Closed Bug 1277240 Opened 6 years ago Closed 6 years ago

The Microsoft Family Safety certificate is still imported in the Authorities tab in the Certificate Manager

Categories: Core :: Security: PSM (Type: defect, Priority: Not set, Severity: normal)
Tracking: RESOLVED FIXED, Target Milestone: mozilla49; Tracking Status: firefox49 --- fixed
People: Reporter: simona.marcu, Assigned: keeler
References: Blocks 1 open bug
Details: Whiteboard: [psm-assigned]
Attachments: 1 file

Mozilla/5.0 (Windows NT 6.3; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20160531030258

[Affected versions]:
- Nightly 49.0a1

[Affected platforms]:
- Windows 8.1

[Prerequisites]:
- have a Microsoft Child Account set up and running
- Install the latest Nightly on the Admin account

[Steps to reproduce]:
1. Log in on the Child Account
2. Launch Firefox with a new profile
3. Go to about:config, add the preference "security.family_safety.mode" and set it to "2"
4. Go to about:preferences#advanced -> Certificates -> View Certificates -> search for the Microsoft Family Safety certificate
5. Navigate to Facebook
6. Go to about:preferences#advanced -> Certificates -> View Certificates -> search for the Microsoft Family Safety certificate
7. Close Firefox
8. Reopen Firefox
9. Navigate to Facebook again
10. Go to about:preferences#advanced -> Certificates -> View Certificates -> search for the Microsoft Family Safety certificate

[Expected result]:
The Mozilla Family Safety certificate should not be imported into the Certificate Manager. Navigating to HTTPS sites should be allowed.

[Actual result]:
Navigation to Facebook in step 5 is not allowed -> the Insecure Connection message is displayed. 
In step 6, the Microsoft Family Safety certificate shows as imported into the Certificate Manager.
After restarting Firefox, the Microsoft Family Certificate is no longer present in the Certificate Manager and navigation to Facebook is allowed.

[Regression range]:
- I'll investigate and post the results as soon as possible.

Assignee: nobody → dkeeler
Whiteboard: [psm-assigned]

Comment on attachment 8759359 [details]
bug 1277240 - don't import trust anchors in SaveIntermediateCerts

https://reviewboard.mozilla.org/r/57346/#review54266

Looks good!
(Although I leave it to simonab to confirm this fully fixes the issue.)

::: security/certverifier/NSSCertDBTrustDomain.cpp:1103
(Diff revision 1)
>  
>    return NS_ERROR_FAILURE;
>  }
>  
>  void
>  SaveIntermediateCerts(const UniqueCERTCertList& certList)

Maybe we should document that certList must always be a verified chain with the trust anchor at the tail, just so it's clear that the change here is correct.

Attachment #8759359 - Flags: review?(cykesiopka.bmo) → review+

https://reviewboard.mozilla.org/r/57346/#review54266

Thanks!

> Maybe we should document that certList must always be a verified chain with the trust anchor at the tail, just so it's clear that the change here is correct.

Sounds good.

Comment on attachment 8759359 [details]
bug 1277240 - don't import trust anchors in SaveIntermediateCerts

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/57346/diff/1-2/

Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/eb3f64c79e83
don't import trust anchors in SaveIntermediateCerts r=Cykesiopka

https://hg.mozilla.org/mozilla-central/rev/eb3f64c79e83
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
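
The precondition raised in the review (a verified chain with the trust anchor at the tail), shown as an added example that is not the Firefox patch or NSS code: a simplified model of choosing which certificates of such a chain to cache as intermediates. The `Cert` struct, the function names, the sample chains, and the skipping of already-stored certificates are assumptions made for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Simplified stand-in for a certificate (hypothetical, not an NSS type).
struct Cert {
  std::string subject;
  bool alreadyInStore;  // assumption: stored certs are never re-imported
};

// Precondition (from the review): `chain` is a verified chain, end-entity at
// the head and trust anchor at the tail. Returns the subjects to cache as
// intermediates. skipTrustAnchor == false models importing the tail as well,
// the behaviour this bug reports; true models the fix.
std::vector<std::string> IntermediatesToSave(const std::vector<Cert>& chain,
                                             bool skipTrustAnchor) {
  std::vector<std::string> toSave;
  for (std::size_t i = 0; i < chain.size(); ++i) {
    if (i == 0) continue;                                    // end-entity
    if (skipTrustAnchor && i + 1 == chain.size()) continue;  // trust anchor
    if (chain[i].alreadyInStore) continue;                   // nothing to add
    toSave.push_back(chain[i].subject);
  }
  return toSave;
}

// Constructed sample: a site certificate issued directly by a root that the
// verifier accepts as a trust anchor but that is not in the certificate
// store (assumed for illustration).
std::vector<Cert> FamilySafetyChain() {
  return {{"site.example", false}, {"Microsoft Family Safety", false}};
}

// Constructed sample: an ordinary chain with one uncached intermediate.
std::vector<Cert> OrdinaryChain() {
  return {{"site.example", false},
          {"Example Intermediate CA", false},
          {"Example Root CA", true}};
}

int main() {
  for (const auto& s : IntermediatesToSave(FamilySafetyChain(), false))
    std::cout << "imported when the tail is not skipped: " << s << "\n";
  return 0;
}
```

In this model the two variants differ only when the trust anchor is not already in the store, which is the case the constructed Family Safety chain represents.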