Closed
Bug 234776
Opened 21 years ago
Closed 8 years ago
Possible to export cert with empty password
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: patryk, Unassigned)
References
Details
(Whiteboard: [kerh-coz])
Attachments
(1 obsolete file)
User-Agent: Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040113 It is possible to export user's own certificates with an empty password. The Export dialog box doesn't check if the user erased typed password with backspace, thus not graying out OK button. Reproducible: Always Steps to Reproduce: 1. Preferences 2. Privacy and Security 3. Certificates 4. Your certificates 5. (Select some certificates) 6. Backup Copy 7. (put some password and then erase it with backspace) Actual Results: The OK button is not grayed out, user is able to save certificates to disk with no password. Expected Results: OK Button grayed out.
Reporter | ||
Updated•21 years ago
|
Summary: When making backup of Certificate it is possible to export woth empty password → When making backup of Certificate it is possible to export with empty password
Updated•20 years ago
|
Severity: normal → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: When making backup of Certificate it is possible to export with empty password → Possible to export cert with empty password
Comment 1•20 years ago
|
||
The culprit is mozilla/security/manager/pki/resources/content/password.js in function checkPasswords() The condition here if (pw1 == pw2){ ok.setAttribute("disabled","false"); should be changed to if ((pw1.length > 0) && (pw1 == pw2))
Status: NEW → ASSIGNED
Comment 2•20 years ago
|
||
This patch fixes the problem for me.
Updated•20 years ago
|
Attachment #174178 -
Flags: review?(neil.parkwaycc.co.uk)
Comment 3•20 years ago
|
||
Comment on attachment 174178 [details] [diff] [review] Patch v1 This will prevent you from changing your master password to blank, as that dialog uses the same function. I assume that wasn't intentional?
Attachment #174178 -
Flags: review?(neil.parkwaycc.co.uk) → review-
Updated•20 years ago
|
Attachment #174178 -
Attachment is obsolete: true
Comment 4•20 years ago
|
||
You're right, I was not intending a side effect for the master password behaviour. But this throws up another question. If we already allow an empty master password, why should we forbid to export a certificate with no password? We probably should be consistent. Either we protect users from making bad decisions (which we obviously do not - since we allow the empty master password) or we should allow empty passwords when exporting, too.
Comment 5•19 years ago
|
||
I see no problem with allowing an empty password for export.
Reporter | ||
Comment 6•19 years ago
|
||
But I do ... there is an inconsistence in the dialog handling, at start, the OK button is disabled, later - enabled. I think it should be disabled all the time, when the user attempts to export with no password. Sometimes, someone else has to decide what is good for user.
Reporter | ||
Comment 7•19 years ago
|
||
Anything is going with this bug?
Comment 8•19 years ago
|
||
I see that firefox currently: - enables the OK button all the time - allows the empty password Ok, what about the following salomonic solution? Let's do the same in Seamonkey, however, when the user selects the empty password, let's show an additional warning dialog box. If the user confirms the use of the empty password, fine. Otherwise we go back and the user can use a better one.
Updated•19 years ago
|
Whiteboard: [kerh-coz]
Comment 9•18 years ago
|
||
*** Bug 342387 has been marked as a duplicate of this bug. ***
Comment 10•18 years ago
|
||
It's ok for me, do not disable the OK button, but add an extra warning just to be sure that leaving blank is intentional.
Updated•17 years ago
|
QA Contact: bmartin → ui
Updated•9 years ago
|
Status: ASSIGNED → NEW
AFAICT from comment 8, Firefox behaves the way we want it to right now. If Seamonkey wants to change the behavior, they'll have to do so in their tree.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
Assignee | ||
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•