Possible to export cert with empty password

RESOLVED WORKSFORME

Status

--
minor
RESOLVED WORKSFORME
15 years ago
2 years ago

People

(Reporter: patryk, Unassigned)

Tracking

Other Branch
x86
Windows 2000

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [kerh-coz])

Attachments

(1 obsolete attachment)

(Reporter)

Description

15 years ago
User-Agent:       
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040113

It is possible to export user's own certificates with an empty password. The
Export dialog box doesn't check if the user erased typed password with
backspace, thus not graying out OK button.

Reproducible: Always
Steps to Reproduce:
1. Preferences
2. Privacy and Security
3. Certificates
4. Your certificates
5. (Select some certificates)
6. Backup Copy
7. (put some password and then erase it with backspace)
Actual Results:  
The OK button is not grayed out, user is able to save certificates to disk with
no password.

Expected Results:  
OK Button grayed out.
(Reporter)

Updated

15 years ago
Summary: When making backup of Certificate it is possible to export woth empty password → When making backup of Certificate it is possible to export with empty password

Updated

15 years ago
Severity: normal → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: When making backup of Certificate it is possible to export with empty password → Possible to export cert with empty password
The culprit is mozilla/security/manager/pki/resources/content/password.js
in
function checkPasswords()

The condition here
  if (pw1 == pw2){
    ok.setAttribute("disabled","false");

should be changed to
  if ((pw1.length > 0) && (pw1 == pw2))
Status: NEW → ASSIGNED
Created attachment 174178 [details] [diff] [review]
Patch v1

This patch fixes the problem for me.

Updated

14 years ago
Attachment #174178 - Flags: review?(neil.parkwaycc.co.uk)
Comment on attachment 174178 [details] [diff] [review]
Patch v1

This will prevent you from changing your master password to blank, as that
dialog uses the same function. I assume that wasn't intentional?
Attachment #174178 - Flags: review?(neil.parkwaycc.co.uk) → review-

Updated

14 years ago
Attachment #174178 - Attachment is obsolete: true
You're right, I was not intending a side effect for the master password behaviour.
But this throws up another question. 

If we already allow an empty master password,
why should we forbid to export a certificate with no password?

We probably should be consistent.

Either we protect users from making bad decisions (which we obviously do not -
since we allow the empty master password)

or we should allow empty passwords when exporting, too.

Comment 5

14 years ago
I see no problem with allowing an empty password for export.
(Reporter)

Comment 6

14 years ago
But I do ... there is an inconsistence in the dialog handling, at start, the OK
button is disabled, later - enabled. I think it should be disabled all the time,
when the user attempts to export with no password. Sometimes, someone else has
to decide what is good for user.

Updated

14 years ago
Component: Security: UI → Security: UI
Product: PSM → Core
(Reporter)

Comment 7

14 years ago
Anything is going with this bug?
I see that firefox currently:
- enables the OK button all the time
- allows the empty password

Ok, what about the following salomonic solution?

Let's do the same in Seamonkey, however, when the user selects the empty password, let's show an additional warning dialog box. If the user confirms the use of the empty password, fine. Otherwise we go back and the user can use a better one.

Updated

13 years ago
Whiteboard: [kerh-coz]
*** Bug 342387 has been marked as a duplicate of this bug. ***
It's ok for me, do not disable the OK button, but add an extra warning just to be sure that leaving blank is intentional.
QA Contact: bmartin → ui
reassign bug owner.
mass-update-kaie-20120918
Assignee: kaie → nobody

Updated

4 years ago
Status: ASSIGNED → NEW

Updated

4 years ago
Duplicate of this bug: 1171222
AFAICT from comment 8, Firefox behaves the way we want it to right now. If Seamonkey wants to change the behavior, they'll have to do so in their tree.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WORKSFORME
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.