TLS for Firefox on GNU/Linux
TLS Positive Overrides
Firefox for GNU/Linux can be used with Namecoin for TLS positive overrides; this allows certificates for .bit
domains that match the blockchain to be used without errors. Instructions:
- Find your Firefox profile folder; it will usually be a subfolder of
$HOME/.mozilla/firefox
. For example,$HOME/.mozilla/firefox/r3a8ono6.default
. - Make sure that your Firefox profile folder is readable and writeable by the user who is running ncdns.
-
Add the following to
ncdns.conf
, substituting your Firefox profile folder for$PROFILEDIR
:[tlsoverridefirefox] sync=true profiledir="$PROFILEDIR"
- Restart ncdns.
TLS positive overrides will only be synchronized to Firefox while Firefox is not running; this means that, every so often, you should close Firefox for a few minutes and then re-open it.
You can now visit in Firefox a .bit
website that supports TLS, e.g. the Namecoin forum’s .bit
domain. The website should load in Firefox without errors.
TLS Negative Overrides
Firefox for GNU/Linux can be used with Namecoin for TLS negative overrides; this prevents malicious or compromised public CA’s from issuing certificates for .bit
domains. Instructions:
Important warning for users of TLS intercepting proxies: these instructions will probably cause your intercepting proxy to produce an HPKP error for HTTPS websites that use HPKP. Right now, Namecoin TLS negative overrides for Firefox are not compatible with TLS intercepting proxies that try to intercept HPKP-enabled websites. If you haven’t deliberately installed a TLS intercepting proxy, or if you don’t know what a TLS intercepting proxy is, you can probably ignore this warning.
Note: Installing Namecoin TLS negative overrides for Firefox might cause previously-unnoticed attacks against you, e.g. from malicious surveillance infrastructure, to produce visible errors (even if those attacks are trying to intercept non-Namecoin connections).
- Go to
about:config
in Firefox. - Search for
security.cert_pinning.enforcement_level
. - Double-click the
security.cert_pinning.enforcement_level
preference. - Enter
2
and click OK. - Search for
security.cert_pinning.process_headers_from_non_builtin_roots
. - Double-click the
security.cert_pinning.process_headers_from_non_builtin_roots
preference until theValue
column saystrue
. - Close the
about:config
tab in Firefox. - Restart Firefox.
- Create a temporary directory; make sure that it only is readable/writeable by a user whom you trust with access to the Firefox certificate database. Note its path; make sure you use forward-slashes instead of backslashes, and leave off the trailing slash.
- Find your NSS directory; it will usually be a subdirectory of
$HOME/.mozilla/firefox
. For example,$HOME/.mozilla/firefox/r3a8ono6.default
. Make sure you use forward-slashes instead of backslashes, and leave off the trailing slash. -
Run the following, substituting the temporary directory and NSS directory for
$TEMP_DIR
and$NSS_DIR
:./tlsrestrict_nss_tool --tlsrestrict.nss-temp-db-dir="$TEMP_DIR" --tlsrestrict.nss-dest-db-dir="$NSS_DIR"
- Wait a few minutes for
tlsrestrict_nss_tool
to finish running.
You’ll need to rerun the above tlsrestrict_nss_tool
command whenever the built-in certificate list is updated. You won’t need to redo the about:config
steps, though.
If you’ve manually imported any non-built-in TLS trust anchors to Firefox, and you want to restrict them from intercepting .bit
traffic, you should do the following for each such trust anchor:
- Get a DER-encoded certificate of the trust anchor.
-
Run the following, substituing the path to your trust anchor certificate for
$CERT_PATH
:./cross_sign_name_constraint_tool --cert.input-root-ca-path="$CERT_PATH"
- 3 new certificates will be created:
root.crt
,intermediate.crt
, andcross-signed.crt
. - Delete the existing trust anchor from Firefox.
- Import
root.crt
into Firefox; mark it as a trusted TLS root CA. - Import
intermediate.crt
andcross-signed.crt
into Firefox; do not mark them as trusted.
If you decide later that you want to remove the negative overrides from Firefox, follow these instructions:
-
Run the following:
./tlsrestrict_nss_tool --tlsrestrict.nss-temp-db-dir="$TEMP_DIR" --tlsrestrict.nss-dest-db-dir="$NSS_DIR" --tlsrestrict.undo
- Wait a few minutes for
tlsrestrict_nss_tool
to finish running. - If you want to restore compatibility with TLS intercepting proxies, follow these steps. If you don’t want to use a TLS intercepting proxy, or if you don’t know what a TLS intercepting proxy is, you probably don’t need to do this.
- Go to
about:config
in Firefox. - Search for
security.cert_pinning.enforcement_level
. - Right-click the
security.cert_pinning.enforcement_level
preference. - Click
Reset
. - Search for
security.cert_pinning.process_headers_from_non_builtin_roots
. - Right-click the
security.cert_pinning.process_headers_from_non_builtin_roots
preference. - Click
Reset
. - Close the
about:config
tab in Firefox. - Restart Firefox.
- Go to
Screenshot
If a .bit
HTTPS website uses a CA-signed certificate that doesn’t match the Namecoin blockchain, an error like this will be displayed: