Closed Bug 251690 Opened 20 years ago Closed 8 years ago

Client Certificate installs without notification (feedback) to user

Categories

(Core Graveyard :: Security: UI, defect)

Version: Other Branch
Platform: x86, Windows 2000
Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: aerowolf, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [sg:want P2][kerh-ehz])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2

At Thawte.com's personal email certificate system, I requested a certificate for
Netscape/Mozilla.  After the typical half hour, I then went to the URL that was
specified for me to obtain the certificate and install it.  I went there, and I
got a completely blank page.  Confused, I refreshed a few times, then attempted
various ways to get the certificate installed.

Finally, I checked the Options dialog to find that the certificate had already
been installed.

I would like to see a dialog that informs the user that a personal certificate
was installed because it matched a private key already created.  (I've not seen
an incorrect certificate installation attempt, so I don't know if there is one.)

Reproducible: Always
Steps to Reproduce:
1. Go to thawte.com, select 'log in to Personal Email Certificates'
2. Log in
3. Request a certificate with default options
4. Wait for email from Thawte indicating that the certificate was issued
5. Go to the URL in the email to get the certificate.

Actual Results:  
Browser indicated it was active, then stopped, no error, blank page.

Expected Results:  
Dialog should pop up stating that a certificate was installed, because it
matched a private key already generated.
Check out bug #249004!
Assignee: firefox → kaie
Component: Preferences → Client Library
Product: Firefox → PSM
QA Contact: mconnor
At the time the current code was developed, it was decided that it is
appropriate to NOT give a user feedback, because large CAs wanted to have their
own user feedback as part of the web page that delivers the certificate.

Your CA could deliver a webpage of mime type multipart, one part being the cert,
one a web page to display.

I'm writing that to explain the current behaviour.

Personally, I'd prefer to show a feedback message, too.
re comment #2: That is the most irresponsible security-related decision I've
ever heard of.  The CA does not have control over the user's browser -- only the
user does.  Since the user is also the one who's responsible for the safety and
appropriateness of their own certificate store, it's absolutely imperative that
the user be informed of changes to their store, especially adding certificates.

In addition, the certificate that is requested from the CA very often differs
from the original request in some manner.  (I'm reminded of the old 'passphrase'
concept that was used by e.g. Verisign to validate the certificate for retrieval
-- it was stripped out of the CSR during the signing, but it had to be there in
the CSR or else it would never be signed.)  It is absolutely the user's
responsibility to ensure that the certificate says what it is supposed to say,
since computers are not infallible.  (Imagine having an identity-verified Thawte
Freemail cert account and then receiving, through some bug in their system, a
certificate that says "Thawte Freemail Member".)

It makes /much/ more sense to verify that on the client side, since it's the
client side that actually has to use the data that's provided by the server.  

(As well, Microsoft can use this argument -- "data can be added to the subsystem
that is supposed to hold the most critical authentication-related information
without any user intervention" -- as a means of FUD propaganda.  And I can't
really say that I would disagree with them.)

So.  Who do I have to convince that this is truly a problem?

(And if I can't convince that it's a problem, how do I get this marked as
'advocacy' so that pressure can be put on Thawte to introduce new bugs into
their system by changing its well-documented and well-tested behavior to include
the multipart page on certificate retrieval?)
> So.  Who do I have to convince that this is truly a problem?

Donating resources is the best way to get something done.

Status: UNCONFIRMED → NEW
Ever confirmed: true
*** Bug 272028 has been marked as a duplicate of this bug. ***
Summary: Client Certificate installs without notification to user → Client Certificate installs without notification (feedback) to user
The right place to add a visual feedback to user is:
  PSMContentDownloader::OnStopRequest

One could check the result here
  case PSMContentDownloader::X509_USER_CERT:
    return certdb->ImportUserCertificate((PRUint8*)mByteData, mBufferOffset, ctx);
and fire up a feedback to the user.

However, assigning to nobody, to make it clear I don't currently have time to
work on it.
Assignee: kaie → nobody
Product: PSM → Core
Whiteboard: [kerh-ehz]
from bug 186192

http://wp.netscape.com/eng/security/comm4-cert-download.html

In the description of the application/x-x509-user-cert, it says that if the
private key is missing, an error dialog is generated. I have tested this several
times and it doesn't happen.

Also, I guess by now I understand the purpose of this MIME type: It appears to
be used if a user has uploaded a certificate signing request (CSR) and the CA after
signing will send back the signed certificate? If so, it would be great to add a
statement to this effect to the spec (see URL above).

Indeed, AFAIK, the only reason that mozilla has separate
application/x-x509-user-cert and application/x-x509-email-cert MIME types
is for additional error handling UI in the event that the user does not
have the private key for the cert being downloaded.
*** Bug 186192 has been marked as a duplicate of this bug. ***
from bug 184662

http://www.privasphere.org/keys/x509/RHpub.cer_mu

click on the above URL and the only thing that happens is that the personal
security manager asks me for my password.

I assume that the certificate is imported, but for me as a user, it would be
helpful if
1) It would be displayed what the certificate is about (purpose, issued to,
validity, etc.).
2) to which tab of my security manager (Your certificates, Other people's,
Websites, Authorities) the certificate will go
3) Provide me with the options (Import - Save As - Cancel)

*** Bug 184662 has been marked as a duplicate of this bug. ***
the situation has somewhat improved over the last 3 years and the URL got slightly changed...
https://bugs.privasphere.com:8443/keys/x509/RHpub.cer
or https://www.privasphere.com/keys/x509/RHpub.cer
QA Contact: ui
what level of trust does the installed cert have if it is issued by a self-signed/untrusted CA - this is clearly possible?

another possibility is somehow forcing the user to generate a weak key, break the key and give the user a self-signed cert
Keywords: privacy
Whiteboard: [kerh-ehz] → [sg:want P2][kerh-ehz]
is it easily doable to have the luser possess a weak rsa private key (say < 150 bits modulus) and then serve him a user cert with suitable content type?
Blocks: 475881
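The following is an added example, not PSM/Mozilla code: it performs the same step as the ImportUserCertificate call named earlier (match the delivered cert's public key against private keys generated locally) but returns the feedback asked for in the comments above (subject, issuer, validity, destination tab) and refuses a cert for a weak RSA key instead of importing silently. MinRSABits, the ImportReport type, the constructed test CA and the "weak" threshold are assumptions for this example only.

```go
// Added example, not PSM/Mozilla code: what a browser could check and tell the user on application/x-x509-user-cert.
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const MinRSABits = 2048 // assumed local policy, not a PSM setting

// ImportReport is the feedback the bug asks for: what the cert is, where it would go, and why it was refused.
type ImportReport struct {
	Subject, Issuer, Destination, Error string
	NotBefore, NotAfter                 time.Time
	KeyMatched, SelfSigned              bool
}

// ClassifyUserCert matches the cert's public key to a locally generated private key and reports the outcome.
func ClassifyUserCert(der []byte, keys []*rsa.PrivateKey) ImportReport {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return ImportReport{Error: "not a parsable X.509 certificate"}
	}
	r := ImportReport{Subject: cert.Subject.String(), Issuer: cert.Issuer.String(),
		NotBefore: cert.NotBefore, NotAfter: cert.NotAfter}
	r.SelfSigned = r.Subject == r.Issuer // crude flag for the untrusted-issuer question
	pub, _ := cert.PublicKey.(*rsa.PublicKey)
	for _, k := range keys {
		r.KeyMatched = r.KeyMatched || (pub != nil && pub.Equal(&k.PublicKey))
	}
	switch {
	case pub == nil:
		r.Error = "unsupported public key type"
	case !r.KeyMatched:
		r.Error = "no private key matches this certificate; nothing imported"
	case pub.N.BitLen() < MinRSABits:
		r.Error = "certificate is for a weak RSA key; refused"
	default:
		r.Destination = "Your Certificates" // the tab it would land in
	}
	return r
}

// IssueUserCertDER stands in for the CA: a constructed cert for userPub, signed by caKey (assumed test CA).
func IssueUserCertDER(caKey *rsa.PrivateKey, userPub *rsa.PublicKey, cn, caName string) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, &x509.Certificate{Subject: pkix.Name{CommonName: caName}}, userPub, caKey)
}
```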
From my reading of the code, we do show an alert message that something happened now.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
Product: Core → Core Graveyard