Closed Bug 1645492 Opened 5 years ago Closed 5 years ago

New Certificate Viewer does not show "distrusted" state for DigiNotar root cert and others

Categories

(Core :: Security: PSM, defect, P1)

Tracking

RESOLVED FIXED
mozilla80
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- fixed
firefox78 --- wontfix
firefox79 --- wontfix
firefox80 --- fixed

People

(Reporter: dveditz, Assigned: keeler)

References

(Blocks 1 open bug)

Details

(Keywords: regression, Whiteboard: [psm-assigned])

Attachments

(1 file)

NSS ships with a number of explicitly distrusted certs, such as DigiNotar's root. This fact is no longer shown in the Certificate Viewer which leads people to think we are shipping with valid certs for entities for which there was a huge public scandal.

STR:

  1. open about:preferences
  2. select "Privacy & Security" tab
  3. scroll down and click the "View Certificates..." button
  4. click the "Servers" tab
  5. Select and "View..." the DigiNotar Root CA

Expected result:
Some indication that this CA can't be used. The Old UI used to have the string "This certificate could not be verified because it is not trusted." at the top, which wasn't very noticeable, but better than nothing. It was squeezed in with limited space on the old UX; we could probably do better (angry red border? <blink> ?)

Actual Result:
Shows the cert details as normal, looks like any other valid root CA

Example of user concern seen in #security:mozilla.org on Matrix

hello. i have 2 certificates with * in server column, in server tab, in certificates window of firefox. does not it mean that these certificates may work on any domain?!
i have googled by its name and see that seems that certificates are canceled: https://en.wikipedia.org/wiki/DigiNotar , may be , for that, firefox moved them to the "server" section?
if the problem was in 2011, how that certificate appeared here in 2020? i installed firefox several weeks or months ago and i do not copy certificate files from previous installation.

Blocks: cert-viewer
Severity: -- → S3
Priority: -- → P3

We shouldn't even be displaying those certificates.

Assignee: nobody → dkeeler
Component: Security → Security: PSM
Priority: P3 → P1
Product: Firefox → Core
Whiteboard: [psm-assigned]

Before this patch, the "Servers" tab of the certificate manager would show
built-in distrust records that had corresponding certificates (lately, this has
only consisted of two DigiNotar look-alike roots that were added many years ago
to block the real DigiNotar roots and potential cross-signs).
This patch changes the implementation to only show certificates that actually
have a corresponding error override in the "Servers" tab.
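
Added example (not part of this bug, the patch, or NSS): a minimal Python reader for the certdata.txt layout in which NSS keeps its built-in trust records. It shows how a distrust record differs from a trusted root, and which distrust records have a corresponding certificate, the kind the commit message above says the "Servers" tab used to list. The sample entries are constructed, and pairing trust objects with certificates by label is a simplifying assumption.

```python
# Constructed sample in the layout of NSS's certdata.txt; labels, bytes and
# the trimmed attribute set are made up for illustration.
SAMPLE = r"""
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Look-Alike Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\012
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Look-Alike Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrust Without Cert"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

def parse_objects(text):
    """Split certdata-style text into one dict of attributes per object."""
    objects, in_octal = [], False
    for line in map(str.strip, text.splitlines()):
        if in_octal:                       # skip encoded bytes up to END
            in_octal = line != "END"
            continue
        parts = line.split(None, 2)        # name, type, value
        if line.startswith("#") or len(parts) < 2:
            continue
        if parts[1] == "MULTILINE_OCTAL":
            in_octal = True
        elif len(parts) == 3:
            if parts[0] == "CKA_CLASS":    # every object starts with CKA_CLASS
                objects.append({})
            if objects:
                objects[-1][parts[0]] = parts[2].strip('"')
    return objects

def distrust_records(text):
    """Return {label: has_certificate} for server-auth distrust records."""
    # Assumption: trust objects are paired with certificates by label here;
    # NSS itself pairs them by issuer and serial number.
    objs = parse_objects(text)
    certs = {o.get("CKA_LABEL") for o in objs if o["CKA_CLASS"] == "CKO_CERTIFICATE"}
    return {o.get("CKA_LABEL"): o.get("CKA_LABEL") in certs
            for o in objs
            if o["CKA_CLASS"] == "CKO_NSS_TRUST"
            and o.get("CKA_TRUST_SERVER_AUTH") == "CKT_NSS_NOT_TRUSTED"}
```

On the sample, only "Example Look-Alike Root" is a distrust record with a certificate attached; the trusted root is not reported at all.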

Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8f2f35a7f36d
only show certificates with corresponding error overrides in the "Servers" tab of the certificate manager r=kjacobs
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80

Not sure this is something that needs a last-minute uplift to Beta for Fx79 if it's been an issue since we shipped the new cert viewer in 71, but I'm thinking we might want to consider taking this on ESR78 during the next cycle since this could be more problematic for users updating from ESR68 and getting the new viewer for the first time.

Is this something we should consider uplifting to ESR78 or is fixing this on release good enough?

Flags: needinfo?(dkeeler)

Comment on attachment 9162928 [details]
Bug 1645492 - only show certificates with corresponding error overrides in the "Servers" tab of the certificate manager r?kjacobs

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Because the new certificate viewer doesn't show explicit distrust, listing the DigiNotar distrust entries in the certificate manager will cause confusion and concern among users. We should probably avoid this.
  • User impact if declined: Confused/concerned users
  • Fix Landed on Version: 80
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Small patch, has tests.
  • String or UUID changes made by this patch: none
Flags: needinfo?(dkeeler)
Attachment #9162928 - Flags: approval-mozilla-esr78?

Comment on attachment 9162928 [details]
Bug 1645492 - only show certificates with corresponding error overrides in the "Servers" tab of the certificate manager r?kjacobs

approved for 78.3

Attachment #9162928 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+
See Also: → 1737574