Closed Bug 1234112 Opened 8 years ago Closed 3 years ago

Once the user overwrites certificate trust bits, he doesn't get any removals of those from Mozilla

Categories: Firefox :: Security
Type: defect
Priority: Not set
Severity: major

Status: RESOLVED INCOMPLETE

People: Reporter: calestyo, Unassigned

Hey.

(Also applies to Thunderbird).

One of the many problems with Mozilla's certificate handling is the following:

If a security-conscious user goes through the list of CAs and removes trust bits from built-in objects (e.g. say he doesn't trust certain CAs to sign software; let's take one of the CAs from totalitarian countries as an example), then it seems that the full set (web/mail/software) of trust bits is stored in the cert store (as e.g. certutil -L shows).

The problem with that is now the following:
Going through https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport, it seems that Mozilla regularly removes certain of the trust bits (indicated by e.g. "Websites trust bit turned off in Firefox 32" in one of the columns).

Because of the above, any users who re-set their trust bits, just with the intent of removing some of them, won't get these updates.

Because of bug #1078764, there is not even a warning that something in the built-in cert store has been changed, so that the user could start to evaluate.

Marking as major, because this may easily have security implications.


Cheers,
Chris.
See Also: → 1078764
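A defender-side check for the gap the report describes, added here as an example and not code from the bug, from Firefox or from NSS: it parses `certutil -L` output and flags built-in roots whose locally stored trust bits still grant a use that the upstream root program (as listed in the IncludedCACertificateReport) has since turned off. Both the certutil output and the upstream trust table below are constructed placeholders, not real CA data.

```python
import re

# Constructed sample of `certutil -L -d sql:<profile>` output (placeholder
# nicknames, not real CAs). Columns: nickname, then SSL,S/MIME,JAR/XPI flags.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:Example Root CA 1                       C,C,
Builtin Object Token:Example Root CA 2                       ,C,C
Example Root CA 3                                            C,C,C
"""

# Constructed stand-in for the upstream report (assumption): which trust
# bits Mozilla currently grants each built-in root.
UPSTREAM_TRUST = {
    "Example Root CA 1": {"ssl": False, "email": True, "code": False},
    "Example Root CA 2": {"ssl": False, "email": True, "code": True},
    "Example Root CA 3": {"ssl": True, "email": True, "code": False},
}

USES = ("ssl", "email", "code")  # order of the three certutil columns
LINE_RE = re.compile(r"^(.*?)\s{2,}([CTcpPu]*,[CTcpPu]*,[CTcpPu]*)\s*$")

def parse_certutil_list(text):
    """Return {nickname: {use: trusted_as_ca}} from `certutil -L` output."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header and blank lines carry no trust triple
        nickname, attrs = m.group(1), m.group(2).split(",")
        # Drop the token prefix so a root matches the upstream table whether
        # it is listed from the built-in module or from the profile DB.
        name = nickname.split("Builtin Object Token:", 1)[-1]
        # 'C' = trusted to issue certs for that use; anything else is not.
        result[name] = {use: "C" in flags for use, flags in zip(USES, attrs)}
    return result

def find_stale_overrides(local, upstream):
    """(nickname, use) pairs the local store still trusts but upstream no longer does."""
    stale = []
    for name, bits in local.items():
        expected = upstream.get(name)
        if expected is None:
            continue  # not a built-in root, nothing to compare against
        stale.extend((name, use) for use in USES if bits[use] and not expected[use])
    return stale

if __name__ == "__main__":
    for name, use in find_stale_overrides(parse_certutil_list(SAMPLE_CERTUTIL_OUTPUT), UPSTREAM_TRUST):
        print(f"review: local store still trusts '{name}' for {use}, upstream turned it off")
```

Run against a real profile by replacing SAMPLE_CERTUTIL_OUTPUT with the captured `certutil -L` text and UPSTREAM_TRUST with values taken from the current report.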

Marking this as Resolved > Incomplete since the last activity on this issue was many years ago and it might not be relevant anymore. Feel free to re-open if the issue is still reproducible on your end in the latest FF versions.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE