security.enterprise_roots.enabled set to true causes password manager to "forget" all usernames & passwords

VERIFIED FIXED in Firefox -esr60

Status

defect
P1
normal
VERIFIED FIXED
a year ago
10 months ago

People

(Reporter: phoenixx_, Assigned: keeler)

Tracking

({dataloss, regression})

59 Branch
mozilla62

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox-esr60 61+ verified, firefox58 unaffected, firefox59 + wontfix, firefox60 + wontfix, firefox61 verified, firefox62 verified)

Details

(Whiteboard: [psm-assigned])

Attachments

(6 attachments)

(Reporter)

Description

a year ago
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20171227220103

Steps to reproduce:

Have passwords etc stored in password manager with a master password set.
Set security.enterprise_roots.enabled to true
restart firefox
Press "saved logins..." button
all users and remembered passwords are empty
set security.enterprise_roots.enabled back to false
restart firefox
Press "saved logins..." button
all saved logins and passwords are back




Actual results:

security.enterprise_roots.enabled manages to hide all saved usernames and passwords with a master pwd set. 
These settings should not be related.


Expected results:

I should be able to view all my stored usernames and passwords even with enterprise_roots set.
If I disable I can't get out on internet, if I enable I can't see my passwords for sites.

Updated

a year ago
Component: Untriaged → Password Manager
Product: Firefox → Toolkit

Comment 1

a year ago
this is reproducible and seems to have regressed by bug 1424392.
another symptom is that in good builds firefox asks you for your master password just when you're about to view saved logins. in broken builds after 1424392 there is already a box asking the master password at the start of the session.
Blocks: 1424392
Has Regression Range: --- → yes
Has STR: --- → yes
Keywords: regression
Version: Trunk → 59 Branch

Updated

a year ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Component: Password Manager → Security: PSM
Product: Toolkit → Core
keeler, can you take this on, or help find an owner? I don't know how common this might be on release, but from the severity of data loss (losing all passwords) I'm going to mark it a release blocker for now.
Flags: needinfo?(dkeeler)
Keywords: dataloss
I'd be happy to, but I can't reproduce this. :philipp - did you have to do anything special to reproduce the bug? I installed beta 59, set a master password, stored a username/password, set security.enterprise_roots.enabled to true (and made sure there was something to import), restarted Firefox, and it remembered the username/password just fine.
Flags: needinfo?(dkeeler) → needinfo?(madperson)

Comment 4

a year ago
no further special steps were involved unfortunately. i've tested it on a german windows 10 64bit OS with a new firefox profile on 59.0b5 and the same steps you've performed as well (i didn't have any particular customizations in the windows cert store to import though).

in the buggy state i also get the following output in the browser console just after launching firefox:
>NS_ERROR_XPC_GS_RETURNED_FAILURE: Component returned failure code: 0x80570016 (NS_ERROR_XPC_GS_RETURNED_FAILURE) [nsIJSCID.getService]  crypto-SDR.js:50
>Error: Initialization failed  storage-json.js:89:13
>NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS: [JavaScript Error: "Initialization failed" {file: "jar:file:///C:/Program%20Files/Mozilla%20Firefox/omni.ja!/components/storage-json.js" line: 89}]'[JavaScript Error: "Initialization failed" {file: "jar:file:///C:/Program%20Files/Mozilla%20Firefox/omni.ja!/components/storage-json.js" line: 89}]' when calling method: [nsILoginManagerStorage::initialize]  nsLoginManager.js:129
>[Exception... "Component returned failure code: 0x80570016 (NS_ERROR_XPC_GS_RETURNED_FAILURE) [nsIJSCID.getService]"  nsresult: "0x80570016 (NS_ERROR_XPC_GS_RETURNED_FAILURE)"  location: "JS frame :: resource://gre/modules/XPCOMUtils.jsm :: XPCU_serviceLambda :: line 266"  data: no]  (unbekannt)
Flags: needinfo?(madperson)

Comment 5

a year ago
Posted file profile.zip
also attaching my test profile in the erroneous state in case it helps 
(master pw set is "123")
Just a guess but do you have any accented characters or spaces in your Fx profile folder path?
Flags: needinfo?(madperson)

Comment 7

a year ago
hm, i'm not able to reproduce it on another device indeed. i don't have the affected one with me at the moment, but on top of my head i'm sure that there aren't accents and fairly positive no spaces in the profile path either, but i will need to double-check that early next week.

Comment 8

a year ago
i have no special characters at all in the folder path after double-checking it. i can reproduce it on some devices but not others and couldn't detect any pattern there... is there anything more in particular i could try to diagnose/debug the issue?
Flags: needinfo?(madperson)
Andrei can your team try to reproduce this and if you can reproduce it, give us more STR? Thanks!
Flags: needinfo?(andrei.vaida)
Hi Liz!

I managed to reproduce this issue by following the steps in comment 0.

Note*: It seems that I can only reproduce this issue using Windows machines running on the following version: 10 Pro 1709 16299.192. I couldn't reproduce this issue on Windows 10 Pro 1703 15063877 version.

Steps:

1. Launch Firefox with a clean profile.
2. Create a Master Password.
3. Save some credentials (ex. from twitter).
4. Change the security.enterprise_roots.enabled to true.
5. Restart Firefox.

After performing the above steps, the master password is displayed as soon as the session starts, the saved passwords are not displayed and I also encountered the same error as Philipp in comment 4.
Flags: needinfo?(andrei.vaida)
Emil, can you go through those steps again with the environment variables MOZ_LOG=pipnss:4 and MOZ_LOG_FILE=%TEMP%\pipnss.log and attach the resulting file? (%TEMP%\pipnss.log) (I have Windows 10 Pro 1709 16299.15 and I still can't reproduce this behavior)
Thanks!
Flags: needinfo?(emil.ghitta)
Posted file pipnss.log
Hope this helps.
Flags: needinfo?(emil.ghitta)
Thanks! Judging by this line:

> [6556:Main Thread]: D/pipnss Imported 'AVG Web/Mail Shield Root'

You might have AVG installed on that machine. Is the web browsing protection feature enabled? If so, can you still reproduce this if you disable it? (Or maybe disable AVG entirely?)
Flags: needinfo?(emil.ghitta)
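A triage helper for the `pipnss.log` produced with `MOZ_LOG=pipnss:4`, based on the `Imported '...'` line quoted above. This is an added example, not code from the bug's participants or from Mozilla. The vendor keyword list is a heuristic built from product names mentioned in this bug, and every sample log line except the AVG one is constructed.

```python
import re

# Line format taken from the log excerpt quoted in this bug:
#   [6556:Main Thread]: D/pipnss Imported 'AVG Web/Mail Shield Root'
# A leading timestamp or a process-type word before the PID is tolerated.
IMPORTED_RE = re.compile(
    r"\[(?:\w+\s+)?(?P<pid>\d+):\s*(?P<thread>[^\]]+)\]:\s+D/pipnss\s+"
    r"Imported\s+'(?P<name>.*)'\s*$"
)

# Heuristic (assumption): product names that appear in this bug's comments.
VENDOR_RE = re.compile(
    r"\b(avg|kaspersky|mcafee|bullguard|avast|warsaw)\b", re.IGNORECASE
)

# Constructed sample; only the AVG line is copied from the bug.
SAMPLE_LOG = """\
[6556:Main Thread]: D/pipnss (constructed filler line, ignored by the parser)
[6556:Main Thread]: D/pipnss Imported 'AVG Web/Mail Shield Root'
[6556:Main Thread]: D/pipnss Imported 'Example Corp Internal Root CA'
[6556:Main Thread]: D/pipnss Imported 'Example Corp Internal Root CA'
[7012:Main Thread]: D/pipnss Imported 'O'Brien Test Root'
"""


def parse_imported_roots(log_text):
    """Return one record per 'Imported' line, in log order."""
    records = []
    for line in log_text.splitlines():
        m = IMPORTED_RE.search(line)
        if m:
            records.append({
                "pid": int(m.group("pid")),
                "thread": m.group("thread").strip(),
                "name": m.group("name"),
            })
    return records


def vendor_hint(root_name):
    """Return the matched product keyword (lowercase) or None."""
    m = VENDOR_RE.search(root_name)
    return m.group(1).lower() if m else None


def summarize_roots(log_text):
    """Map each distinct root name to its import count and vendor hint."""
    summary = {}
    for rec in parse_imported_roots(log_text):
        entry = summary.setdefault(
            rec["name"], {"count": 0, "vendor": vendor_hint(rec["name"])}
        )
        entry["count"] += 1
    return summary


def interception_suspects(log_text):
    """Names of imported roots that look like AV/security-product roots."""
    return [n for n, e in summarize_roots(log_text).items() if e["vendor"]]


if __name__ == "__main__":
    for name, info in summarize_roots(SAMPLE_LOG).items():
        tag = f"  <-- matches '{info['vendor']}'" if info["vendor"] else ""
        print(f"{info['count']}x {name}{tag}")
```

An empty suspect list does not rule the bug out: later comments report affected machines with no third-party AV installed.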
My bad (I verified on 2 machines, thinking that one had Kaspersky and the other one had AVG installed. But it turned out that both machines had AVG installed).

Indeed, this issue seems to reproduce on machines with AVG 17.9.3040 installed. It seems that disabling the Web&Email protection (Disabling both Web Shield and Email Shield) or disabling AVG entirely solves this issue.

I attached another log (in case you need it).
Flags: needinfo?(emil.ghitta)

Comment 15

a year ago
Posted file pipnss.log -no av
i'm attaching the log from one of my affected devices (without any particular av software other than windows defender) as well in case it helps.
Thanks, Emil! According to this https://support.avg.com/answers?id=9060N000000U6ILQA0 the 18.2 update might fix the issue - can you check?

Philipp - is there anything else that might differentiate your affected devices? There's nothing that really jumps out at me from that log...
Flags: needinfo?(emil.ghitta)
Flags: needinfo?(madperson)

Comment 17

a year ago
(In reply to David Keeler [:keeler] (use needinfo) from comment #16)
> Philipp - is there anything else that might differentiate your affected
> devices? There's nothing that really jumps out at me from that log...

nothing that i can think of unfortunately (tried to recreate the same username/profile paths to replicate the issue on unaffected devices but without any effect). one affected laptop is fairly fresh out of the box - there are no customizations or third party software that would interfere with certificate management at all :-/

if there's anything else i can try to debug the issue please let me know.
Flags: needinfo?(madperson)
(Reporter)

Comment 18

a year ago
Have two systems having the same bug (using the same profile path - but as soon as I recreate a new profile path the bug still occurs).

So some additional info regarding the systems (as the original reporter):
Uses McAfee AV (enterprise)
Also uses (system) proxy - (ie no direct connection to internet)
It seems that the 18.2 update for AVG is not available for Windows 10 (for now at least).

I'll keep an eye on the AVG update to see if that solves the issue, in the meanwhile I'll try reproducing it on machines that don't have AVG installed.
Flags: needinfo?(emil.ghitta)
keeler, does this help? It still sounds serious, since we can reproduce it with AVG consistently.
Flags: needinfo?(dkeeler)
I'll see if I can reproduce on my machine now that we have more details. However, I don't think the odds are good we'll be able to do much to protect against various av products messing with our certificate databases - the solution might be to have them fix their implementations.
Flags: needinfo?(dkeeler)
Lukas, I wonder if your team can take a look at this issue.
Flags: needinfo?(rypacek)
Duplicate of this bug: 1439317
On further discussion it sounds like we don't ship with this preference on by default. That makes this more of an edge case, and users can recover from it by flipping the pref back.  

So, I no longer consider this to block 59.

Comment 25

a year ago
curiously i cannot reproduce the issue anymore on two win10 devices without particular av software that were consistently showing the issue before, perhaps some external windows/defender update played a role in this.

on other new lenovo notebooks the issue seems to be reproducible when "intel online connect" software is present there:
https://support.lenovo.com/us/en/downloads/ds500906
https://www.intel.com/content/www/us/en/security/online-connect.html
So it seems that AVG updated to 18.2.3046 on my Windows 10 machine.

Unfortunately this issue is still reproducible by following the steps mentioned in comment 10.
Is this something we should be worrying about for ESR60?  (I'm suspecting those users are more likely to be using local/enterprise roots)
Flags: needinfo?(dkeeler)
Yes, we should probably try and fix this for ESR60. The problem is I still can't reproduce this. Emil - is there some way of getting me a vm image or maybe even physical machine that this reproduces on?
Flags: needinfo?(dkeeler) → needinfo?(emil.ghitta)
Sure thing! We shall discuss this in private.
Flags: needinfo?(emil.ghitta)
Did you have any luck reproducing?
Flags: needinfo?(dkeeler)
Yes - I've reproduced the bug on the machine I've been given access to. The logs aren't elucidating, so I'll probably have to make some custom builds and dig a bit deeper. Haven't had time to complete that yet. I'll keep everyone updated with my progress.
Flags: needinfo?(dkeeler)

Comment 32

a year ago
This problem is happening with a banking security module called Warsaw (www.dieboldnixdorf.com.br/gas-antifraude), used by some banks in Brazil. The module forces "security.enterprise_roots.enabled" to true. If I switch back to false, there is no possibility to log in to the bank's website.
[Tracking Requested - why for this release]: security.enterprise_roots.enabled is more likely to be enabled on ESR (we have an enterprise policy for it IIRC)

Comment 34

a year ago
we got multiple support requests from users about this in the past couple of days that were using bullguard antivirus-software. apparently that product now flips the pref too.
Assignee: nobody → dkeeler
Priority: -- → P1
Whiteboard: [psm-assigned]

Comment 36

a year ago
This appears to be a broader issue with "managed" machines, at least on Macs. My company uses VMware AirWatch. Brand-new laptop, fresh install of Firefox 59.0.2. Copied over the contents of the active profile folder from the previous laptop (old, Win7, Firefox 59.0.3) as I have done every time I've moved to a new machine since the Mozilla 0.9 days 15 years ago. I have moved between Windows and OS X/macOS, and vice-versa successfully, countless times. Yet this time, I was not prompted for the Master Password for saved logins from the very first launch of Firefox on the new machine. Took a fair amount of Googling to arrive at this bug report. I have verified the same behavior with Nightly as well, so it doesn't appear to be restricted to ESR builds as suggested in Comment #33 above.
Comment on attachment 8974207 [details]
bug 1427248 - avoid changing certificate trust in nsNSSComponent initialization

https://reviewboard.mozilla.org/r/242500/#review248424

Looks good. Thanks.
Attachment #8974207 - Flags: review?(franziskuskiefer) → review+
(In reply to pavanraj from comment #36)
> This appears to be a broader issue with "managed" machines, at least on
> Macs.

The feature causing the issue in this bug isn't available on OS X, so the root cause probably won't be the same as what's causing the failures for you. Please file a new bug with as much detail as you can share: https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Security%3A%20PSM
Flags: needinfo?(pavanraj)
Comment on attachment 8974207 [details]
bug 1427248 - avoid changing certificate trust in nsNSSComponent initialization

https://reviewboard.mozilla.org/r/242500/#review248742

r+, though I am opinionated below. :)

::: security/manager/ssl/nsNSSComponent.cpp:954
(Diff revision 1)
>  
> +NS_IMETHODIMP
> +nsNSSComponent::TrustLoaded3rdPartyRoots()
> +{
> +#ifdef XP_WIN
> +  MutexAutoLock lock(mMutex);
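
Review bot: `TrustLoaded3rdPartyRoots()` acquires `mMutex` itself at the top of the `#ifdef XP_WIN` block, and nothing in the visible lines documents that callers must not already hold it. A short comment above the function stating that it takes `mMutex` on its own, and so must be called without the lock held, would keep a later caller on an already-locked path from trying to re-acquire it.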

I'm not a big fan of how `TrustLoaded3rdPartyRoots` and `UnloadFamilySafetyRoot` both lock `mMutex` themselves, but `UnloadEnterpriseRoots` and `ImportEnterpriseRootsForLocation` defers it to the caller, asking for a proof of lock.

I am guessing it's a minor optimization to avoid locking the mutex on `ifdef`'d out platforms. I'm not sure that rare occasion the pref changes or whatnot is worth the maintenance inconsistency here.
Attachment #8974207 - Flags: review?(jjones) → review+
Eh, more of an oversight, really. It doesn't make sense for UnloadEnterpriseRoots to take a lock proof because it's not called in a context where we already have a lock any longer. For ImportEnterpriseRootsForLocation I think it still makes sense, though, since it's being called three times in a row.

Comment 44

a year ago
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0693ec09dd68
avoid changing certificate trust in nsNSSComponent initialization r=fkiefer,jcj
Backed out changeset 0693ec09dd68 (bug 1427248) for bustage at build/src/security/manager/ssl/nsNSSComponent.cpp on a CLOSED TREE 

Backout: https://hg.mozilla.org/integration/autoland/rev/4defb0651db031c090f6805ccccf143753c81c57

Failure push: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=0693ec09dd681c54f3e0c8c64ec4dbc4916d10a1

Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=177937449&repo=autoland&lineNumber=32910

[task 2018-05-10T20:15:08.748Z] 20:15:08     INFO -  In file included from /builds/worker/workspace/build/src/obj-firefox/security/manager/ssl/Unified_cpp_security_manager_ssl1.cpp:137:0:
[task 2018-05-10T20:15:08.748Z] 20:15:08     INFO -  /builds/worker/workspace/build/src/security/manager/ssl/nsNSSComponent.cpp:824:20: error: 'kEnterpriseRootModePref' defined but not used [-Werror=unused-variable]
[task 2018-05-10T20:15:08.748Z] 20:15:08     INFO -   static const char* kEnterpriseRootModePref = "security.enterprise_roots.enabled";
[task 2018-05-10T20:15:08.748Z] 20:15:08     INFO -                      ^~~~~~~~~~~~~~~~~~~~~~~
[task 2018-05-10T20:15:08.748Z] 20:15:08     INFO -  cc1plus: all warnings being treated as errors
[task 2018-05-10T20:15:08.748Z] 20:15:08     INFO -  /builds/worker/workspace/build/src/config/rules.mk:1030: recipe for target 'Unified_cpp_security_manager_ssl1.o' failed
[task 2018-05-10T20:15:08.748Z] 20:15:08     INFO -  make[4]: *** [Unified_cpp_security_manager_ssl1.o] Error 1
Flags: needinfo?(dkeeler)
Ok - I consolidated the windows-specific things so we should have less of this from now on.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=eef21748a2f3a085d86d1ac34bdd08e53d38921d
Flags: needinfo?(dkeeler)

Comment 48

a year ago
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/33ae17f18193
avoid changing certificate trust in nsNSSComponent initialization r=fkiefer,jcj

Comment 49

a year ago
(In reply to David Keeler [:keeler] (use needinfo) from comment #38)
> (In reply to pavanraj from comment #36)
> > This appears to be a broader issue with "managed" machines, at least on
> > Macs.
> 
> The feature causing the issue in this bug isn't available on OS X, so the
> root cause probably won't be the same as what's causing the failures for
> you. Please file a new bug with as much detail as you can share:
> https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Security%3A%20PSM

Thank you! Turns out there was something in the Windows 7 profile folder that wouldn't work on the Mac. Everything worked when I copied over just the key4.db file.
Flags: needinfo?(pavanraj)

Comment 50

a year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/33ae17f18193
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Flags: qe-verify+
This issue is no longer reproducible using Firefox 62.0a1 (BuildId:20180514220126) by following the steps mentioned in comment 10.

It seems that the saved passwords are successfully displayed. Tested using the following AV's on Windows 10 64bits:
- AVG Internet Security (18.4.3056)
- Kaspersky Endpoint Security 10 (10.3.0.6294)
- McAfee Total Protection (16.0 R7)
- BullGuard Internet Security (18.1.35.1.4)
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Thanks for the verification, Emil!

David, I think we're ready for Beta/ESR60 approval requests here? It grafts cleanly to Beta as-landed, but will need a rebased patch for ESR60.
Flags: needinfo?(dkeeler)
Comment on attachment 8974207 [details]
bug 1427248 - avoid changing certificate trust in nsNSSComponent initialization

Approval Request Comment
[Feature/Bug causing the regression]: bug 1265113, but ultimately a long-standing issue
[User impact if declined]: users can't use enterprise roots and a master password at the same time if av software decides to intercept loading any uri and make a network request
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: yes - see comment 10
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: not very
[Why is the change risky/not risky?]: the fix is fairly easy - we just defer trusting 3rd party roots until a later event loop tick
[String changes made/needed]: none
Flags: needinfo?(dkeeler)
Attachment #8974207 - Flags: approval-mozilla-beta?
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: this addresses a feature relevant to enterprise situations, where esr is more likely to be used
User impact if declined: users can't automatically import enterprise roots if they also have a master password set and av software intercepts loading URIs
Fix Landed on Version: 62
Risk to taking this patch (and alternatives if risky): in theory an https load that relied on trusting an enterprise root could finish (and thus fail) before the event tick that trusts imported roots, but I think this is unlikely (the network would have to be very fast and the client would have to be very slow). In any case, if this happens, the user can just refresh the page and it should work.
String or UUID changes made by this patch: none

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8975998 - Flags: approval-mozilla-esr60?
Comment on attachment 8974207 [details]
bug 1427248 - avoid changing certificate trust in nsNSSComponent initialization

Pretty nasty issue for users under reasonably common use cases, approved for 61.0b6.
Attachment #8974207 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
This issue is verified fixed using Firefox 61.0b6 (BuildId:20180517141400) on Windows 10 64bit as well. Used the same AV's mentioned in Comment 51.
Flags: qe-verify+
Comment on attachment 8975998 [details] [diff] [review]
patch for esr60

fix an issue when using enterprise roots, approved for 60.1esr
Flags: needinfo?(rypacek)
Attachment #8975998 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
The issue is verified as fixed using Firefox 60.1.0 ESR build.

The passwords are successfully displayed after the restart. I have tested using the following AV's on Windows 10 64bit and 32bit:
  - Kaspersky v10.3.6294
  - AVG Internet Security v18.4
  - Avast v18.4.2338
  - McAfee Total Protection v16.0
  - BullGuard Internet Security v18.1
Flags: qe-verify+