Closed Bug 1966033 Opened 1 year ago Closed 11 months ago

unexpected client auth certificate request dialogs on android

Categories

(Core :: Security: PSM, defect, P1)

Product:
Core
Component:
Security: PSM
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
140 Branch
Tracking Flags:
Tracking Status
firefox-esr128 --- unaffected
firefox138 --- wontfix
firefox139 --- wontfix
firefox140 --- fixed

People

(Reporter: tschuster, Assigned: keeler)

References

(Regression,
URL
)

Details

(Keywords: regression, Whiteboard: [psm-assigned])

Attachments

(1 file)

Bug 1966033 - pass the list of acceptable issuers through to the android API for client auth certs r?jschanck
48 bytes, text/x-phabricator-request
Details

Someone on reddit reported that Firefox is now requesting a client certificate on multiple websites. The certificate name is "FindMyPhone". I doubt this is supposed to be used as a normal client certificate for websites.

I think there are some more other reports like https://www.reddit.com/r/firefox/comments/1kekg2o/need_help_after_update_on_mobile/.

Set release status flags based on info from the regressing bug 1813930

:keeler, since you are the author of the regressor, bug 1813930, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

status-firefox138: --- → affected
status-firefox139: --- → affected
status-firefox140: --- → affected
status-firefox-esr128: --- → unaffected
Flags: needinfo?(dkeeler)
Summary: Certificate request for FindMyPhone → Client certificate request for FindMyPhone
Assignee: nobody → dkeeler
Severity: -- → S4
Flags: needinfo?(dkeeler)
Priority: -- → P1
Whiteboard: [psm-assigned]
Summary: Client certificate request for FindMyPhone → unexpected client auth certificate request dialogs on android
See Also: → 1966922

This is the last week of Nightly for Fx140 before it goes to Beta.

:dana, do you think you'll land a fix for Fx140 before it goes to beta?

Flags: needinfo?(dkeeler)

I'm certainly going to try - I'll ping the remaining reviewers today.

Flags: needinfo?(dkeeler)
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2c0ecc169e46 pass the list of acceptable issuers through to the android API for client auth certs r=jschanck,geckoview-reviewers,geckoview-api-reviewers,ohall,owlish

https://hg.mozilla.org/mozilla-central/rev/2c0ecc169e46

Status: NEW → RESOLVED
Closed: 11 months ago
status-firefox140: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 140 Branch

The patch landed in nightly and beta is affected.
:keeler, is this bug important enough to require an uplift?

For more information, please visit BugBot documentation.

Flags: needinfo?(dkeeler)

Well, I would say yes, but this didn't make it in time to get into a beta (we release next week, right?), so I think it'll just have to ride the trains.

status-firefox139: affectedwontfix
Flags: needinfo?(dkeeler)
QA Whiteboard: [qa-triage-done-c141/b140]
Duplicate of this bug: 1964286
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: