Closed Bug 1088622 Opened 10 years ago Closed 7 years ago

EV sites survive EV status in the cache without revalidation

Categories

(Core :: Security: PSM, defect)

31 Branch
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 660749

People

(Reporter: KaiE, Unassigned)

References

(Depends on 1 open bug)

Details

(Whiteboard: [psm-blocked])

As reported in bug 1062589:

The EV status of web sites survive in the cache, when it shouldn't.

If a required intermediate CA cert has been removed from the cert database, the EV status is still shown, even after shift-reloading.

You should consider to never cache EV status across Firefox restarts.

Potentially you should even invalidate all cached EV status after any change to the NSS certificate database (which you might be unable to detect if it's a shared NSS database, so clearing at least after each restart might be a good idea).
In the particular scenario:

- at the time EV status was correctly given, an intermediate, cross signed certificate
  was present, which allowed to find a chain to one of the EV enabled roots

- at the time of loading the page again at a later time, that cross signed intermediate
  had been removed, the only discoverable chain was to another root CA certificate
  that isn't EV enabled
This would probably be fixed by bug 660749.
Depends on: CVE-2011-0082
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.