[TriLUG] expired ca-certificates in firefox
Matthew Brown via TriLUG
trilug at trilug.org
Tue Oct 19 21:29:11 EDT 2021
On Thu, Oct 7, 2021 at 11:09 AM Joseph Mack NA3T via TriLUG
<trilug at trilug.org> wrote:
> I'm leary of upgrading things like browsers. You wind up downloading the
> universe to update packages, then a bit later, you find something you
> depend on doesn't work anymore. As well I don't like that Firefox has
> removed the buttons at the top and bottom of the scroll bar on the right,
> which allows you to slowly scroll through a webpage. Also if you upgrade,
> the format of the files in ~/.mozilla changes and you can't revert, unless
> you're already prepared and have saved your originals.
>
Please don't do this. Updates fix critical security flaws. Your
browser is one of the biggest attack surfaces on your system and the
most likely vulnerability-based attack vector on your system (other
than trojans, phishing, or physical access).
If you find the regular Firefox updates too volatile, try using
Firefox ESR instead. ESR is only supposed to update with bug fixes for
a set amount of time and not touch the UI or anything else for a while
compared to regular Firefox.
You can also use Chromium (which has better sandboxing anyway based on
what I have read) but be sure it is regularly on version parity with
the stable release of Google Chrome or you have the same risks.
Indeed, an outdated Chromium is even worse because it may be more
attractive for attackers due to the larger installed base of Chrome
(plus Chrome updates on a frequent basis with many out-of-cycle
security patches, so the opportunity to be out of date is more
frequent).
> I found that my current version of Firefox (with slow scrolling) actually
> can get to all the sites I want (after granting a security exception) on
> the VM. So for the moment being able to get to sites has been handled.
This forgoes the certificate trust system entirely and opens you up to
MitM attacks. In theory a trust-on-first-use-based approach would be
fine assuming you were not being attacked when you first accepted the
certificate, but when I monitored browser certificates many years ago
it was not uncommon for them to change regularly. Each manual
acceptance is another attack opportunity. Please don't do this either.
More information about the TriLUG
mailing list