CA-Knockout Add-On

for Firefox / Thunderbird / SeaMonkey / Instantbird

Download latest version: CA-Knockout 0.2.9
When installing, make sure your software displays my name (Kai Engert), to ensure it is properly digitally signed.

What is this all about and how does it work? Please read my related blog post.

Very short summary:

Status of the Add-on? Experimental, but it seems to work. Feedback and code review are welcome. (Because of limitations in the APIs available to an add-on, the usability could be improved.)

Who decides which CA certificates will be removed? Only Mozilla. This Add-On will deliver trust removals that match what the Mozilla.org project decided regarding trust of CA certificates.

How does the Add-On ensure that no other data will be imported? The contents are digitally signed, with a code signing certificate that I have received from StartCom. The certificate is embedded in the Add-On. Before processing any data, the Add-On will check that my certificate is still valid. Then it will check that the data was signed with my private key, by verifying the signature against the embedded public key. Any data that fails either check is ignored. (For related code see Mozilla's Bugzilla bug 685852 and bug 390615.)

Where is the knockout data published? Currently at this server. This is the first step, my server probably won't survive a large amount of downloads from millions of users. The next step would be to get people to set up mirrors for the data file, and embed the mirror URLs in the Add-On, and pick a random mirror URL for downloading.

Who am I and why should you trust me? Well, I don't ask that you trust me, that's your own decision. However, I've been contributing to the Mozilla project and its security code since 2001. I've been involved in creating the patches to remove DigiNotar from the Mozilla/NSS library. I'm not making decisions about the Mozilla trust list, this is covered by the Mozilla CA policy and a public process. However, I've often been involved in executing the technical changes.

Is this an official Mozilla project? No, currently this project is my personal initiative.

Changelog:
Version 0.2.9 Enabled automatic updating - Reduced number of prompts (when importing 12 certs, no longer showing 12 dialogs, only 7)
Version 0.2.7 Made compatible with Instantbird 1.0
Version 0.2.6 Made compatible with versions as old as Firefox 3.6, Thunderbird 3.1, SeaMonkey 2.0
Version 0.2.5 fixes a bug with automatic update
Version 0.2.1 initial version