Closed Bug 1050100 Opened 10 years ago Closed 10 years ago

Adding "Security Exception" for self-signed HTTPS sites cannot be done permanently

Categories: Firefox :: Security (defect)
Version: 31 Branch
Severity: normal
Status: RESOLVED INVALID
Reporter: ezegyemailcim123 (Unassigned)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140715215148

Steps to reproduce:

Example self-signed websites:

https://lists.openbsd.org/cgi-bin/mj_wwwusr

That cannot be added permanently. 


Actual results:

The add "Security Exception" button (Advanced->Certificates->View Certificates->Servers) in Firefox 31 ( 31.0+build1-0ubuntu0.12.04.1 ) is greyed out, so self-signed certificates can ONLY be added temporarily.

This is a security issue, since at every Firefox start the SSL cert needs to be added temporarily, not permanently.

Self-signed certificates on HTTPS connections are still better than using only HTTP, since they can defend against passive attacks, wire-tapping (but if you cannot store them permanently...).

Adding a website as "CA" is not a secure solution.

My useragent is: "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0"

Are you running Firefox to not save history, or to always start in private browsing mode? That's the only way I can confirm that this happens on 34.0a1.

Hi John,
until someone with more knowledge (than me) of Certificates reads this bug can I suggest some reading:

A.
A short introduction by Mike Kaply.

"New Certificate Verification Library in Firefox 31"
http://mike.kaply.com/2014/08/01/new-certificate-verification-library-in-firefox-31/


Mike links to three useful pages:

https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/

https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification
This wiki has recently been clarified in light of the recent changes.

https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing


Since mozilla::pkix became the default for Certificate Verification,
in Fx 31, there have been quite a few bugs reported.


B. 
As you are using Self Signed Certificates, see also
https://wiki.mozilla.org/SecurityEngineering/x509Certs

Some reports in bugzilla are about Self Signed Certificates
being unverified (using the stricter mozilla::pkix) where they were
'accepted as OK' using the Classic, libpkix, method of verification.


C.
Some Bugzilla searches:

https://bugzilla.mozilla.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&field0-0-0=product&field0-0-1=component&field0-0-2=alias&field0-0-3=short_desc&field0-0-4=status_whiteboard&field0-0-5=cf_crash_signature&query_format=advanced&type0-0-0=substring&type0-0-1=substring&type0-0-2=substring&type0-0-3=substring&type0-0-4=substring&type0-0-5=substring&value0-0-0=self-signed&value0-0-1=self-signed&value0-0-2=self-signed&value0-0-3=self-signed&value0-0-4=self-signed&value0-0-5=self-signed&order=changeddate%20DESC%2Cbug_status%2Cpriority%2Cassigned_to%2Cbug_id&query_based_on=

https://bugzilla.mozilla.org/buglist.cgi?quicksearch=pkix

https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ocsp

The 3 above only find open bugs.

The next one finds ALL of the bugs where the "Component" is "Security: PSM",
more than 2000, including FIXED and DUPLICATE bugs.

You may find some of them helpful in diagnosing why your issue occurred and how to fix it. 

https://bugzilla.mozilla.org/buglist.cgi?all=&component=Security%3A%20PSM&product=Core&query_format=advanced&order=changeddate%20DESC%2Cbug_status%2Cpriority%2Cassigned_to%2Cbug_id&limit=0

I hope this helps.

DJ-Leith

(In reply to Tanner Filip [:tanner] from comment #1)
> Are you running Firefox to not save history, or to always start in private
> browsing mode? That's the only way I can confirm that this happens on 34.0a1.

For security reasons, it's advisable to use a browser in "private" mode - so no data would be leaked if there is a bug from previous website visits or passwords, etc. 

So it shouldn't matter that a browser is in private or not private mode - regarding this topic.

(In reply to DJ-Leith from comment #2)
> Hi John,
> until someone with more knowledge (than me) of Certificates reads this bug
> can I suggest some reading:
> 
> A.
> A short introduction by Mike Kaply.
> 
> "New Certificate Verification Library in Firefox 31"
> http://mike.kaply.com/2014/08/01/new-certificate-verification-library-in-
> firefox-31/
> 
> 
> Mike links to three useful pages:
> 
> https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-
> verification-in-gecko/
> 
> https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification
> This wiki has recently been clarified in light of the recent changes.
> 
> https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing
> 
> 
> Since mozilla::pkix became the default for Certificate Verification,
> in Fx 31, there have been quite a few bugs reported.
>  
> 
> B. 
> As you are using Self Signed Certificates, see also
> https://wiki.mozilla.org/SecurityEngineering/x509Certs
> 
> Some reports in bugzilla are about Self Signed Certificates
> being unverified (using the stricter mozilla::pkix) where they were
> 'accepted as OK' using the Classic, libpkix, method of verification.
> 
> 
> C.
> Some Bugzilla searches:
> 
> https://bugzilla.mozilla.org/buglist.
> cgi?bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOP
> ENED&field0-0-0=product&field0-0-1=component&field0-0-2=alias&field0-0-
> 3=short_desc&field0-0-4=status_whiteboard&field0-0-
> 5=cf_crash_signature&query_format=advanced&type0-0-0=substring&type0-0-
> 1=substring&type0-0-2=substring&type0-0-3=substring&type0-0-
> 4=substring&type0-0-5=substring&value0-0-0=self-signed&value0-0-1=self-
> signed&value0-0-2=self-signed&value0-0-3=self-signed&value0-0-4=self-
> signed&value0-0-5=self-
> signed&order=changeddate%20DESC%2Cbug_status%2Cpriority%2Cassigned_to%2Cbug_i
> d&query_based_on=
> 
> https://bugzilla.mozilla.org/buglist.cgi?quicksearch=pkix
> 
> https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ocsp
> 
> The 3 above only find open bugs.
> 
> The next one finds ALL of the bugs where the "Component" is "Security: PSM",
> more than 2000, including FIXED and DUPLICATE bugs.
> 
> You may find some of them helpful in diagnosing why your issue occurred and
> how to fix it. 
> 
> https://bugzilla.mozilla.org/buglist.
> cgi?all=&component=Security%3A%20PSM&product=Core&query_format=advanced&order
> =changeddate%20DESC%2Cbug_status%2Cpriority%2Cassigned_to%2Cbug_id&limit=0
> 
> I hope this helps.
> 
> DJ-Leith

See the

https://www.youtube.com/watch?v=fwcl17Q0bpk

for a little further info about the topic. 

For security reasons, it's advisable to use a browser in "private" mode - so no data would be leaked if there is a bug from previous website visits or passwords, etc. 

So it shouldn't matter that a browser is in private or not private mode - it should store the SSC - self-signed certificate permanently!

Ask several Senior IT Security guys that are independent (ex.: not related to government) - they will say the exact same.

Thank you.

(In reply to John Smith from comment #3)
> For security reasons, it's advisable to use a browser in "private" mode - so
> no data would be leaked if there is a bug from previous website visits or
> passwords, etc. 

This is a conflicting desire - you want to run the browser in "private mode" so that "no data is leaked", but you want the browser to remember security exceptions on disk, which leaks which sites/servers you are connecting to.

Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
OS: Linux → All
Hardware: x86 → All

INVALID per comment 5 - let me know if I've misunderstood!

Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID

THIS IS NOT INVALID, THIS NEEDS TO BE FIXED! PEOPLE!

If you turn off private mode (temporarily) can you add the exception? If so then each feature is working as designed, and now that you've added the exception in non-private mode it will be remembered and used when you go back to private mode.
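An added illustration of the behaviour Daniel describes and of the on-disk leak raised in comment 5; this is example code written for this page, not Firefox code, and the store format is a hypothetical simplification, not Firefox's real override file. A private-mode exception lives only in memory, a normal-mode exception is written to disk, and a later session (private or not) reuses what is on disk.

```python
import hashlib
import json
import os
import tempfile
# Constructed stand-ins for certificate DER bytes (not real certificates).
SERVER_CERT_DER = b"constructed DER: self-signed cert for lists.openbsd.org"
OTHER_CERT_DER = b"constructed DER: a different cert presented for the same host"

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()   # the value an exception pins

class OverrideStore:
    """Hypothetical exception store: permanent entries on disk, session ones in memory."""
    def __init__(self, path: str):
        self.path = path
        self.session = {}   # dies with the browser process
        self.permanent = json.load(open(path)) if os.path.exists(path) else {}

    def add_exception(self, host: str, cert_der: bytes, private_mode: bool) -> str:
        if private_mode:
            # Private browsing writes nothing to disk, so the exception is session-only.
            self.session[host] = fingerprint(cert_der)
            return "session"
        self.permanent[host] = fingerprint(cert_der)
        with open(self.path, "w") as fh:
            json.dump(self.permanent, fh)   # this file reveals which hosts were visited
        return "permanent"

    def check(self, host: str, cert_der: bytes) -> str:
        # "unknown" means the warning page; "mismatch" means a different cert than accepted.
        pinned = self.permanent.get(host, self.session.get(host))
        if pinned is None:
            return "unknown"
        return "trusted" if pinned == fingerprint(cert_der) else "mismatch"

def demo(path=None) -> dict:
    # Replays the thread: exception added in private mode, restart, then in normal mode.
    path = path or os.path.join(tempfile.mkdtemp(), "overrides.json")
    host = "lists.openbsd.org:443"
    private = OverrideStore(path)
    private.add_exception(host, SERVER_CERT_DER, private_mode=True)
    in_private = private.check(host, SERVER_CERT_DER)                # trusted for now
    after_restart = OverrideStore(path).check(host, SERVER_CERT_DER)  # session store is gone
    OverrideStore(path).add_exception(host, SERVER_CERT_DER, private_mode=False)
    later = OverrideStore(path)   # a fresh process, e.g. a later private-browsing session
    return {"in_private": in_private, "after_restart": after_restart,
            "remembered": later.check(host, SERVER_CERT_DER),
            "other_cert": later.check(host, OTHER_CERT_DER),
            "host_on_disk": host in open(path).read()}
```

The last field shows the trade-off from comment 5: the persisted exception is what makes the self-signed cert usable across restarts, and it is also a record on disk of the host that was visited.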
(In reply to Daniel Veditz [:dveditz] from comment #8)
> If you turn off private mode (temporarily) can you add the exception? If so
> then each feature is working as designed, and now that you've added the
> exception in non-private mode it will be remembered and used when you go
> back to private mode.

Yes Daniel, that perfectly works. Thank you.