Closed
Bug 797552
Opened 12 years ago
Closed 12 years ago
Firefox does not compare the system date against a minimum constant value when using SSL
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 783757
People
(Reporter: johannes, Unassigned)
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.10 Safari/537.11 Steps to reproduce: My mom couldn't log into Google Mail and I tried to figure out the problem on the phone. It took 10 minutes until I finally figured out that the system date was set to a decade in the past. Actual results: The normal SSL error information appeared, probably with unhelpful information. Expected results: Firefox builds should embed a constant value that is generated at build time to define the date when the build was created. The system date should be compared against that value. If it is at least a few days older, the SSL error dialog should give a clear warning "Your system date is set to a date in the past!". Furthermore, the way things are done currently seems to make an attack possible where the attacker resets the time using NTP in order to use expired SSL certificates ?! So maybe, the check against the constant value should be performed always and Firefox should block all SSL connections.
Updated•12 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Assignee | ||
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•