component usable again, it has to be reviewed and updated when taken up into active development with the other (by now changed) code again.

EDIT:
To clarify your other question: low-level coding is coding "close to the hardware", like directly programming chips and/or the CPU or GPU, or writing a device driver.
high-level coding is coding done with more abstract system calls, like, indeed GUI coding where you would instruct the Windows API to "open a window with these parameters", but also cross-platform coding like any Java or Javascript.
These two types of programming are two completely different disciplines with each their own set of required skills and knowledge.
Once again: Wikipedia is your friend: http://en.wikipedia.org/wiki/High-_and_low-level
Last edited by Moonchild on 2012-09-21, 23:32, edited 1 time in total.
Reason: Clarification low-level/high-level coder
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

alan9182

Re: Request: switching to windows' certificates store ?

Unread post by alan9182 » 2012-09-22, 08:03

Moonchild wrote:Wikipedia is your friend:
...
Once again: Wikipedia is your friend: http://en.wikipedia.org/wiki/High-_and_low-level
After years of using Firefox with only Google search engine as standard,
I was surprised to see that PaleMoon starts with half a dozen engines.
I thought Wikipedia stuck out like a sore thumb amongst them.

With use I have found it very convenient for technical searches to select Wikipedia for a search,
compared with the Firefox default of a Google search and hoping to spot a result pointing to Wikipedia.

Cores8

Re: Request: switching to windows' certificates store ?

Unread post by Cores8 » 2016-05-20, 08:01

As this is an old thread, I would like to know if there are currently any plans to allow Palemoon to use Windows certificate store like Chrome do. It would give Palemoon an important advantage over Firefox.
Thanks.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Request: switching to windows' certificates store ?

Unread post by Moonchild » 2016-05-20, 08:56

No, there is no reason why we would switch to Windows' certificate store. Having its own certificate store actually gives Pale Moon a security advantage.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Lucio Chiappetti
Astronaut
Astronaut
Posts: 654
Joined: 2014-09-01, 15:11
Location: Milan Italy

Re: Request: switching to windows' certificates store ?

Unread post by Lucio Chiappetti » 2016-05-20, 10:13

I see just now by chance this resurrected thread but the assumption in the original post
jbvernejoux wrote:As Palemoon is only for windows OS
is plainly wrong. There are Palemoon native Linux users like me !
The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. (G.B. Shaw)

User avatar
Nigaikaze
Board Warrior
Board Warrior
Posts: 1322
Joined: 2014-02-02, 22:15
Location: Chicagoland

Re: Request: switching to windows' certificates store ?

Unread post by Nigaikaze » 2016-05-20, 15:48

Lucio Chiappetti wrote:but the assumption in the original post is plainly wrong.
At the time that original post was written, Pale Moon was only available for Windows. The Linux version came later.
Nichi nichi kore ko jitsu = Every day is a good day.

Cores8

Re: Request: switching to windows' certificates store ?

Unread post by Cores8 » 2016-05-24, 10:01

Could I provide one reason why it is interesting that Palemoon is able to read certificates from Windows Store?
In current enterprise environment, for companies like mine, security is based on certificates. These certificates are normally deployed by GPO to Windows store on thousands of PCs. There is no GPO to deploy a certificate on Palemoon/Firefox store. Even if there is any GPO, makes no sense to deploy the certificate to 2 different stores.
If Palemoon were able to read from Windows store, many companies could use this great browser on a daily basis. Off course it should also maintain access to its own current store, specially for Linux compatibility.
Maybe one possible approach is to move the Palemoon/Firefox store to a different layer and let Palemoon access certificates stores existing in the PC (Firefox, Windows or other 3rd party) maybe with an option.
Sorry to disturb you with this request, but I think it is really important.
Thanks.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Request: switching to windows' certificates store ?

Unread post by Moonchild » 2016-05-24, 11:07

You cannot use 2 different stores at the same time, due to potential certificate conflicts.
It should be possible to import the desired certificates into our store automatically with e.g. a login script, but that is a challenge the IT/NetAdmins need to tackle.

Enterprise use is not a main target for Pale Moon at this time but if you or other enterprise users want to see the use of the Windows cert store added to Pale Moon, then patches to that effect are certainly welcome. This contribution will have to come from the enterprise side of things since Mozilla also doesn't seem to have an interest in dedicating resources to this kind of client certificate reading.
See also bug #1120350, especially comment 2.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

coffeebreak
Moon Magic practitioner
Moon Magic practitioner
Posts: 2986
Joined: 2015-09-26, 04:51
Location: U.S.

Re: Request: switching to windows' certificates store ?

Unread post by coffeebreak » 2016-05-24, 15:28

Cores8 wrote:In current enterprise environment, for companies like mine, security is based on certificates. These certificates are normally deployed by GPO to Windows store on thousands of PCs. There is no GPO to deploy a certificate on Palemoon/Firefox store. Even if there is any GPO, makes no sense to deploy the certificate to 2 different stores.
If Palemoon were able to read from Windows store, many companies could use this great browser on a daily basis.
and
Moonchild wrote:Having its own certificate store actually gives Pale Moon a security advantage.
I hope this comment isn't ill informed, but here it is. Wouldn't using Windows' certificate store put efficiency (for Enterprise) in conflict with security (for everyone)? Am thinking here of the Lenovo/Superfish situation.

Falna
Astronaut
Astronaut
Posts: 511
Joined: 2015-08-23, 17:56
Location: UK / France

Re: Request: switching to windows' certificates store ?

Unread post by Falna » 2016-05-24, 16:36

coffeebreak wrote:I hope this comment isn't ill informed, but here it is. Wouldn't using Windows' certificate store put efficiency (for Enterprise) in conflict with security (for everyone)? Am thinking here of the Lenovo/Superfish situation.
Yes and No. As I understand it (not a security expert) some/many enterprises already 'break' SSL security by spoofing certificates - effectively using a man-in-the-middle attack - in their firewall to inspect traffic coming in and out of the organisation (another reason not to use corporate networks for private purposes). You can test for it / read more about it at https://www.grc.com/fingerprints.htm

Forked extensions :
● Add-ons Inspector ● Auto Text Link ● Copy As Plain Text ● Copy Hyperlink Text ● FireFTP button replacement ● gSearch Bar ● Navigation Bar Enhancer ● New Tab Links ● Number Tabs ● Print Preview Button and Keyboard Shortcut 2 ● Scrollbar Search Marker ● Simple Marker ● Tabs To Portfolio ● Update Alert ● Web Developer's Toolbox ● Zap Anything

Hint: If you expect a reply to your PM, allow replies...

coffeebreak
Moon Magic practitioner
Moon Magic practitioner
Posts: 2986
Joined: 2015-09-26, 04:51
Location: U.S.

Re: Request: switching to windows' certificates store ?

Unread post by coffeebreak » 2016-05-24, 17:58

Falna, thank you for your response. I should have been more clear -- but was thinking, based on:
Moonchild wrote:You cannot use 2 different stores at the same time, due to potential certificate conflicts.
that if the Windows certificate store was imported to PM it would displace use of Pale Moon's certificate store for all users. Or is this a misunderstanding?

Would it be possible to choose between the two stores and have the unchosen one be treated as if it does not exist?

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Request: switching to windows' certificates store ?

Unread post by Moonchild » 2016-05-25, 08:59

Don't get me wrong here. I do not ever want to have the Windows certificate store replace our own. That just has too much of an issue (and the answer to the topic title is therefore no)

What the issue here for enterprise users is, is that client certificates cannot be pulled from the Windows cert store, which is what would be needed.
That could be something to add as an optional feature, in a read-only fashion behind a pref for enterprise users.

So, I think the proper solution here is:
  • Keep using our own store to handle, verify and validate server certificates and CS/root chains.
  • Keep using our own store to install new client certificates and verify them.
  • Add an option (behind a pref) to additionally read client certificates from the Windows store for use, if no certificate match is found in our own store.
Considering enterprise use, this should remain a temporary/read-only and non-copying operation (since you don't want a changed GPO to be overridden by previous rights given to a user).
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

coffeebreak
Moon Magic practitioner
Moon Magic practitioner
Posts: 2986
Joined: 2015-09-26, 04:51
Location: U.S.

Re: Request: switching to windows' certificates store ?

Unread post by coffeebreak » 2016-05-25, 16:17

Moonchild, Thank you very much.

Cores8

Re: Request: switching to windows' certificates store ?

Unread post by Cores8 » 2016-05-26, 10:09

Thanks Moonchild. I think your approach is good.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Request: switching to windows' certificates store ?

Unread post by Moonchild » 2016-05-26, 10:16

coffeebreak wrote:Moonchild, Thank you very much.
Cores8 wrote:Thanks Moonchild. I think your approach is good.
Right-o. So, if anyone from the enterprise sector wants to jump in and provide an implementation, e.g. using the designated Windows API to read the Windows certificate store, that would be great ;)
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Locked