Closed
Bug 1234112
Opened 8 years ago
Closed 3 years ago
once the user overwrites certificate trustbits, he doesn't get any removals of those from Mozilla
Categories
(Firefox :: Security, defect)
RESOLVED
INCOMPLETE
People
(Reporter: calestyo, Unassigned)
Hey. (Also applies to Thunderbird.)

One of the many problems with Mozilla's certificate handling is the following: if a security-conscious user goes through the list of CAs and removes trust bits from built-in objects, e.g. say he doesn't trust certain CAs to sign software (let's take one of the CAs from totalitarian countries as an example), then it seems that the full set (web/mail/software) of trustbits is stored in the cert store (as e.g. certutil -L shows).

The problem with that is now the following: going through https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport, it seems that Mozilla regularly removes certain of the trust bits (indicated by e.g. "Websites trust bit turned off in Firefox 32" in one of the columns). Because of the above, any users who re-set their trust bits, just with the intent of removing some of them, won't get these updates.

Because of bug #1078764, there is not even a warning that something on the built-in cert store had been changed, so that the user could start to evaluate.

Marking as major, because this may easily have security implications.

Cheers, Chris.
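An added example, not part of the original report and not Mozilla code: an audit check for the situation described above, comparing a profile's stored trust flags with the current built-in defaults and reporting usages the profile still trusts after the default dropped them. It assumes both inputs are text in `certutil -L` layout; how the defaults listing is obtained is left open, and the nicknames and flag values are constructed sample data.

```python
import re

# certutil -L prints three comma-separated trust fields per certificate.
USAGES = ("websites", "email", "software")
LINE = re.compile(r"^(.*\S)\s+([A-Za-z]*),([A-Za-z]*),([A-Za-z]*)\s*$")

# Constructed sample data; nicknames are placeholders, not real CAs.
# DEFAULTS: current built-in trust. LOCAL: the profile after the user edited
# trust at a time when all three bits were still on by default.
DEFAULTS = """\
Certificate Nickname                      Trust Attributes
                                          SSL,S/MIME,JAR/XPI

Example Root CA 1                         C,C,C
Example Root CA 2                         ,C,
"""
LOCAL = """\
Example Root CA 1                         C,C,
Example Root CA 2                         C,C,
"""

def parse_listing(text):
    """Map nickname -> set of usages for which the cert is a trusted CA."""
    trust = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or blank line
        name, fields = m.group(1), m.groups()[1:]
        # 'C' and 'T' mark a trusted CA; lowercase 'c' is only "valid CA".
        trust[name] = {u for u, f in zip(USAGES, fields) if set(f) & {"C", "T"}}
    return trust

def stale_overrides(local_text, defaults_text):
    """Usages the local store still trusts although the default no longer does."""
    local, defaults = parse_listing(local_text), parse_listing(defaults_text)
    findings = []
    for name in sorted(local):
        if name in defaults:  # skip certificates the user imported
            for usage in USAGES:
                if usage in local[name] and usage not in defaults[name]:
                    findings.append((name, usage))
    return findings

if __name__ == "__main__":
    for name, usage in stale_overrides(LOCAL, DEFAULTS):
        print(f"{name}: local store keeps '{usage}' trust that the default dropped")
```
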
Comment 1•3 years ago
Marking this as Resolved > Incomplete since the last activity on this issue was many years ago and it might not be relevant anymore. Feel free to re-open if the issue is still reproducible on your end in the latest FF versions.
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE