Closed Bug 1100734 Opened 10 years ago Closed 10 years ago

"Delete or Distrust" and "Edit Trust" root CA cannot persist in Firefox for Tor Browser

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Version:
31 Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: anonymous.abc, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Build ID: 20100101

Steps to reproduce:

Config: Debian Wheezy 7.7 32bit, Firefox ESR 31.2.0 (Tor Browser 4.0.1 Linux 32bit version)

Below approaches to distrust/delete CNNIC root and China Internet Network Information Center EV certificate root had been tried. But neither of them worked.

Approach 1: "Delete or distrust" two CA root one by one in Preference/Advanced/Certificates/Authorities. Restart Tor Browser and open "https://www.cnnic.cn".

Approach 2: In Preference/Advanced/Certificates/Authorities, click "Edit Trust" and uncheck all the boxes. Click "OK". Restart browser and open "https://www.cnnic.cn".


Actual results:

Result of approach 1: After restart, these CA roots were still there. And websites signed by CNNIC SSL (https://www.cnnic.cn) can still be opened without any warning.

Result of approach 2: Clicking "OK" cannot close it, while only "Cancel" worked. After restart, those unchecked boxes were checked again, while websites signed by CNNIC SSL can still be opened without any warning.


Expected results:

Expected result of approach 1: CA root deleted or distrusted should disappear in the trust list after restart. And browsing websites signed by CNNIC SSL (https://www.cnnic.cn) should be stopped with warning.

Expected result of approach 2: Clicking "OK" should work. After restart, those unchecked boxes should persist. Browsing websites signed by CNNIC SSL (https://www.cnnic.cn) should be stopped with warning.
OS: Windows 7 → Linux
Hi Jack, thanks for filing this bug. However, apparently this behavior is by design:

https://www.torproject.org/projects/torbrowser/design/#disk-avoidance
https://gitweb.torproject.org/tor-browser.git/commitdiff/8904bfc10cd537bd35be5ddd23c58fdaa72baa21
https://gitweb.torproject.org/tor-browser.git/blob/refs/heads/tor-browser-31.2.0esr-4.5-1:/browser/app/profile/000-tor-browser.js#l29 (this is where it appears to be enabled by default)

I think the idea is to prevent things like caching intermediate certificates when visiting sites, but this has the side-effect of immediately forgetting any changes that would need to be persisted in the read/write certificate db. Root CAs come from the read-only certificate db. The only way to change their trust values is to essentially save a copy of them in the read/write db. Without it, those changes immediately get forgotten (everything is basically ref-counted and garbage-collected, so as soon as you close the certificate manager, those changes aren't persisted).

Looks like you can change this if you want by flipping the pref security.nocertdb in about:config (requires a restart).

Since this is a result of changes Tor made, this isn't really a bug in Firefox. I would resolve this "NOTABUG", but since that doesn't exist, "INVALID" will have to do.

See also things like https://trac.torproject.org/projects/tor/ticket/13452 and https://trac.torproject.org/projects/tor/ticket/13353
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.