Firefox refresh resets certificate storage out of sandbox

Dun
Posts: 350
Joined: Mon Jun 23, 2014 5:00 am
Location: Poland

Firefox refresh resets certificate storage out of sandbox

Post by Dun » Sun Jun 21, 2015 4:56 pm

1. Sandboxed firefox -> about:support -> Refresh Firefox
2. Certificate storage out of sandbox has been restored to default one

Why?
Sandboxie 5.19.4 personal lifetime license user || Win10 x64 Pro CU (up to date) || ESET SS 10+ x64 || AppGuard 4+ || Firefox 54+ x64 || UAC on

btm
Posts: 160
Joined: Sat Nov 23, 2013 11:31 am

Re: Firefox refresh resets certificate storage out of sandbo

Post by btm » Sun Jun 21, 2015 9:23 pm

I'm not quite sure what you are talking about when you say 'certificate storage'. I use PaleMoon, a firefox offshoot, and it has a window called 'Certificate Manager' which I suspect you may mean here...My guess would be it depends on the options you've selected in the exclusion settings for the browser inside SBIE. Firefox stores its certificates in the (C:\Documents and Settings\*USER*\Application Data\Mozilla\Firefox\Profiles\) profile folder in a cert8.db file (similar to PaleMoon except for a minor path variation as far as I can tell) so if you've selected "Allow direct access to entire Firefox profile folder" in SBIE that may very well be why.
This account has been abandoned. If you need to PM me, please send a message to Syrinx.

Dun
Posts: 350
Joined: Mon Jun 23, 2014 5:00 am
Location: Poland

Re: Firefox refresh resets certificate storage out of sandbo

Post by Dun » Tue Jun 23, 2015 8:53 am

I definitely did not select the "Allow direct access to entire Firefox profile folder" option. Here is my configuration:
http://pastebin.com/ZBfRBnfV
As you can see Firefox sandbox is pretty much defaults + dropped rights

Here is the video. It shows that Adguard and ESET certificate is missing outside of sandbox after performing 'refresh firefox' inside of sandbox.

Here is the video:
https://youtu.be/URbQhzpahd0

In the video I've done the following:
1) cleaned Firefox sandbox
2) shown that sync was disabled and shown that Adguard and ESET certificate is present outside of the sandbox
3) started sandboxed firefox and shown the same things as 2) inside of sandbox
4) run 'refresh firefox' inside of the sandbox and did not recover any files
5) shown that Adguard and ESET certificates are missing inside of sandbox, which is OK
6) shown that Adguard and ESET certificates are missing outside of sandbox, which is not OK
Sandboxie 5.19.4 personal lifetime license user || Win10 x64 Pro CU (up to date) || ESET SS 10+ x64 || AppGuard 4+ || Firefox 54+ x64 || UAC on

Dun
Posts: 350
Joined: Mon Jun 23, 2014 5:00 am
Location: Poland

Re: Firefox refresh resets certificate storage out of sandbo

Post by Dun » Wed Jun 24, 2015 7:12 pm

I just checked it out and it does not matter if you set the folder where you have firefox installed as forced or not.
Sandboxie 5.19.4 personal lifetime license user || Win10 x64 Pro CU (up to date) || ESET SS 10+ x64 || AppGuard 4+ || Firefox 54+ x64 || UAC on

btm
Posts: 160
Joined: Sat Nov 23, 2013 11:31 am

Re: Firefox refresh resets certificate storage out of sandbo

Post by btm » Thu Jun 25, 2015 8:08 am

It appears I was incorrect as to which option enabled this db to be saved. It's actually a part of the 'phishing' option as found in the firefox template of the templates.ini though I expect direct access to the profile folder would allow this as well. Would you try making sure this option is disabled and re-test to see if that solves the mystery?

[Template_Firefox_Phishing_DirectAccess]
Tmpl.Title=#4337,Firefox/Waterfox/Pale Moon
Tmpl.Class=WebBrowser
ProcessGroup=<FirefoxPrograms>,firefox.exe,waterfox.exe,palemoon.exe
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\urlclassifier.pset
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\urlclassifier*.sqlite*
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\cert8.db
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\blocklist.xml
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\safebrowsing\*
This account has been abandoned. If you need to PM me, please send a message to Syrinx.

Dun
Posts: 350
Joined: Mon Jun 23, 2014 5:00 am
Location: Poland

Re: Firefox refresh resets certificate storage out of sandbo

Post by Dun » Thu Jun 25, 2015 2:45 pm

Thank you for your reply btm.

This setting:

OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\cert8.db
is responsible for certificate storage.
Guest10 wrote: The phishing template was recently revised so that the certificates file and the add-ons blocklist file are also saved outside of the sandbox, in the Firefox profile folder.
The certificates file because: hackers stole items that enabled them to create false certificates, and Firefox needs to update the certificates data, as false certificates are found.
The blocklist file because: once each day Firefox will download a list of add-ons that are known to be dangerous and should be blocked from use.
So disabling the Firefox phishing template could be bad for your computer's security.
Source: http://forums.sandboxie.com/phpBB3/view ... 888#p74888

This does not answer the question why OpenFilePath is used. The way it works by default, Sandboxie does not allow having multiple certificate storages, separate for every single sandbox. Why?
Sandboxie 5.19.4 personal lifetime license user || Win10 x64 Pro CU (up to date) || ESET SS 10+ x64 || AppGuard 4+ || Firefox 54+ x64 || UAC on

bo.elam
Sandboxie Guru
Posts: 2809
Joined: Wed Apr 22, 2009 9:17 pm

Re: Firefox refresh resets certificate storage out of sandbo

Post by bo.elam » Thu Jun 25, 2015 3:35 pm

Dun wrote: This does not answer the question why OpenFilePath is used.
I believe that is so all updates related to phishing, blocklist of sites, etc., are updated silently and as a tiny update. Otherwise, the entire database that has been updated since last time you ran Firefox unsandboxed would have to be downloaded every time you run Firefox sandboxed.

Bo

Dun
Posts: 350
Joined: Mon Jun 23, 2014 5:00 am
Location: Poland

Re: Firefox refresh resets certificate storage out of sandbo

Post by Dun » Thu Jun 25, 2015 3:45 pm

I added

ReadFilePath=<FirefoxPrograms>,%USERPROFILE%\*\cert8.db
to global settings in sandboxie.ini. Currently when I use refresh firefox in sandbox, it resets certificate database inside sandbox while database outside of sandbox stays untouched. So it works as I wanted now. So far I haven't seen cert8.db file in C:\Sandbox\%USERNAME%\Firefox\user\current\AppData\Roaming\Mozilla\Firefox\Profiles\%USERPROFILE% so I'm not sure how it works exactly. Should the file be created there automatically some time later?
Sandboxie 5.19.4 personal lifetime license user || Win10 x64 Pro CU (up to date) || ESET SS 10+ x64 || AppGuard 4+ || Firefox 54+ x64 || UAC on
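
Added example (not part of the thread and not Sandboxie's own code): a small Python audit that lists which OpenFilePath/ReadFilePath/ClosedFilePath rules cover the host certificate database for a given sandbox, so a write-through rule like the one discussed above is visible before it bites. The `[Firefox]` box section, the profile folder name `example.default`, and the wildcard handling (`*` matches any run of characters, patterns compared as full paths) are assumptions made for illustration.

```python
import re

# Constructed excerpt: rule lines are from the thread, the [Firefox] box is assumed.
SAMPLE_INI = r"""
[GlobalSettings]
ReadFilePath=<FirefoxPrograms>,%USERPROFILE%\*\cert8.db

[Firefox]
Template=Firefox_Phishing_DirectAccess

[Template_Firefox_Phishing_DirectAccess]
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\cert8.db
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\safebrowsing\*
"""

# Constructed host path of the certificate database (profile name is made up).
CERT_DB = r"%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\example.default\cert8.db"

def parse_ini(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections

def matches(pattern, path):
    """Assumed wildcard semantics: '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path, re.IGNORECASE) is not None

def path_rules(sections, box, path):
    """List (setting, source section, pattern) rules that cover `path` for `box`."""
    sources = ["GlobalSettings", box]
    sources += ["Template_" + v for k, v in sections.get(box, []) if k == "Template"]
    hits = []
    for name in sources:
        for key, value in sections.get(name, []):
            if key in ("OpenFilePath", "ReadFilePath", "ClosedFilePath"):
                pattern = value.split(",", 1)[-1]  # drop optional program prefix
                if matches(pattern, path):
                    hits.append((key, name, pattern))
    return hits

print(path_rules(parse_ini(SAMPLE_INI), "Firefox", CERT_DB))
```

An OpenFilePath hit means the sandboxed browser works directly on the host file; the audit only reports which rules apply and where they come from, it does not model how Sandboxie resolves overlapping rules.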
