After upgrade to Firefox 39.0 Master Password block access to Passwords and Digital ID Cards

UNCONFIRMED
Unassigned

Status

()

--
major
UNCONFIRMED
3 years ago
2 years ago

People

(Reporter: konzack.michelle, Unassigned)

Tracking

39 Branch
x86_64
Windows 7
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [passwords:master-password])

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150630154324

Steps to reproduce:

First of all, my Compaq Presario CQ58 was newly installed in Oktober 2014 and I use since then Firefox which is regulary update.  Currently in version 39.0

I am using the Estonian eID Digital Card and it was working up to Saturday 2015-07-11 4:00 morning

Since 8:00 it ask me, whenever I insert my Digital ID Card for the Master Password which I do not have since I have never used it.

Also my arround 6800 passwords stored on the Laptop are not more accessible

I am working as freelance and without access to my passwords and ID cards for identification I am jobless!!!

I have installed an Add-On to save my passwords as XML file in clear text, exported all important certs, and set SYNC to NO and reseted the whole Firefox using

chrome://pippki/content/resetpassword.xul

Anything is gone now and but I have still the same problem!





Actual results:

Firefox is still asking me to enter the "Master Massword" even if it was NEVER set.

I am Jobless without a working Firefox.

Note: A new Firefox 39.0 installation on a Thinkpad R40 has the same issue.
I have installed the Estonian ID Card software and if I try to login into http://eesti.ee/ it ask for a Master Password.


Expected results:

NEVER ASK for and NEVER SET a MASTER PASSWORD if it was never set!

Comment 1

3 years ago
If you create a fresh profile (see https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles) and you import the files storing the passwords (key and db), does it work normally?
Component: Untriaged → Password Manager
Flags: needinfo?(konzack.michelle)
Product: Firefox → Toolkit
(Reporter)

Comment 2

3 years ago
I created a profile as requested and have DONE NOTHING!

Not importing of previously saved passwords and certs.
The one from RIA (Estonian Digital ID Card) was stil there

I connected to the server http://eesti.ee/ and clicked on "Login" on the right uper side (the yellow button) and then selected "ID Card" to login.  It promped me immediately for the "Master Password" which I do not have...

Clicking "Cancel" give the message

----8<------------------------------------------------------------------
Secure Connection Failed

An error occurred during a connection to sisene.www.eesti.ee. SSL peer was unable to negotiate an acceptable set of security parameters. (Error code: ssl_error_handshake_failure_alert)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the web site owners to inform them of this problem.
----8<------------------------------------------------------------------

Thanks for your fast reponse.
Flags: needinfo?(konzack.michelle)

Comment 3

3 years ago
I know FF39 has added some restrictions to SSL certificates, maybe there is something wrong with the card device.

It might have a regression in FF39. I don't know if you can do that on your machine, but you could install the devtool mozregression (see http://mozilla.github.io/mozregression/ for details) to find a regression range.
As it worked with FF38, just run "mozregression --good-release 38" and stop when the console output gives you the pushlog (no need to bisect).

If you can't install this program, you can do that manually by downloading Nightly builds as zip (standalone version to use with a custom profile by creating a Firefox shortcut with the path e.g.  C:\Users\<user>\Desktop\firefox\firefox.exe -P "test_profile" -no-remote).
Nightlies are available on the Mozilla FTP http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015/ in the folder "mozilla-central" for each day.

If you proceed by dichotomy, it's pretty fast to find the last good build and the first bad build.
(Reporter)

Comment 4

3 years ago
installed "mozregression-gui" but there is a Extension problem.

I can not try the Estonian Digital ID Card, because in nightly the extension which load the application is missing. in clear, if I go to http://eesti.ee/ and click login, the I get immediately the SSL Error because it can not load the application.

If I start Firefox 39.0, then the Extension is there...

However, I have not found the extension in my local firefox folder, so it must be installed systemwide where nightly can not access it.

It mean, testing is not possibel.

Any suggestions?

Comment 5

3 years ago
In your current profile, type about:addons in the location bar, you should find the name of this extension. Is the add-on available on http://eesti.ee/ ?

If yes, just create a fresh test profile, install the extension and run this custom profile with Mozreg. You can specify a custom profile in Mozreg: "mozregression --profile=/path/to/profile"
(Reporter)

Comment 6

3 years ago
The Add-On is a part of the Estonian Electronic ID Software and is NOT seperated.

However, the name is

    "Estonian ID Card authentication module 3.8.1.1056"

and the Plugin

    "EstEID Firefox plug-in 3.8.1.1116"

it should be availlable in one of the sourcecodes for GNU/Linux because I had to compile it for Debian Wheeze:

http://id.ee/index.php?id=34313

I have ask the HelpDesk <abi@id.ee> for support to get this running and I hope, I can get an XPI file for this Extension, which seems to be a JavaScript only which is a PCKS helper.

My best friend is working for the Estonian Ministry of Foreign Affaires (Diplomat in Strasbourg) and she told me, that the Estonian eID was NEVER working for her since at least 2 years but it seems, her Workstation has several bugs...

This happen, if the IT guys from the government dont know how to do there job correctly.

I try to get the guys on the table because theis bug sucks to much
(Reporter)

Comment 7

3 years ago
****, forgotten:

I have started Nightly with the "default" profile as I would start with Firefox,
but the Extension is NOT in Nightly visible, only in Firefox
(Reporter)

Comment 8

3 years ago
Another thing I have forgotten is:

I am working since February 2015 mobile and I depend on GSM
which mean, I could not update Firefox for several month.

Is it possibel to get the Nightly Stand-Alone Builds for

Firefox 34, 35, 36, 37 and 38?

I am not sure, but I was jumping with the version 39 over
several and it seems, the bug must be between 34 and 38.

Comment 9

3 years ago
Yes, all the releases of Firefox are available on the FTP:
http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/
Pick a release, the OS then the language.
(Reporter)

Comment 10

3 years ago
After installing Firefox backwards from 40.0b3over 39.0 up to 33.0 I am slightly sure that Firefox 39.0 has set a flag which screw up anything and it is OUTSIDE of the USER Profiles because now ALL VERSIONS I have tested have the same sympthomes.

However, if I SET the Master Password, e.g. "FuckOff" and try to use my Digital ID Card, I  get the Master Password dialog, enter it and get an SSL fail...

----8<------------------------------------------------------------------
An error occurred during a connection to sisene.www.eesti.ee. SSL peer
was unable to negotiate an acceptable set of security parameters. (Error
code: ssl_error_handshake_failure_alert)

    The page you are trying to view cannot be shown because the
    authenticity of the received data could not be verified.
    Please contact the web site owners to inform them of this problem.
----8<------------------------------------------------------------------

I have tried to log in from a friends Computer using IE and it works perfectly on his Computer.

Then removing the Master Password and try it again, prompt the Master Password Dialog and nothing is working.

I have already tried to deinstall Firefox entirely and moved the Profiles folder from "AppData" out of the way, but the error comes back.

The Error mus be global installed and persist AFTER an uninstall from inside Windows.

Please can you tell me, where Firefox place files over the system?

There should be AFAIK a list of it and I will check it file-by-file.

OK, now I am tired and go sleeping. 60 hours on this problem are now enough.
(Reporter)

Comment 11

3 years ago
Here new info:

My freind has gotten her Digital ID Card arround 5 weeks ago and it immediatel stoped working on her Work-Computer and on her privste Asus eeePC (Windows too)

I can not check the Version of her eeePC, but it seems, the version on her Work-Computermust be 38 or 37.  I can ot check this before Monday 2015-07-19 (currently all peoples are in holliday).

I had version 34 or 35 on my computer and it stoped working with the update to 39 some days ago.

However, reinstalling of 33, 34 or 35 did not help.

ALL VERSIONS open the master Password Dialog, EVEN if in the Settings is "Master Password off" and if I WANT to set one I see in the Dialog "Not set".

Can it be, that the NEW Digital ID Card Software trigered something in Firefox, like seting and option, which now persist?

The Estonian HelpDesk <abi@id.ee> has already respond to me this morning and ask me for logfiles and screenshoots of my ID software, Firefox dialogs and more.

This Bug become worse, because there are now more the 20 known users affected...  Unfortunately I am the only one with (Unix/Linux) programming skills.
(Reporter)

Updated

3 years ago
Severity: normal → major
OS: Unspecified → Windows 7
Hardware: Unspecified → x86_64

Comment 12

3 years ago
I installed the this https://addons.mozilla.org/es/firefox/addon/est-pkcs11-load/

Versions:
Firefox 42.0 (last update November 4th 2015)
EstEID Firefox plug-in 1.20
Estonian ID Card PKCS11 module loader 3.11.0.6179 (Estonian ID Card authentication module)

When going to https://e-estonia.com/e-residents/welcome/ and hitting Entrance, I was prompted to select the Certificate, then a new window appeared for permissions, and the Master Password request appeared.

It looks like I blocked the Master Password prompt by entering it wrong too many times. I went to Firefox's Advance Preferences (about:preferences#advanced), clicked Security Devices and there I can see the card reader and the eID with the options to login, logout (greyed-out), change password... Tried to change the password by leaving it blank and entering a new one with no luck. Then realized that the ID-Card Utility for Mac was showing that the PIN1 was blocked and needed to reset it.

The Master Password for the eID (e-resident ID card e-estonia) IS the PIN1, the "hardware" PIN/password. Reset the PIN1 using the PUK in the ID-card Utility, went to https://e-estonia.com/e-residents/welcome/ and used the PIN1 as Master Password and was finally able to login.

The test site in the Welcome shows 'undefined', helpdesk says they are fixing it, received same answer on twitter. BUT I was able to login, the card now shows the logout button in the Security Devices section, and if I go to https://www.eesti.ee/eng/start I'm able to login.

Hope this huge message help anyone looking for answers on Google.


Relevant information I found while looking for answers regarding this issue:

http://news.postimees.ee/3348383/all-e-residents-got-faulty-cards

@kasparkorjus @cfarivar @KeberNeet @ronaldliive

BTW I'm completely unable to login using Safari or Chrome in Mac OSX Yosemite, despite following instructions and almost get it to work on Safari. The reason for Chrome might be the postimees.ee's article.

Comment 13

3 years ago
So is it fixed for the Estonian users of Firefox?
Whiteboard: [passwords:master-password]
You need to log in before you can comment on or make changes to this bug.