Closed
Bug 176507
Opened 20 years ago
Closed 16 years ago
Certificates added without warning or confirmation
Categories
(Core Graveyard :: Security: UI, enhancement, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
mozilla1.8.1beta1
People
(Reporter: twb0, Assigned: KaiE)
Details
(Keywords: fixed1.8.1, Whiteboard: [kerh-coa])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2b) Gecko/20021016
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2b) Gecko/20021016

After requesting a THAWTE personal E-mail certificate, they E-mail you with a URL where you can "pick up" and install your certificate. Clicking on this URL opens a new browser window and installs the certificate with absolutely no confirmation, warning, or other indication about the success/failure of the operation. While the security risk is probably not substantial (i.e. you probably can't install an arbitrary certificate because your private key won't match), it should at least be looked into to reassure the user that their certificate installation has either succeeded or failed.

Reproducible: Always

Steps to Reproduce:
1. Request digital certificate from CA such as www.thawte.com
2. Click on URL E-mailed to you by the CA

Actual Results: Certificate is installed successfully, but no indication of this is shown.

Expected Results: Either a warning dialog should open (i.e. "Do you want to install the certificate xxxxx?") or at least a confirmation in the status bar should be displayed (i.e. "Certificate xxxx installed.").
Comment 1•20 years ago
->PSM
Assignee: mstoltz → ssaux
Component: Security: General → Client Library
Product: Browser → PSM
QA Contact: bsharma → junruh
Version: Trunk → 2.4
Comment 2•20 years ago
Confirming. A personal cert is added to your cert DB with no dialogs appearing.
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 2000 → All
Priority: -- → P5
Hardware: PC → All
Assignee
Comment 3•20 years ago
The question is: "Is it a back that no feedback is given" (like you are suggesting) or "It would be a feature if we gave the user an additional feedback". On the one hand, I think it would be a good idea to do what this bug suggests, and always give at least some small feedback to the user. On the other hand, in past discussions it has been argued that issuing certificate authorities want to customize the feedback they give when delivering a certificate to a user. Some CAs are doing that by using a delivery page that is a multipart type page, which delivers HTML content for display at the same time the certificate content type is delivered (and imported by the security engine).
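The delivery style described in the comment above, as an added example that is not part of the original bug or of PSM's code: a Python check that a proxy or test harness could run to tell whether a response that triggers a certificate import also carries an HTML part. The function name, the `multipart/mixed` framing, the listed MIME type names and the sample body are assumptions constructed here.

```python
from email import message_from_bytes

# MIME types that hand a response part to the browser's certificate importer.
# Assumption: these Netscape-style type names are not quoted in the bug itself.
CERT_IMPORT_TYPES = {
    "application/x-x509-user-cert",
    "application/x-x509-ca-cert",
    "application/x-x509-email-cert",
}


def audit_response(content_type: str, body: bytes) -> dict:
    """Classify a response: does it import a cert, and does it show a page?"""
    # Re-frame the HTTP entity as a MIME message so the stdlib parser splits it.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = message_from_bytes(raw)
    # walk() yields the root too, so a bare (non-multipart) response is one leaf.
    leaf_types = [p.get_content_type() for p in msg.walk() if not p.is_multipart()]
    cert_parts = [t for t in leaf_types if t in CERT_IMPORT_TYPES]
    html_feedback = "text/html" in leaf_types
    if not cert_parts:
        verdict = "no-cert"
    elif html_feedback:
        verdict = "cert-with-page-feedback"  # the CA supplies its own message
    else:
        verdict = "cert-silent"  # the case this bug reports
    return {"cert_parts": cert_parts, "html_feedback": html_feedback,
            "verdict": verdict}


# Constructed sample: a CA delivery page in the multipart style described above.
SAMPLE_CT = 'multipart/mixed; boundary="BOUNDARY"'
SAMPLE_BODY = (
    b"--BOUNDARY\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>Your certificate has been installed.</body></html>\r\n"
    b"--BOUNDARY\r\n"
    b"Content-Type: application/x-x509-user-cert\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"Q09OU1RSVUNURUQ=\r\n"  # placeholder payload, not a real certificate
    b"--BOUNDARY--\r\n"
)

if __name__ == "__main__":
    print(audit_response(SAMPLE_CT, SAMPLE_BODY))
    print(audit_response("application/x-x509-user-cert", b"CONSTRUCTED"))
```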
Assignee
Comment 4•20 years ago
Oops, in the previous comment I wrote "Is it a back...", but of course I meant "Is it a bug...".
Comment 5•20 years ago
Setting to Future. Related to bug 184659, bug 184662 and bug 184663.
Target Milestone: --- → Future
Comment 7•19 years ago
Mass change "Future" target milestone to "--" on bugs that now are assigned to nobody. Those targets reflected the prioritization of past PSM management. Many of these should be marked invalid or wontfix, I think.
Target Milestone: Future → ---
Comment 8•18 years ago
I agree. I did this myself and I thought it didn't load right or something when getting my Thawte Cert. There should be at least some sort of dialog box that pops up. Voted. My $0.02.
Updated•17 years ago
Flags: blocking-aviary1.1?
Updated•17 years ago
Flags: blocking-aviary1.1? → blocking-aviary1.1-
Updated•17 years ago
Flags: blocking-aviary2.0?
Comment 9•17 years ago
Are we going to add this popup/dialog for 2.0?
Comment 10•17 years ago
Feedback would be good, but I'm not sure that a dialog is necessary. Bumping nomination to core, reassigning to defaults.
Assignee: nobody → kengert
Flags: blocking-aviary2? → blocking1.8.1?
QA Contact: junruh
Assignee
Updated•17 years ago
Whiteboard: [kerh-coz]
Need some kind of feedback in 1.8.1, if not indeed actual user permission (!). Blocker+
Flags: blocking1.8.1? → blocking1.8.1+
Assignee
Comment 12•16 years ago
*** Bug 308857 has been marked as a duplicate of this bug. ***
Assignee
Comment 13•16 years ago
Bug 310446 has a patch that will supply user feedback for various cert import actions.
Depends on: 310446
Comment 14•16 years ago
Please see bug 308857 for more background on this bug. Kai, I suggest you take this up with Bob Lord and perhaps Steve Parkins. Bob was the manager of PSM at the time when PSM was changed to work as it does now, and I believe it was he who specified the way it now works. Further, IIRC, the first CA product to make use of the new technique for providing feedback in web page content itself, rather than in browser dialogs was CMS. So I think you're rather directly connected to the people to whom it matters most (or to whom it once mattered most) how mozilla notifies the users.
Comment 15•16 years ago
We need to make sure we think through the request in the context of the apps that we have today. Back when this bug was filed, we had a single client for browsing and email. That meant to retrieve your certificate from the CA, you could use your browser to search for it, and then click on a link to import it. Or the CA would send you an email with a browser link. You'd click on the email link, the browser would open and import the certificate. In both cases, the mail client would be able to use the cert because it was in the same process as the browser. Today we have different apps, with separate databases. We're working to re-unify the databases, but that won't happen until the end of 2006 at the soonest. This issue may or may not be directly related to the bug 338615 which I just filed.
Assignee
Comment 16•16 years ago
Discussed with Bob Lord and Steve Parkinson. They agree it is ok to reintroduce the confirmation dialog. Let's see if I can get in additional feedback messages for cert-import-attempts being ignored, bug 310446. Because this has been marked by Shaver as a blocker for 1.8.1, but we are too late for new IDL, our feedback messages will have to be done in a non-embedding-overridable-fashion, at least in the initial implementation. This will get fixed first, therefore changing depends on bug 310446 to blocks bug 310446.
Assignee
Comment 17•16 years ago
Fixed on trunk using patch attached in bug 310446.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Assignee
Updated•16 years ago
Keywords: fixed1.8.1
Updated•6 years ago
Product: Core → Core Graveyard