Versions starting with 140.0.0 break YubiKey 2FA authentication on sites with a certificate exception
Categories
(Core :: DOM: Web Authentication, defect, P3)
Tracking
| Branch | Tracking | Status |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr140 | --- | wontfix |
| firefox146 | --- | wontfix |
| firefox147 | --- | fixed |
People
(Reporter: mhanck, Assigned: jschanck)
References
(Regression)
Details
(Keywords: regression)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
Steps to reproduce:
Example:
- Access my internal NAS Administration URL
- Enter my User ID (on the website Login page)
- Enter my password (on the website Login page)
- Enter my security key (YubiKey) PIN (on the Windows Security "Making sure it's you" dialogue)
Actual results:
Error "Something went wrong" is displayed (on the Windows Security "Making sure it's you" dialogue). This occurs in all releases starting with 140.0.0. Reverting to 139.0.4 (and reloading the Profile) restores expected function.
Expected results:
Prompt to "Touch your security key." (on the Windows Security "Making sure it's you" dialogue) - Security 003.jpg attachment shows expected dialogues - screenshot from Firefox 139.0.4.
Comment 1•9 months ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•9 months ago
The severity field is not set for this bug.
:jschanck, could you have a look please?
For more information, please visit BugBot documentation.
Comment 3•9 months ago
I'm guessing that your NAS' login page serves a self-signed certificate, and that you add an override using the "Accept the risk and continue" UI?
In Bug 1954033 we blocked the use of WebAuthn when a certificate error override is in place. As a temporary workaround, you may be able to add the NAS' certificate as an authority (https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox).
Updated•9 months ago
RE: "I'm guessing that your NAS' login page serves a self-signed certificate, and that you add an override using the "Accept the risk and continue" UI?"
Yep, it was and I had done so. Rather than executing a temporary work-around I chose to install a trusted certificate.
Thanks for the help.
Comment 5•8 months ago
John: this turned out to be intentionally broken as you guessed. Unless there's already a bug on file to improve the experience, should we morph this bug into that? For example:
- If we're not going to allow it, it would be nice to abort earlier, before we talk to the authenticator and bring up the associated UI (ours or the OS's).
- If we did that it might just fail silently. Would it be appropriate to show a more visible error? I'm not sure what, though, since anything could be abused to annoy people. Hopefully we at least have an error message on the web console.
Please (please, please) DO NOT fail silently and DO display (or log) an error. Since this is a security thing, the User should know that this is intentional. Just my two cents.
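The two comments above ask for the failure to be surfaced rather than swallowed. The browser side of that is Firefox's to fix, but a relying party's login page can make sure its own side never goes silent either. The following is an added example, not Firefox code and not from this bug or the reporter's NAS: it wraps the `navigator.credentials.get()` call so that every outcome (pre-flight refusal, rejected promise, empty result) is returned as a structured result, shown to the user through a `notify` callback, and written to the console through a `log` callback. The `deps` object, the `fakeCredentials` stand-in and the message texts are assumptions made so the code runs outside a browser; the DOMException names are the ones the WebAuthn API specifies. Which exception Firefox raises when it blocks WebAuthn behind a certificate exception is not stated in the bug, and this example assumes script cannot tell a certificate-exception page from a trusted one, so the certificate hint is attached to the generic failure path rather than to a specific error name.

```javascript
// Added example (not Firefox code, not from this bug): relying-party page
// logic that never lets a failed security-key sign-in go silent.
// In a real page the caller would pass:
//   { credentials: navigator.credentials, isSecureContext: window.isSecureContext,
//     notify: showBanner, log: console.error }
// The dependency-injection shape is an assumption made so this runs offline.

// WebAuthn DOMException names mapped to messages a user can act on.
// The texts are constructed for this example.
const FAILURE_MESSAGES = {
  NotAllowedError:
    "The browser or authenticator refused the request. Check that the key is " +
    "registered for this site and that the site's certificate is trusted.",
  SecurityError:
    "This page is not a secure context, or its domain does not match the " +
    "site the key was registered for.",
  AbortError: "The request was cancelled or timed out.",
  InvalidStateError: "The authenticator is in an unexpected state.",
  NotSupportedError: "This browser or platform does not support the requested options.",
};

function describeWebAuthnFailure(err) {
  const name = err && typeof err.name === "string" ? err.name : "Error";
  const text = FAILURE_MESSAGES[name];
  if (text) return text;
  // Generic path: the certificate-exception case lands here unless the
  // browser reports it under one of the names above (not stated in the bug).
  return `Security key sign-in failed (${name}). If this site was opened with ` +
    "a certificate exception, install a trusted certificate instead.";
}

// Checks that can be made before touching the authenticator at all,
// mirroring the "abort earlier" suggestion in the thread.
function preflightWebAuthn({ isSecureContext, credentials }) {
  if (!isSecureContext) {
    return { ok: false, reason: "insecure-context",
             message: "Security keys require an HTTPS page." };
  }
  if (!credentials || typeof credentials.get !== "function") {
    return { ok: false, reason: "unsupported",
             message: "This browser does not support security keys." };
  }
  return { ok: true };
}

async function signInWithSecurityKey(publicKeyOptions, deps) {
  const { credentials, notify, log } = deps;
  const pre = preflightWebAuthn(deps);
  if (!pre.ok) {
    notify(pre.message);
    log(`webauthn: ${pre.reason}: ${pre.message}`);
    return pre;
  }
  try {
    const assertion = await credentials.get({ publicKey: publicKeyOptions });
    if (!assertion) {
      const message = "No credential was returned by the authenticator.";
      notify(message);
      log("webauthn: empty-result");
      return { ok: false, reason: "empty-result", message };
    }
    return { ok: true, assertion };
  } catch (err) {
    const message = describeWebAuthnFailure(err);
    notify(message);
    log(`webauthn: ${err && err.name}: ${err && err.message}`);
    return { ok: false, reason: (err && err.name) || "Error", message };
  }
}

// Constructed stand-in for navigator.credentials that rejects with the given
// DOMException name, so the flow can be exercised without a browser or key.
function fakeCredentials(errorName) {
  return {
    get() {
      const err = new Error(`simulated ${errorName}`);
      err.name = errorName;
      return Promise.reject(err);
    },
  };
}

// Demo: a refusing authenticator; collects what the user saw and what was logged.
async function demo() {
  const shown = [], logged = [];
  const result = await signInWithSecurityKey(
    { challenge: new Uint8Array(32), rpId: "nas.example" }, // constructed options
    { credentials: fakeCredentials("NotAllowedError"), isSecureContext: true,
      notify: (m) => shown.push(m), log: (m) => logged.push(m) });
  return { result, shown, logged };
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((out) => console.log(JSON.stringify(out, null, 2)));
}
```

Running the block prints a result with `ok: false`, `reason: "NotAllowedError"`, exactly one message shown to the user and one console line, which is the behaviour the reporter asked for: the user learns that the sign-in was refused rather than staring at a dialog that closed for no visible reason.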
Comment 9•5 months ago
Updated•5 months ago
Comment 10•5 months ago
Comment 11•5 months ago
Updated•5 months ago
Comment 12•4 months ago
Do we need this on ESR140? Please nominate if yes.
Comment 13•4 months ago
The patch doesn't graft cleanly onto esr140, and there is a workaround (Comment 3). So I'm not going to nominate this for 140 unless we hear about a significant need for it.
Updated•4 months ago