Closed Bug 1613443 Opened 5 years ago Closed 4 years ago

built-in distrusted certificates should not be shown in the "servers" tab of the certificate manager

Categories

(Core :: Security: PSM, enhancement, P3)

Product:
Core
Component:
Security: PSM
Type:
enhancement

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1645492

People

(Reporter: mozsecurity, Unassigned)

Details

(Whiteboard: [psm-backlog])

Attachments

(2 files)

diginotar_server.jpg
56.12 KB, image/jpeg
Details
diginotar_nottrusted_where.jpg
70.36 KB, image/jpeg
Details
Attached image diginotar_server.jpg

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0

Steps to reproduce:

Opened the certificate manager (on a Firefox version which had been updated many times).

Actual results:

There are Diginotar certificates and I can't verify that they are not trusted.

Expected results:

Some verification message proofing that these certificates are in fact untrusted and only there to prevent them to be imported and trusted.

Assignee: nobody → wthayer
Component: Untriaged → CA Certificate Compliance
Product: Firefox → NSS
QA Contact: wthayer
Version: 72 Branch → other

Dana: can you help explain the issue here?

Flags: needinfo?(dkeeler)

This looks like the same issue as bug 829677, or at least solving that bug would also solve the issue here.

I would say it is not necessary to remove them (as they serve the purpose of blocking "fraudulent" certificates), but it would be helpful to show the user that these aren't trusted (i.e. have their title being written in red and show red "here for preventing the certificate to be trusted , don't remove" under the title on the details).

Currently one could think that someone wants to spy on the user as they seem to be trusted for all servers in the UI. Maybe the text in the server column should be changed from showing * to "none (certificate revoked)" or something like this.

There is also bug 733716 which is about improving the UI of the certificate manager.

Those are left over from the DigiNotar incident. My understanding is NSS used to store a copy of the certificate along with the distrust record (when in theory all that's needed is the distrust record). We shouldn't even be showing those kinds of certificates in that tab.

Assignee: wthayer → nobody
Type: defect → enhancement
Component: CA Certificate Compliance → Security: PSM
Flags: needinfo?(dkeeler)
Product: NSS → Core
QA Contact: wthayer
Summary: Diginotar certificates in server tab of certificate manager and not shown as untrusted → built-in distrusted certificates should not be shown in the "servers" tab of the certificate manager
Version: other → unspecified

If I understand the comments on the other bugs correctly the shown certificates aren't real DigiNotar certificates, but dummy certificates (invalid signature and higher serial number) as a quirk to prevent the real ones to be imported by incident.

In my opinion the UI should be improved to show whether the certificates are being trusted or not. The current certificate detail UI is hiding some details from other certificates too (i.e. DNS naming constraints). I think the former UI showed more details of a certificate (but maybe I remember the Windows certificate UI).

Priority: -- → P3
Whiteboard: [psm-backlog]
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: