Open
Bug 1172499
Opened 10 years ago
Updated 2 years ago
Remove preferences for OCSP from about:preferences
Categories
(Firefox :: Settings UI, defect, P5)
Firefox
Settings UI
Tracking
()
NEW
People
(Reporter: rbarnes, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [photon-preference])
User Story
Currently the OCSP preferences UI does not actually reflect the options available, and may incorrectly reflect the state (value 0 and 2 are shown the same). We need to fix the UI, or decide it's an advanced option that should be hidden (for much the same reasons the "_Require_ OCSP" pref is only a hidden pref: it causes random site breakage that users may not understand).
Attachments
(1 file, 1 obsolete file)
|
75.59 KB,
image/png
|
Details |
Screnshot of OSCP preferences
In bug 1010068, we added a third option (besides 0 and 1) to the preference security.OCSP.enabled. (Option 2 means "only fetch for EV".) As :keeler notes in that bug [1], there is UI for this pref, and that UI can only express two levels (it's a checkbox).
When the pref is set to a value other than 0/1, the UI displayed is the same as for the value 0. This creates a risk that an advanced user could set the pref to 2 in about:config, then see the box un-checked in the UI and check it, resetting the pref to 1.
Simply changing the logic so that any value greater than 0 caused the box to be checked would be an improvement. But the better answer would be to have the UI actually reflect that there are multiple behaviors here.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1010068#c27
While filing bug 1390673, I noticed that this bug has had no action since it was filed 2 years ago. Do we still intend to make this change?
|
||
Comment 2•7 years ago
|
||
Beyond updating the UI to express the new choice, we should also consider removing the UI altogether. It was one thing when it was buried in an Advanced section of prefs, but this is much more visible now and people probably won't understand the implications. Plus we're considering turning off OCSP by default for perf reasons (intermediates will be covered by CRLsets, and OCSP for leaf certs is unreliable exactly when you most need it), although OCSP will in fact save folks in situations with lazy attackers who don't bother blocking OCSP requests because the majority of their victims (Chrome users) don't check OCSP.
Flags: needinfo?(jjones)
|
|
||
Updated•7 years ago
|
User Story: (updated)
|
||
Comment 3•7 years ago
|
||
I support removing this UI. It's only useful for people who already know what revocation is, and they'll probably want to set other, hidden about:config values anyway.
I support removing it, as a total bystander, and would prefer to wontfix my bug 1390673 - once its removal bug is filed.
|
||
Comment 5•7 years ago
|
||
I agree with removing the OCSP preference.
OCSP is not an easily-understood technology, particularly what happens when it fails, or how it interacts in the larger picture with OneCRL. (This is something I know we're planning to write up more entries on SUMO over).
I'm okay with either re-titling this bug, or WONTFIXing it and opening a follow-on to remove the preference.
Flags: needinfo?(jjones)
|
||
Comment 6•7 years ago
|
||
Jared, could we do this cleanup as part of the photon prefs work, given it's "just" removing code in the prefs? Seems there's rough consensus to rm the pref. :-)
Flags: needinfo?(jaws)
|
||
Comment 7•7 years ago
|
||
Yes, we could do this as cleanup, as it will also make our prefs easier for users by removing ways for users to get confused and make changes to Firefox that they won't easily understand.
Blocks: photon-preference
Flags: needinfo?(jaws)
Summary: Update preferences to handle new OCSP options → Remove preferences for OCSP from about:preferences
Whiteboard: [photon-preference][triage]
|
|
||
Comment 8•7 years ago
|
||
Which preferences in the attached screenshot should be removed? I have marked them as A, B, and C.
Flags: needinfo?(jjones)
|
|
||
Comment 9•7 years ago
|
||
Updated the screenshot to also include the Certificates section (marked as D)
Attachment #8898362 -
Attachment is obsolete: true
|
|
||
Comment 10•7 years ago
|
||
(In reply to Jared Wein [:jaws] (please needinfo? me) from comment #9)
> Created attachment 8898363 [details]
> Screenshot of OSCP preferences
>
> Updated the screenshot to also include the Certificates section (marked as D)
Only "A" should be covered by this bug. I don't think there's consensus for removing anything else. Thanks, :jaws!
Flags: needinfo?(jjones)
|
|
||
Comment 11•7 years ago
|
||
Thanks, looks like we will need to move "B" and "C" to be in line with "D" then. Helen/Tina, would that be OK with you?
Flags: needinfo?(thsieh)
Flags: needinfo?(hhuang)
|
||
Comment 12•7 years ago
|
||
Sure! I'm happy that we're removing A :)
Let's move the "B" and "C" next to the body text in "D", thank you!
Flags: needinfo?(thsieh)
Flags: needinfo?(hhuang)
|
||
Updated•7 years ago
|
Priority: -- → P5
Whiteboard: [photon-preference][triage] → [photon-preference]
|
|
||
Comment 15•7 years ago
|
||
Now that I think about it, we should probably remove section D as well - it's a privacy disaster if a user chooses "Select one automatically".
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•