EV cert support for Firefox

by Matt 29. May 2007 04:10

IE7 introduced support for Extended Validation SSL certificates (aka High Assurance certificates). Any time you hit a site with one of these certs, the address bar changes colour to green. I've previously posted links to a couple of sites Microsoft hosts that allow you to test this.

While scouring the net looking for ways of integrating this into a project that hosts IE's web browser control, I came across this article on Wikipedia, which contained this link to a plugin to enable the nice green address bar in Firefox. And it's written by VeriSign, which is nice of them (considering other CAs' certs are going to be in competition with theirs).

Unfortunately, its support is not as complete as IE7's. Currently, it only knows about EV certs from VeriSign, Thawte and GeoTrust. (Wikipedia lists 7 other CAs that support EV.) But it's a good start.

And if you're interested in how EV certs are implemented, just download the Firefox .xpi file and change the extension to .zip. You can see it's got a certs folder containing various new root certs for the CAs. I don't pretend to know why they need new root certs, or why the old ones can't be used. The chrome folder has a .jar file, which can again be renamed to .zip and extracted. This contains a bunch of CSS files, some images and some JavaScript.

evcextension.js is the file with all the goodies. And it's here where you can really see how messy the EV implementation is. Each CA has their own OID that marks a cert as being EV. (An OID is an object identifier: a dotted-number name, such as VeriSign's 2.16.840.1.113733.1.7.23.6, that X.509 uses to identify extensions and policies. The EV marker is a policy OID in the certificate's certificatePolicies extension.) And since each CA has their own, they're all different. So the process is to walk the certificate chain: if the site certificate carries one of the recognised OIDs, the hash (fingerprint) of the root cert at the top of the chain must match the expected hash of the root belonging to the CA that owns that OID. The OID on its own proves nothing, since any CA could put VeriSign's OID into a cert it issues; the binding to a known root is what makes the check mean something.

Fairly simple process, but messy: the add-on must know about all the CAs, all of their root certs and the OID each one chooses to identify their version of EV. (And there are other parts to implement too, such as changes to the revocation checking.) So any change to a CA root cert, or adding a new known CA, requires an update to the add-on.

The above linked Wikipedia article lists 10 CAs. Theoretically, it should be easy to add support for all of them: just add the OIDs and the matching root certs. Of course, finding all the root certs might be a bit tricky, especially when it looks like there are new ones that need to be downloaded and installed. I wouldn't like to mess with this; just leave it to the people who know about this stuff.

Of course, the nice test site run by Microsoft doesn't work, because the Firefox add-on doesn't know about Microsoft's test root cert. That is something I wouldn't mind hacking.

So, now we know how to support EV certs. We've got to do a lot of leg work and find out all the CAs that support it, what their OIDs are and what their root certs are. If any of them change, we won't get notified. If we do find out they've changed, it's an update to our implementation (and we'd have to be careful about putting that data in config: the OID-to-root table is trust data, and anyone who can edit it can make any cert they control show up as EV, so it needs the same protection as the root store itself).

Wouldn't it be nice if Internet Explorer exposed its implementation for the rest of us to hook into, especially when hosting the WebBrowser control?

Comments (11)

best suv, 7/20/2011 10:35:15 PM

Fantastic task, I like your type! Would really like to hear your feedback on my website! I am also seeking someone to help me make websites!

luxury cars brands, 7/21/2011 6:41:12 PM

Is it OK if I quote your article in my monthly newsletter? I would think this article suits my topic perfectly. Well yeah, thanks for posting this article.

best hybrid cars, 7/22/2011 3:42:58 AM

Hi, just wanted you to know I have added your website to my Google bookmarks due to your layout. But seriously, I consider your website has one of the freshest themes I've come across. It really makes reading your blog significantly easier.

direct consolidation loans, 8/2/2011 9:53:45 PM

I wonder if he cheated on her? I remember he cheated on his previous wife with JLO so it wouldn't be surprising.

Johnathon Paulson, United States, 1/15/2016 4:34:22 AM

The style of keeping you connected with so many things of different types is awesome, and you find it interesting every time.

Elayne Kew, United States, 1/15/2016 6:24:05 AM

Congrats! So glad to see this site getting the recognition it deserves, the world can always use a little more awesome.

Stanley Tocci, United States, 1/15/2016 6:44:32 AM

I love the dolphin saving you one.

Jerald Petula, United States, 1/15/2016 7:19:23 AM

Let me be the first to say: Congrats, Neil! I've been following this site from day one, and have loved every single day of awesomeness that it has delivered. You deserve all the success coming your way. Keep it up! AWESOME!

Vonnie Thoen, United States, 1/15/2016 8:59:33 AM

This is awesome, like the Book of Awesome.

Randy Nault, United States, 7/20/2016 7:43:08 AM

Wow, very thorough article. Thanks.

Pierre Jungen, United States, 8/25/2016 4:13:05 AM

That's a great post. Hopefully you will also create a separate blog for smart home design which features home automation.
