Bug 1483184 - Certificate Export doesn't set "Mark of the Web" (MotW) on exported cert
Status: RESOLVED WONTFIX (opened 7 years ago, closed 7 years ago)
Product / Component: Core :: Security: PSM (defect)
Reporter: xiaoyin.l; Assignee: Unassigned
Details
Steps to reproduce:
1. Right click on this page. Click "View Page Info"
2. On the "Page Info" window, go to Security. Then click "View Certificate"
3. On the "Certificate Viewer" window, open Details tab. Click Export. Then save it.
4. Open the saved certificate.
Expected behavior: Windows should show a Security Warning that this file may be unsafe to open.
Actual behavior: the certificate dialog box shows up right away.
This is because Firefox doesn't set Mark of the Web on the exported .crt file. Edge sets MotW on exported certs. Chromium sends a full ping to Safe Browsing before downloading a .crt file [1], indicating that .crt files are potentially dangerous. So I think Firefox should also set MotW on exported .crt files.
[1] https://github.com/chromium/chromium/blob/092a8aa67d157dc68a1368d36a642d0d485f571e/chrome/browser/resources/safe_browsing/download_file_types.asciipb#L1734-L1742
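The behaviour the report describes can be checked directly: on NTFS, Mark of the Web is the `Zone.Identifier` alternate data stream attached to the file, and a file without that stream opens with no Security Warning. The script below is an added example, not part of the bug report or of Firefox; the exported file path and the origin URL it writes are assumptions. It reads the stream if present and, if it is missing, writes the Internet-zone marker that Edge's export would have set, so the resulting file can be compared side by side with the Firefox export.

```powershell
# Added example: inspect and, if absent, set the Mark of the Web on an exported certificate.
# The path below is hypothetical; point it at the file saved in step 3 of the report.
$ExportedCert = "$env:USERPROFILE\Downloads\exported.crt"

function Get-MotW {
    param([Parameter(Mandatory)][string]$Path)
    # MotW is the Zone.Identifier alternate data stream; it only exists on NTFS volumes.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $raw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    # Typical stream content written by a browser:
    #   [ZoneTransfer]
    #   ZoneId=3
    #   HostUrl=https://example.com/cert.crt
    $zone = [regex]::Match($raw, 'ZoneId=(\d+)').Groups[1].Value
    [pscustomobject]@{
        Path   = $Path
        ZoneId = if ($zone) { [int]$zone } else { $null }
        Raw    = $raw
    }
}

function Set-MotW {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$ZoneId = 3,          # 3 = URLZONE_INTERNET, the zone that triggers the warning
        [string]$HostUrl
    )
    $lines = @('[ZoneTransfer]', "ZoneId=$ZoneId")
    if ($HostUrl) { $lines += "HostUrl=$HostUrl" }
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $lines
}

$motw = Get-MotW -Path $ExportedCert
if ($null -eq $motw) {
    Write-Host "No Mark of the Web on $ExportedCert; Windows opens it without a Security Warning."
    # Write the marker the report expects; the HostUrl is an assumed origin.
    Set-MotW -Path $ExportedCert -HostUrl 'https://example.com/'
    Write-Host "ZoneId now: $((Get-MotW -Path $ExportedCert).ZoneId)"
} else {
    Write-Host "ZoneId=$($motw.ZoneId) already present on $ExportedCert"
}
```

Running `Get-MotW` against a .crt saved through Firefox's Certificate Viewer returns `$null`, which is the "actual behavior" in the report; after `Set-MotW`, double-clicking the file produces the Security Warning the reporter expected. `Unblock-File` removes the stream again. Note that MotW is advisory metadata read by Explorer and a few consumers; it does not change what the certificate dialog itself will do once the user clicks through.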
Updated 7 years ago
Severity: enhancement → normal
Comment 1 (7 years ago)
Paolo, should this go to the Downloads component? :)
Flags: needinfo?(paolo.mozmail)
Comment 2 (7 years ago)
No, when a "crt" file is downloaded we already consider this an executable file type. I suppose this extension is in the list because installing arbitrary certificates is potentially dangerous and users may not be aware of the effects.
In this case, however, I can assume that users who reach this dialog pretty much know what they're doing, and there's no point in marking the exported file as coming from the Internet zone. If other browsers do this, it is likely an implementation detail, or maybe their developers consider their specific user interface as more easily prone to misuse than I would with the Firefox interface. If anyone was just following deceptive instructions for Firefox to get the certificate installed and they reach this point, an extra warning after the file is saved would not make a difference.
The right component is probably "Security: PSM". I'd say this is WONTFIX, but I'll leave the decision to the triage owners of the component.
Group: firefox-core-security → core-security
Component: Page Info Window → Security: PSM
Flags: needinfo?(paolo.mozmail)
Product: Firefox → Core
Updated 7 years ago
Group: core-security → crypto-core-security
Comment 4 (7 years ago)
My sense is that if a user is tricked into following steps 1-4 they're going to also click "yes I want to run this", so I don't see the point of adding the motw in this case. Furthermore, if a user can actually follow those steps to save a certificate, there's no danger to a user "running" it because it's already been verified as a trusted certificate (note that there are other ways to get and save a certificate that isn't trusted in Firefox, but again, that involves jumping through UI hoops, and if you can convince a user to do that, I don't see how the motw will help).
Group: crypto-core-security
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → WONTFIX