firefox should potentially clear remembered client authentication decisions upon signing failures
Categories
(Core :: Security: PSM, enhancement)
People
(Reporter: keeler, Unassigned)
Details
(Whiteboard: [psm-clientauth])
Attachments
(1 file)
142.42 KB,
application/x-zip-compressed
See bug 1669414. If a certificate corresponding to a saved authentication decision can't be found, Firefox should fall back to asking the user to select one rather than continuing the connection with no client certificate.
Reporter | Comment 1 • 4 years ago
I think my reasoning from bug 1669414 comment 18 was incorrect, since the OS API is making it look like the certificate is still available. At that point, the key not being available just looks like a signing failure to NSS. One thing we could do to address that is to clear (or offer to clear) remembered decisions and existing TLS sessions for the host the failure occurred with.
Hello.
Saw that the new Firefox beta version was released and was able to try it out.
Web browser: Firefox 90.0b5 (64-bit)
OS system: Windows 10 20H2 (19042)
Single smart-card usage works as expected and doesn't bring up any issues.
However, when trying to enter the same website with another smart card on the same computer, the requested authentication certificates are still taken from the previous user. It seems that Firefox can't properly filter which certificates are active and which ones are not. The only available solution for the inexperienced end user would be going to Firefox settings and removing all Authentication Decisions entries one by one, which is complicated and inconvenient for the average user, especially when there are many such websites.
If the option to save the certificate decision isn't displayed or is ticked by default, this would make the user believe that Firefox authentication doesn't work properly. The most common examples would be:
• multiple users on the same computer (not very experienced users) or service providers. For example, the client and provider have to authenticate on the same computer (e.g. banks, hospitals, police departments, etc.).
• If the user gets a new smart card because the old one expired.
• User has multiple smart cards.
Would it be possible to solve the problem described above before publishing this solution?
Reporter | Comment 3 • 3 years ago
The feature that remembers these decisions persistently shipped in Firefox 81 (bug 634697), so this has already been released. If Firefox is being used in a multi-user situation, it really should be configured to clear all settings between users (otherwise, there could be privacy/security issues). For individual users, one option is to not check the "remember this decision" checkbox (it can be set to not be checked by default by setting security.remember_cert_checkbox_default_setting to false in about:config).
Apologies for the delayed feedback.
Firefox version 89 (and probably previous ones) works with the "Remember this decision" checkbox if the reader has the same tab at all times. In this case, when you log in to the Web, a certificate selection dialog is displayed once on each page, which is the correct certificate already in the list of authentication decisions, and the certificate selection dialog is not available.
However, if another card is inserted into the reader, the Firefox repository in the previous card series will not be associated with the associated authentication decisions, which is not possible. Thus, the two cards can be used alternately without any worries.
Firefox Beta appears to be modifying the Windows certificate store. When you change the card, the certificate of the previous card remains there. As a result, the authentication decisions remain the selections made with the previous card in the list. And when you change the card, you can no longer log in with another card.
Clarification to previous comment:
If you click Cancel in the Firefox beta certificate selection window and leave the "Remember this decision" checkbox selected, the result will be "Send no client certificate" in the Authentication Decisions list and you will no longer be able to log in to this website with the card.
Picture 1 in attachment
Picture 2 in attachment
The solution is to delete this line from the Authentication Decisions list or delete the entire file.
Reporter | Comment 7 • 3 years ago
(In reply to Kristjan from comment #4)
Firefox Beta appears to be modifying the Windows certificate store. When you change the card, the certificate of the previous card remains there. As a result, the authentication decisions remain the selections made with the previous card in the list. And when you change the card, you can no longer log in with another card.
I believe Windows is the one modifying its certificate store (due to Firefox querying it for certificates). In any case, this is essentially the bug I described in comment 1.
(In reply to Kristjan from comment #6)
If you click Cancel in the Firefox beta certificate selection window and leave the "Remember this decision" checkbox selected, the result will be "Send no client certificate" in the Authentication Decisions list and you will no longer be able to log in to this website with the card.
Yes, this is how this interface currently behaves. See bug 1657588.
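The behaviour discussed in comment 1 (a signing failure for a remembered certificate should clear the remembered decision and TLS sessions for that host, then prompt again) and in comments 6 and 7 (Cancel with "Remember this decision" ticked stores "Send no client certificate") can be modelled in a few lines. The following is an added illustration written for this page; it is not Firefox or PSM code, and every name in it (ClientAuthState, choose_client_cert, complete_handshake, the card fingerprints "A" and "B", the host "bank.example") is a constructed stand-in for the real data structures.

```python
"""Hypothetical model of remembered client-auth decisions (not Firefox code).

Models: a per-host decision cache, an OS-provided certificate list that may
still list a card whose key is gone, and the two remediation paths from the
bug: fall back to prompting when the remembered cert is absent, and forget
the host's decision and sessions when signing with it fails.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

SEND_NO_CERT = "Send no client certificate"  # string shown in the decisions list


class SigningError(Exception):
    """The private key could not sign (e.g. the smart card was removed)."""


@dataclass
class ClientCert:
    fingerprint: str
    key_available: bool = True  # False models a card that is no longer inserted

    def sign(self, data: bytes) -> bytes:
        if not self.key_available:
            raise SigningError(self.fingerprint)
        return b"sig:" + self.fingerprint.encode() + b":" + data


@dataclass
class ClientAuthState:
    decisions: dict = field(default_factory=dict)  # host -> fingerprint or SEND_NO_CERT
    sessions: set = field(default_factory=set)     # hosts with resumable TLS sessions
    available: dict = field(default_factory=dict)  # fingerprint -> ClientCert (from the OS)

    def forget_host(self, host: str) -> None:
        """Clear the remembered decision and any cached TLS session for host."""
        self.decisions.pop(host, None)
        self.sessions.discard(host)


# prompt(host, fingerprints) -> (chosen cert or None for Cancel, remember flag)
Prompt = Callable[[str, list], tuple]


def choose_client_cert(state: ClientAuthState, host: str, prompt: Prompt) -> Optional[ClientCert]:
    remembered = state.decisions.get(host)
    if remembered == SEND_NO_CERT:
        return None  # remembered Cancel: connect silently with no client cert
    if remembered is not None:
        cert = state.available.get(remembered)
        if cert is not None:
            return cert
        # Proposed fallback from the bug description: the remembered cert is
        # gone, so drop the stale decision and ask the user instead.
        state.forget_host(host)
    choice, remember = prompt(host, list(state.available))
    if remember:
        state.decisions[host] = choice.fingerprint if choice else SEND_NO_CERT
    return choice


def complete_handshake(state: ClientAuthState, host: str, cert: ClientCert,
                       transcript: bytes) -> Optional[bytes]:
    """Sign the handshake; on failure apply comment 1's remedy and return None."""
    try:
        sig = cert.sign(transcript)
    except SigningError:
        state.forget_host(host)  # so the next attempt prompts for a cert again
        return None
    state.sessions.add(host)
    return sig


def run_two_card_scenario() -> dict:
    """Card A is remembered, then swapped for card B while the OS still lists A."""
    host = "bank.example"  # constructed host name
    card_a, card_b = ClientCert("A"), ClientCert("B")
    state = ClientAuthState(available={"A": card_a})
    pick_first = lambda h, fps: (state.available[fps[0]], True)

    first = choose_client_cert(state, host, pick_first)
    first_sig = complete_handshake(state, host, first, b"hello")

    # Swap cards: A's key is gone but A is still listed, B appears.
    card_a.key_available = False
    state.available["B"] = card_b
    stale = choose_client_cert(state, host, pick_first)  # still returns A
    failed = complete_handshake(state, host, stale, b"hello")
    cleared = host not in state.decisions and host not in state.sessions
    second = choose_client_cert(state, host, lambda h, fps: (card_b, True))
    return {"first": first.fingerprint, "first_sig": first_sig, "stale": stale.fingerprint,
            "failed": failed, "cleared": cleared, "second": second.fingerprint}


def run_cancel_scenario() -> dict:
    """Cancel with 'remember' ticked stores SEND_NO_CERT (comments 6 and 7)."""
    state = ClientAuthState(available={"A": ClientCert("A")})
    cancelled = choose_client_cert(state, "h", lambda h, fps: (None, True))
    stored = state.decisions["h"]
    later = choose_client_cert(state, "h", lambda h, fps: (state.available["A"], True))
    return {"cancelled": cancelled, "stored": stored, "later": later}


if __name__ == "__main__":
    print(run_two_card_scenario())
    print(run_cancel_scenario())
```

The two-card scenario shows why the description's fallback alone is not enough: the OS still lists card A, so the lookup succeeds and only the signing step reveals the problem, which is where comment 1's "forget the host" remedy applies. The cancel scenario reproduces the "Send no client certificate" entry that comment 6 describes, which this model (like the current interface) then honours silently until it is removed.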