Master password dialog shown repeatedly when visiting a site that requests a client certificate
Categories: Core :: Security: PSM, defect
Reporter: mayfield+bugzilla, Unassigned
Attachments: 1 file (152.62 KB, image/png)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0
Steps to reproduce:
User Agent Mozilla/5.0 (X11; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0
Build ID 20200602222727
- I have a master password set but I moved all of my credentials to an external password manager last year so FF's password db no longer contains any passwords.
- I also do not have 'sync' enabled
- I visited the following URL: https://ww3.rainbird.com/homeowner/support/video-RotorArcAdjust.htm
Actual results:
While loading that website, FF requests the master password. If I cancel the password dialog, another one appears. In total, FF requests the password 6 times while loading that website.
I then restarted FF in safe mode and enabled debug-logging for the password manager to see if anything interesting was happening. One thing that stood out were dozens of "STATE_IS_BROKEN without a known reason" messages. However, none of the log messages seemed to correlate with the appearance of the password dialogs.
09:17:59.539 STATE_IS_BROKEN without a known reason. Full state was: 1 ThreadSafeDevToolsUtils.js:82:13
09:17:59.636 This site uses a deprecated version of TLS that will be disabled in March 2020. Please upgrade to TLS 1.2 or 1.3.
...
...
Expected results:
There are no passwords stored in FF's password database so FF should not be requesting the master password.
Comment 1•5 years ago
(In reply to Jimmie Mayfield from comment #0)
> - I have a master password set but I moved all of my credentials to an external password manager last year so FF's password db no longer contains any passwords.
Hello,
- Can you confirm that your logins.json file in the Firefox profile folder has no logins (logins: [])? It's possible it still has logins that cannot be decrypted and therefore aren't shown in about:logins.
- If you rename that file when Firefox is shut down, does the problem go away?
Comment 2•5 years ago
Hi.
- Interestingly, logins.json contains a number of logins even though about:logins shows none. That's a bit concerning, I suppose.
- Closing Firefox then moving logins.json to the parent directory and finally starting Firefox again had no effect. I'm still prompted 6 times for the master password. Is there a backup file somewhere in the profile directory that Firefox might be using? (The timestamps of other files in the profile directory suggest that this really is the correct profile directory.)
Comment 3•5 years ago
(In reply to Jimmie Mayfield from comment #2)
> - Interestingly, logins.json contains a number of logins even though about:logins shows none. That's a bit concerning, I suppose.
This can happen if you ever messed with key3.db/key4.db files in your profile folder or have a mismatch between logins.json files and the key*.db file that was used to encrypt the logins.
> - Closing Firefox then moving logins.json to the parent directory and finally starting Firefox again had no effect. I'm still prompted 6 times for the master password.
Hmm… can you also try uncheck "Ask to save logins and passwords…" at about:preferences#privacy-logins and see if the problem still happens? If not, then this isn't a master password issue and is probably related to client certificates.
> Is there a backup file somewhere in the profile directory that Firefox might be using? (The timestamps of other files in the profile directory suggest that this really is the correct profile directory.)
No, not yet. We are currently working on that.
No, not yet. We are currently working on that.
Comment 4•5 years ago
> Hmm… can you also try uncheck "Ask to save logins and passwords…"
It was already unchecked. In case that a flag had become stuck, I checked it and then unchecked it and tried to load that URL again and got the same results. Firefox again asked for the master password.
I'm not sure I understood your comment about client certificates. Do client cert issues typically cause Firefox to request the master password (e.g. is the master password used for things other than encrypting credentials)?
Comment 5•5 years ago
(In reply to Jimmie Mayfield from comment #4)
> > Hmm… can you also try uncheck "Ask to save logins and passwords…"
> It was already unchecked. In case that a flag had become stuck, I checked it and then unchecked it and tried to load that URL again and got the same results. Firefox again asked for the master password.
OK, so this isn't a password manager issue then.
> I'm not sure I understood your comment about client certificates. Do client cert issues typically cause Firefox to request the master password (e.g. is the master password used for things other than encrypting credentials)?
Yes, client certificates are also protected by Master Password (maybe even smart cards too?). Do you use them? Why do you have the master password on if you didn't think it was protecting anything?
If you load the URL chrome://pippki/content/certManager.xhtml then you can see "Your Certificates". Do you see any there?
Comment 6•5 years ago
> Why do you have the master password on if you didn't think it was protecting anything?
I used to have a couple dozen passwords stored in the Firefox password manager. About 6 months to a year ago, I began using an external manager and, as part of that transition, deleted all of my logins from the Firefox password manager (or so I thought... the contents of logins.json suggest that at least some of those endured). Afterwards I left the master password enabled mostly as an oversight.
I also realize that I could disable the master password and this issue would likely evaporate. But if it's indicative of a problem, I figured it would be best to inquire about it rather than turn it off and hide it.
> If you load the URL chrome://pippki/content/certManager.xhtml then you can see "Your Certificates". Do you see any there?
"Your Certificates" and "People" show nothing.
I DO see a few certs in the "Servers" list that correspond to some devices on my local network that (presumably) I've created permanent exceptions for... a network printer, a CUPS daemon, etc.
Comment 7•5 years ago
Ok, do you use a smart card?
Did you ever use Sync in the past? Are values of services.sync.account or services.sync.username set (they will look bold) in about:config?
Comment 8•5 years ago
> Ok, do you use a smart card?
No.
> Did you ever use Sync in the past? Are values of services.sync.account or services.sync.username set (they will look bold) in about:config?
I vaguely remember playing with Sync when it was first announced (I think it used a different name at the time?). I think that was on a different machine, though.
Near as I can tell, neither of those keys exist in about:config.
(Thanks, by the way, for taking the time to investigate this)
Comment 9•5 years ago
Would you be comfortable using a native code debugger (e.g. GDB) if I give you instructions with commands to run? Can you confirm the problem still happened in safe mode?
Comment 10•5 years ago
Sure. I'm very familiar with gdb. Though I've never built Firefox before...
Yes, the problem happens in safe mode. I also created a new userid on the system with an empty profile and verified that it still happened so it doesn't appear to be tied to anything in my profile.
Comment 11•5 years ago
Hello, I realized you can probably use the built-in profiler for this case so then you get both JS and native code stacks together.
- Install Firefox Nightly. Restart Firefox to ensure you're logged out of Master Password. Ideally close any tabs that you wouldn't want including in a profile (or test in a new profile).
- Go to https://profiler.firefox.com/ and follow instructions to enable the profiler toolbar button. Memorize the keyboard shortcut to "Capture and Load profile" to use in step 6.
- Choose the "Firefox Platform" preset in the profiler toolbar panel.
- Click Start Recording
- Open https://ww3.rainbird.com/homeowner/support/video-RotorArcAdjust.htm as you normally do to trigger the MP dialog.
- Once the MP dialog appears, cancel it or authenticate.
- Press the keyboard shortcut from step 2 (probably Ctrl+Shift+2). A new tab will open after a second containing a profile of the code that ran while it was recording.
- Select the Parent Process track at the top
- On the Call Tree tab, filter for PK11PasswordPrompt, then ensure there are still stack frames showing below. If not, record again at step 4 but with a lower sampling interval by clicking "Edit Settings…" in the Profiler panel.
- Click the green "Publish…" option in the top-right of the page with the profile
- Check whatever boxes you are comfortable with and then share the URL with me in the bug or email depending on whether there is sensitive data in the profile. I only need the Parent Process track to get the stack for how the MP was triggered.
Thanks in advance!
EDIT: I didn't realize that "Native Stacks" aren't on release Firefox so you need to do these steps in Firefox Nightly
Comment 12•5 years ago
I can reproduce these repeated Primary Password prompts when clicking the Enable TLS 1.0/1.1 button. Are we maybe storing/querying state in cert*.db then and need to encrypt/decrypt?
Comment 13•5 years ago
The server is requesting a client certificate, so Firefox queries for private keys, which involves unlocking the softoken, which in this case has a password.
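What comment 13 describes, as an added illustration that is not code from this bug or from Firefox: a small parser over a constructed TLS 1.2 server flight that reports whether the server sent a CertificateRequest, the handshake message that makes a client go looking for a private key (and, in Firefox, for the softoken behind the master password). The sample bytes are constructed here, not captured from the site in the report.

```python
import struct

HANDSHAKE_RECORD = 0x16
HS_NAMES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
            13: "CertificateRequest", 14: "ServerHelloDone"}
HS_CERTIFICATE_REQUEST = 13


def handshake_types(flight: bytes) -> list:
    """Return the handshake message types carried by a sequence of TLS records."""
    body = b""
    off = 0
    while off + 5 <= len(flight):
        ctype, _version, length = struct.unpack("!BHH", flight[off:off + 5])
        off += 5
        if ctype == HANDSHAKE_RECORD:
            body += flight[off:off + length]  # messages may span record boundaries
        off += length
    types = []
    pos = 0
    while pos + 4 <= len(body):
        hs_type = body[pos]
        hs_len = int.from_bytes(body[pos + 1:pos + 4], "big")
        types.append(hs_type)
        pos += 4 + hs_len
    return types


def server_requests_client_cert(flight: bytes) -> bool:
    """True when the server's flight contains a CertificateRequest (type 13)."""
    return HS_CERTIFICATE_REQUEST in handshake_types(flight)


def _hs(hs_type: int, payload: bytes) -> bytes:
    return bytes([hs_type]) + len(payload).to_bytes(3, "big") + payload


def _record(payload: bytes) -> bytes:
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0303, len(payload)) + payload


# Constructed sample flights (not captured from any real server).
_SERVER_HELLO = _hs(2, b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00")
_EMPTY_CERT = _hs(11, b"\x00\x00\x00")
# CertificateRequest: types rsa_sign(1), ecdsa_sign(64); sigalg sha256/rsa; no CA names
_CERT_REQUEST = _hs(13, b"\x02\x01\x40" + b"\x00\x02\x04\x01" + b"\x00\x00")
FLIGHT_WITH_REQUEST = _record(_SERVER_HELLO) + _record(_EMPTY_CERT + _CERT_REQUEST + _hs(14, b""))
FLIGHT_WITHOUT_REQUEST = _record(_SERVER_HELLO + _EMPTY_CERT + _hs(14, b""))

if __name__ == "__main__":
    for name, flight in (("with", FLIGHT_WITH_REQUEST), ("without", FLIGHT_WITHOUT_REQUEST)):
        seen = [HS_NAMES.get(t, str(t)) for t in handshake_types(flight)]
        print(name, seen, "-> client cert requested:", server_requests_client_cert(flight))
```

A CertificateRequest with an empty CA list (as in the sample) still counts: the client is asked for a key regardless of which CAs are named, which is why a user with no client certificates at all can still see the prompt.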
Comment 14•5 years ago
There's not much we can do here. Eventually we'd like to be in a situation where there doesn't need to be a primary password on the softoken because it doesn't store anything sensitive, but that work will happen in many other bugs.