NSS is a set of libraries to facilitate cross-platform development of security-enabled applications. It provides the framework and API for security tools, debugging, and diagnostics.
This how-to guide begins with a comprehensive introduction to the topic that cites relevant data and statistics. It then lays out a clear roadmap to the end goal.
Authentication
Authentication is verifying that someone is who they say they are. It can be accomplished by comparing a password or other secret information to a record the person is expected to have, such as a driver’s license or credit card. It can also be done by matching a public key with a certificate, which can be used to verify a server’s or other party’s identity.
NSS provides a secure way for applications to incorporate SSL, TLS, and PKCS #11 into their products. In addition, NSS includes support for other Internet security standards, including X.509 certificates and S/MIME.
The NSS libraries contain an implementation of the PKCS #11 standard and can use hardware TLS/SSL acceleration devices on servers and smart cards on client machines. It works with standard Internet application protocols (such as HTTP, POP3, FTP, SMTP) and custom applications using TCP/IP.
NSS is built on top of the Netscape Portable Runtime (NSPR). NSPR is an open-source API for system services designed to provide an abstraction from the underlying operating system platform. Python-NSS exposes elements of the NSPR API and is therefore bound to the same platform independence limitations as NSPR itself.
Encryption
Network Security Services (NSS) libraries enable cross-platform development of security-enabled client and server applications. Apps built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS#11, S/MIME, and X509 v3 certificates. NSS is available as a source and as shared dynamic libraries. Every NSS release is backward compatible, enabling applications to upgrade to new NSS libraries without recompiling or relinking.
NSS also provides security tools for debugging, diagnostics, certificate and key management, cryptography module management, and other development tasks. These tools are available as command-line executables and libraries, which the NSS APIs can access. They are used by applications to verify that NSS conforms to security protocols and other standards.
A vulnerability in the libssl library that ships with NSS could allow an attacker to forge RSA signatures, including SSL certificates. Mozilla Firefox, Thunderbird, SeaMonkey, and other 3rd party software use this library. Successful exploitation of this vulnerability could lead to arbitrary code execution in the affected application. If the affected application has administrative privileges, the attacker can install programs; view, change, or delete data; or create accounts with full user rights.
Signing
Creating signed certificates in NSS is done with the certutil command. It is an essential tool you should become familiar with as it is used by many other programs that communicate with NSS (such as IPsec new host key and IPsec rsasigkey). The command line is identical for all platforms:
It has been discovered that some NSS libraries have a vulnerability in the RSA signature validation code that could allow an attacker to forge signatures. It affects the NSS libraries used by Mozilla products such as Firefox, Thunderbird, and other NSS software.
The NSS library is a set of cryptography libraries that support SSL v2/v3, TLS, PKI, PKIX, PKCS #5, PKCS #7, PKCS #11, S/MIME, and X.509 certificates. It is used extensively by significant software projects.
The NSS libraries are FIPS 140-2 certified and provide an API that supports core SSL/S/MIME operations. This API is guaranteed to remain backward compatible with future releases of the NSS library. The python-NSS package provides a Python binding for the NSS/NSPR libraries. This binding is recommended for developers to create secure, cross-platform applications that support NSS and other Internet security standards.
Reliability
NSS libraries are widely used in many browsers, applications, and other products. As such, vulnerabilities in libraries can have a widespread impact. Attackers can exploit these vulnerabilities to bypass security measures and obtain sensitive information.
NSS Labs is dedicated to providing empirical data and objective group test results that help organizations make informed decisions about purchasing and optimizing security products. We encourage all vendors of security products to participate in our group tests. Our group tests are free of charge to participating vendors.
Python-NSS is binding for NSS (Network Security Services) and NSPR (Netscape Portable Runtime). It is similar to how Python provides an abstraction layer above IO, sockets, threads, timers, etc. NSPR is an API that encapsulates system-level functions, which can vary significantly between different platforms and operating systems.
Before NSS version 3.35, NSS used an old and deprecated database engine known as DBM. This engine had several limitations, including restricting the number of processes sharing a DBM file simultaneously. Consequently, keeping multiple copies of the NSS databases for each function in separate files was necessary.
This restriction was removed in NSS version 3.35, and NSS moved to an SQLite-based database. However, some applications remained tied to their legacy NSS databases. To support these applications, NSS provided an optional mode in which NSS would merge their NSS databases with the new shared NSS databases but otherwise act as if they are using their own NSS databases.
