Closed
Bug 157224
Opened 23 years ago
Closed 22 years ago
RFE: allow override of invalid signature on SSL server certs
Categories
(Core Graveyard :: Security: UI, enhancement, P3)
Tracking
(Not tracked)
RESOLVED
INVALID
Future
People
(Reporter: nelson, Assigned: ssaux)
Details
This issue is with all versions of PSM in N6, N7 and Moz 1.0.
When SSL is verifying the cert chain of an SSL server cert, it may find
many problems with certs in the chain, such as a cert from an unknown
issuer, a cert from a known but untrusted issuer, or a cert with an
invalid signature. In the cases of unknown or untrusted issuers, PSM
allows the user to choose to trust the cert and continue with the operation.
In the case where the signature is invalid, PSM does not give the user this
choice. This is inconsistent.
| Reporter | ||
Comment 1•23 years ago
|
||
We also let the user accept expired certificates. So, the case of
the invalid signature seems to be the exception to the general rule
that PSM ordinarily allows users to accept/trust certs.
Updated•23 years ago
|
Priority: -- → P3
Version: unspecified → 2.3
| Assignee | ||
Comment 2•23 years ago
|
||
We need a consensus within the security team. Because any change would involve
some UI, this won't happen soon.
cc thayes.
Target Milestone: --- → Future
| Reporter | ||
Comment 3•23 years ago
|
||
The resolution to this bug may not require the addition of any new dialogs.
It may suffice to simply use an existing dialog in a place where it is not
now being used.
Comment 4•22 years ago
|
||
The case of an invalid signature is fundamentally different than the other cases
which currently allow the user to accept/trust certs. It is akin to the case of
a bad MAC on a SSL frame. It is a protocol failure, not a lack of trust, so
asking the user about trust is not appropriate.
Suggest closing INVALID.
| Reporter | ||
Comment 5•22 years ago
|
||
I agree.
Severity: normal → enhancement
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
Summary: PSM inconsistent about letting users trust SSL server certs → RFE: allow override of invalid signature on SSL server certs
Updated•9 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•