Closed Bug 797552 Opened 12 years ago Closed 12 years ago

Firefox does not compare the system date against a minimum constant value when using SSL

Categories

(Core Graveyard :: Security: UI, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 783757

People

(Reporter: johannes, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.10 Safari/537.11

Steps to reproduce:

My mom couldn't log into Google Mail and I tried to figure out the problem on the phone. It took 10 minutes until I finally figured out that the system date was set to a decade in the past.


Actual results:

The normal SSL error information appeared, probably with unhelpful information.


Expected results:

Firefox builds should embed a constant value that is generated at build time to define the date when the build was created. The system date should be compared against that value. If it is at least a few days older, the SSL error dialog should give a clear warning "Your system date is set to a date in the past!".

Furthermore, the way things are done currently seems to make an attack possible where the attacker resets the time using NTP in order to use expired SSL certificates?! So maybe the check against the constant value should always be performed and Firefox should block all SSL connections.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Product: Core → Core Graveyard
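
A sketch of the check the report proposes, as an added example that is not Firefox code and not part of the original report; the build timestamp, the three-day tolerance and all function names are assumptions. It runs the build-date comparison before the validity-period test, as the report's last paragraph suggests, because a rolled-back clock can put an expired certificate back inside its validity window.

```javascript
// Added illustration, not Firefox code. All names and thresholds are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
// Constructed stand-in for a timestamp the build system would stamp into the binary.
const BUILD_TIME_MS = Date.UTC(2012, 9, 1);
// "A few days" of slack, as in the report, for time zones and small drift.
const TOLERANCE_DAYS = 3;

// True when the clock reads earlier than the moment this build was produced,
// which cannot be correct on a machine that is running the build.
function clockBehindBuild(nowMs, buildMs = BUILD_TIME_MS) {
  return nowMs < buildMs - TOLERANCE_DAYS * DAY_MS;
}

// Decide what to report about a certificate's validity period.
// cert = { notBefore, notAfter }, both in milliseconds since the epoch.
function checkValidityPeriod(nowMs, cert, buildMs = BUILD_TIME_MS) {
  if (clockBehindBuild(nowMs, buildMs)) {
    // Checked first and unconditionally: with a rolled-back clock an expired
    // certificate can look valid again, so an "in window" result means nothing.
    return {
      verdict: "clock-behind-build",
      daysBehind: Math.floor((buildMs - nowMs) / DAY_MS),
      message: "Your system date is set to a date in the past!",
    };
  }
  if (nowMs < cert.notBefore) return { verdict: "not-yet-valid" };
  if (nowMs > cert.notAfter) return { verdict: "expired" };
  return { verdict: "ok" };
}

// Constructed sample certificates and clock readings.
const currentCert = { notBefore: Date.UTC(2012, 5, 1), notAfter: Date.UTC(2013, 5, 1) };
const expiredCert = { notBefore: Date.UTC(2002, 0, 1), notAfter: Date.UTC(2003, 0, 1) };
const clockSetBack = Date.UTC(2002, 9, 5); // system date a decade in the past
const clockCorrect = Date.UTC(2012, 9, 5);

for (const [label, now, cert] of [
  ["old clock, current cert", clockSetBack, currentCert],
  ["old clock, expired cert", clockSetBack, expiredCert],
  ["good clock, expired cert", clockCorrect, expiredCert],
  ["good clock, current cert", clockCorrect, currentCert],
]) {
  console.log(label, "->", checkValidityPeriod(now, cert).verdict);
}
```

A clock set back to any time after the build date passes this check, so it narrows the rollback window rather than closing it.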