Sukhbir Singh:
Hi list,
We are thinking of including certificates for OFTC, CCC, etc. with Tor Messenger, since some of these popular chat servers use self-signed certificates. Quick questions about this:
Is this a good idea -- including these certificates by default? Or should we let the users click on "add exception" and then add the certificates themselves?
What is a good way of achieving this (adding these certificates) as part of the build process? I can't seem to find a "proper" way and documentation seems to be lacking. I think we have to update cert8.db as part of the default profile, but I was wondering if there is some documentation or a preferred way of doing this.
So far, we have avoided mucking with the cert store in TBB, mostly because we did not want to invite a slough of discussion and requests relating to this, because we're not equipped to make these sorts of policy decisions organizationally at this point.
However, the use cases you describe seem like decent ones. I think you might be hard-pressed to find an official way to add a self-signed leaf cert -- most of what you'll find will be about adding certs into the source code as a proper CA, which is something you definitely don't want to do (but the constraints on the self-signed cert *should* make this impossible).
For this reason, the cert8.db might be the most direct way of accomplishing what you want, but you might also have a look at doing this from an addon. For example, Moritz maintains a ca-cert enabling addon: https://github.com/moba/cacert-firefox-addon
Again, that is an addon specifically designed for adding CAs. I am not sure if the same mechanism can be used to add self-signed certs. Probably, but be careful?