279871 - Firefox should ask to set a master password for the SSD at setup

Status: RESOLVED EXPIRED

(Firefox :: Settings UI, defect)

Description

[Ingemar Nilsson]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0

I now use Fedora Core 3, where Firefox is the main browser. Until quite
recently, I used Fedora Core 1, where Mozilla was the main browser. Even though
Galeon was my browser of choice up to the time of the OS upgrade I used Mozilla
for internet banking.

My bank uses client certificates as part of the authorization process. When
these were installed on first use, I was asked whether I wanted to enable the
Software Security Device (SSD) by setting the Master Password, to encrypt the
certificates. Since I thought it was (and is) a good idea, I did. Even though I
don't really know what type of encryption is used and how hard it is to break,
it would still protect me agains the casual certificate thief in the unlikely
event that my machine was cracked.

When I upgraded my OS and switched to Firefox, I noticed that the browser did
not ask me whether to enable the SSD encryption. It simply stored the
certificates without encryption. I had to manually enable it by setting the
master password before installing the certificates.

I think it would be a good idea to ask the user whether to set the password the
first time a client certificate is installed, or when a password is first saved.
Certainly, he/she should only be asked once if "no" is given as the answer. I
think this would be especially useful on Windows machines, since they have been
more prone to cracking. The Swedish police even recommends citizens not to use
banking services that uses client certificates since they could be stolen by
crackers that break into the machine. If they are protected by encryption, it
gets much harder to say the least, and the cracker must be much more determined
to even make a try at breaking the encryption than the casual script kiddie.

Summary: The browser should ask to set a master password when the SSD is used
the first time. It should certainly be accompanied by a warning about the
results of a forgotten password, so that users don't just set the password and
forget it next week.


Reproducible: Always

Comment 1

[Gervase Markham [:gerv]]

This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/

Comment 2

[Gervase Markham [:gerv]]

This bug has been automatically resolved after a period of inactivity (see above
comment). If anyone thinks this is incorrect, they should feel free to reopen it.

Comment 3

[Mike Connor [:mconnor]]

sorry for bugspam, long-overdue mass reassign of ancient QA contact bugs,
filter on "beltznerLovesGoats" to get rid of this mass change