1820628 - client authentication certificates: consider not isolating based on server certificate

Status: RESOLVED FIXED

(Core :: Security: PSM, enhancement, P3)

Description

[Ralf G. R. Bergs]

I have this in the latest Thunderbird "production" release, running on Windows 11.

There's many entries on the "Authentication Decisions" tab, for the same host, with a "Certificate Name" of "Send no client certificate"

It's very annoying to repeatedly have to "Cancel" the prompt for a client cert. ;-(

Comment 1

[Ralf G. R. Bergs]

Sorry, I expected there would be a link to the ticket from which I created this new bug.

This is the ticket that has the original issue.

Comment 2

[Dana Keeler (she/her) (use needinfo) [:keeler]]

In your profile, there should be a file called ClientAuthRememberList.txt - can you attach that to this bug or send it to me via email? Thanks!

Comment 3

[Ralf G. R. Bergs]

Attachment: ClientAuthRememberList.txt

@keeler Let me know if you need anything else.

Comment 4

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Thanks! Firefox is remembering your decisions, but on a per-server-certificate basis. If a domain name corresponds to a number of possible servers (each with a different certificate), then Firefox considers each one to be different for the purposes of remembering which certificate to send (if any). Most of our trust decisions are based on origin (domain, roughly), so I'm not sure it makes sense to additionally partition by server certificate here.

Comment 5

[Ralf G. R. Bergs]

Thanks. I already suspected something to that extent, but I was not 100% clear what's happening. I think I now got it:

The hostname resolves to multiple IP addresses, probably based on DNS latency/"proximity". As there's many IP addresses behind any of the 2 hosts I'm currently using for IRC, the chance is high that I hit an IP address that I've never visited.

Each IP address belongs to a different host, with a different certificate. The certificate has a SAN with the host's "primary" name plus the "standard" IRC name that is identical for all servers.

Is that about correct?

I think it would be a benefit to users to properly handle this, so that only a single action not to send any client cert is required.

Also, I believe that UX-wise it was a bad decision to save anything when clicking "Cancel". For me "Cancel" means "abort, do not do anything that has a permanent effect," especially "don't save anything." Not sure whether this sounds weird, but I strongly feel the current design is "wrong."

I believe there should be a checkbox "[ ] Do not use any client certificate". When the user checks this, the client cert selection box should be greyed out. When the user then clicks "Ok", the same should happen what you currently do to persist this choice.

Does this make sense?

Comment 6

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Attachment: Bug 1820628 - don't use server certificates to partition remembered client auth certificate decisions r?jschanck

Previously, remembered client authentication certificate decisions would be
partitioned by server certificate (as well as domain, obviously). This led to
unexpected behavior whereby a user could connect to the same domain multiple
times and be asked each time to choose a client certificate (given that a
single domain could be backed by multiple servers each with a different
certificate).

Comment 7

[Pulsebot]

Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6924b00a0ca5
don't use server certificates to partition remembered client auth certificate decisions r=jschanck

Comment 8

[Noemi Erli[:noemi_erli]]

https://hg.mozilla.org/mozilla-central/rev/6924b00a0ca5