Closed Bug 656410 Opened 13 years ago Closed 8 years ago

Add trust bits field to certificate manager UI

Categories

(Core Graveyard :: Security: UI, enhancement)

Product:
Core Graveyard
Component:
Security: UI
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: kathleen.a.wilson, Unassigned)

References

(Blocks 1 open bug)

Details

In the Certificate Manager please add a way for the user to easily see, at a glance, which trust bits are enabled for the roots in the Authorities list.

One possible way to do this would be to add columns indicating the on/off status of the websites, email, and code signing trust bits. Another possibly way is via mouse-over; e.g. show the trust bits when the mouse is hovering over a particular root. The important thing is to make it easier for the user to see this information. Currently the user has to click on "Edit Trust..." to see the information, one root at a time.
(In reply to comment #1)
> Are you aware of
> https://addons.mozilla.org/en-US/firefox/addon/cert-viewer-plus/
> ?

Yes, I've had this add-on installed for a while now, and I have found it to be very useful.

Among other useful things, this add-on provides the following functionality:
On the "Details" tab, the trust configuration (SSL/Mail/Code) is shown for each certificate, and can be edited in newer releases of Firefox/Thunderbird/Seamonkey. 

It would be terrific if this functionality could also be added to the list of certificate authorities displayed in the Certificate Manager.

This particular bug is requesting that UI be added to the Certificate Manager, so that when I am viewing the list of Authorities I may easily see the Trust Bit settings for each cert.
I have been told that we expect that this UI will get completely redesigned, minimized, moved to an extension, and/or thrown away in the (near?) future, at least for Firefox. I would not bother with this enhancement request until we have the new UI design.
(In reply to comment #3)
> I have been told that we expect that this UI will get completely redesigned,
> minimized, moved to an extension, and/or thrown away in the (near?) future,
> at least for Firefox. I would not bother with this enhancement request until
> we have the new UI design.

This is news to me, and while I think the UI desperately needs a rework, I'd be worried about plans to remove it, and doubly worried to have not heard about them - is there more information somewhere about this, or someone we should contact to comment here?
(In reply to comment #4)
> (In reply to comment #3)
> > I have been told that we expect that this UI will get completely redesigned,
> > minimized, moved to an extension, and/or thrown away in the (near?) future,
> > at least for Firefox. I would not bother with this enhancement request until
> > we have the new UI design.
> 
> This is news to me, and while I think the UI desperately needs a rework, I'd
> be worried about plans to remove it, and doubly worried to have not heard
> about them - is there more information somewhere about this, or someone we
> should contact to comment here?

I mentioned to Brian that I had plans to tackle the mess that is the Certificate Manager and the Device Manager which today offers little or no value to even experienced users beyond the ability to import a certificate. I don't have this on any near-term list though. That no one has ever put tacking it on a near term list is probably the reason for its dreadfulness :-)
(As an aside, do we really think that adding anything to the current interface adds any value at all? I honestly wouldn't put any effort into improving what's there, nor would I ever encourage any user to ever open that dialog. I've actually had it (literally) break my Firefox just opening it, scrolling around and _viewing_ authorities.)
I do not know the exact plan or if there is one, exactly. A couple of months ago, I met with Limi about improving the UI to deal with especially problematic aspects (e.g. You have to disable AddTrust roots as well as USERTrust roots, otherwise the USERTrust roots won't be disabled since they are cross-signed by the AddTrust roots, but this relationship isn't clear in the UI). His response was that we should just remove the whole UI, possibly offering it as an add-on.

I think we need to improve the automatic certificate management for our users so that they never have to use this UI.
I agree. I don't think a user should ever find herself in the certificate manager. If she does, we've failed. That's an administrator-level tool.

Microsoft doesn't even provide UI access to Certificates Manager snap-in within the MMC. You get at it from typing certmgr.msc into the run dialog.
(In reply to comment #8)
> Microsoft doesn't even provide UI access to Certificates Manager snap-in
> within the MMC. You get at it from typing certmgr.msc into the run dialog.

Internet Options -> Content -> Certificates
I stand corrected. So they have two distinct managers. Still feels like administrative features and not user-land.
(In reply to comment #8)
> I agree. I don't think a user should ever find herself in the certificate
> manager. If she does, we've failed. That's an administrator-level tool.

Just removing it doesn't provide any value either. The more advanced users should have an option to easily manage certificates (Authority and otherwise). Improvements are welcome of course.

I probably use the certificates dialog a couple of times per day and it never broke anything. I'm surprised that this happened to you.
Don't remove features. Just because you don't have a use for it, or because some people don't understand it, doesn't mean it's useless.

If you want to make it clear that people shouldn't mess with it, unless they understand what they're doing, then make that clear in the UI (think about:config warning).

The certificate manager is deeply hidden in preferences, and most people won't ever go there.

Opening certificate manager cannot mess up your profile, unless you click action buttons and change settings.
The day will come, when a major CA will be compromised and have its secret key stolen. That day we will all be happy, that it will be possible to publish a series of actions, that users can use to disable that CA.

If you removed that ability, if you required to install an addon before disabling trust, that's counterproductive. Most users will not have that addon, but everyone would need the addon to disable trust. How do you verify that your addon is trustworthy while your settings trust a compromised CA?

I believe the trust settings are an essential part of the SSL functionality that our software offers, and should never be removed from the core product.
Please do not remove the Certificate Manager. I believe there are many security-aware users who use this interface. 

It would be fine if the enhancement that I requested in this bug is done via an add-on. I understand the desire to revamp the UI, but it does work.

Note that the reason that I filed this bug is because other users have mentioned the need. While I personally use the Certificate Manager regularly as part of my job, I would not have filed this bug if it was just something I wanted as a convenience. Several different people have mentioned that they manage the certificate authorities list in their Firefox browser (mostly to turn off the trust bits for the roots they don't want), and would like to be able to see at a glance what the trust bit settings are for the certs in the list.
Anything new on that issue which is nearly half a decade old?

Especially since Mozilla seems to include nowadays any certificate as long as the owner is running to pay the fees, regardless of whether these are inherently untrustworthy from totalitarian countries, and even when these CAs had been found to create forged certs and most probably used the for attacks,... it would seem pretty convincing that users are given a simpler way to see whom they trust.

Or is it intentional that user have no easy way of knowing whom Mozilla decides for them to trust?

For the same reasons I've added a similar request, bug #1234111, asking to include the country field of the certificate's subject/issuer.
Similar issues that effectively lead to changes of the cert store to be hidden from the user include bug #1078764 and #1234112.

Cheers.
(In reply to Christoph Anton Mitterer from comment #18)
> Anything new on that issue which is nearly half a decade old?
> 
> Especially since Mozilla seems to include nowadays any certificate as long
> as the owner is running to pay the fees, 

Mozilla's root inclusion process is described here:
https://wiki.mozilla.org/CA

Mozilla does not collect fees from CAs.

> Or is it intentional that user have no easy way of knowing whom Mozilla
> decides for them to trust?

You might be interested in the Certificate Manager Add-on. Information about it here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/qM2eNuO7dIM/Z9yp8n8tAgAJ

By the way, if you are interested in changes to the root store, the information is provided via the following wiki pages:
https://wiki.mozilla.org/CA:IncludedCAs
https://wiki.mozilla.org/CA:PendingCAs
https://wiki.mozilla.org/CA:RemovedCAcerts

Cheers.
This is more appropriate for add-ons to provide (for instance, the add-on mentioned above (more direct link: https://addons.mozilla.org/en-US/firefox/addon/certificate-manager/ ) already has this functionality).
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.