323278 - Going to *any* https page makes the certificate login for my bank appear

Status: RESOLVED DUPLICATE of bug 326637

(Core :: Security: PSM, defect)

Description

[Lars Hammarlund]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.8) Gecko/20051111 Firefox/1.5

I have an internet bank account and a certificate to logon installed in Firefox.
Since upgrading to Firefox 1.5, every time I'm re-directed to a secure web page (https://), login window for my bank appears.
It also appears when clicking link to this bugzilla page.

Reproducible: Always

Steps to Reproduce:
Bank certificate origins from Nexus Personal.
Installation in Firefox:
1. Tool-Settings-Advanced-Security units (I run swedish version, button label is "Säkerhetsenheter", I don't know the english label)
2. Activate
3. Naming module "Personal"
4. Browse to find Personal.dll

5. Go to www.hotmail.com
6. Enter login name and password, click logon
7. When re-directed to https://-page, bank certificate login appears

Actual Results:  
Every visit to a https page trigger bank certificate login


Previous version of Firefox only loaded bank login when I actually wanted to login to the bank.

Comment 1

[Kai Engert (:KaiE:)]

This sounds very strange.
Could you try whether it still happens, when you create a separate, new profile for testing, and install your security device there, too? (You can run firefox.exe with parameter -ProfileManager)
Could you ask a technical person from your bank, whether they have tried it with Firefox, and see your problem, too?

Comment 2

[Simon Woods]

I am not sure if this is the same effect but it sounds very similar. In my case I use a Smart Card from my Employer.

Preconditions:
I have created a new Security Device and pointed this as the PKI Driver for my smart card.

How to reproduce:
1: Insert Smart card
2: Start Firefox (you can reproduce this in Thunderbird as well - different steps though)
3: Go to www.mozilla.org -> Developer -> Bugzilla (https site)
4: I am now asked without need for the PIN number of my smart card.
5: Hit cancel two or three times and the Bugzilla site is displayed.

My problem is that this appears without warning (Thanks to Lars I now know when to expect it). The message box is very similar to the Master Password dialog box and it is easy to type in the wrong information. After three incorrect attempts my card is locked and can only be reactived with considerable effort.

What is however more disconcerting is that the popup also appears in Thunderbird (I use the smart card for email encryption as well). I have a feeling that the PIN is displayed when my private mails are downloaded from secure mail servers (checks every 10 minutes for new mail). In this case the popup appears out of nowhere (thunderbird is hidden by other windows). If is often not clear if the popup is from Firefox or thunderbird, or someone wanting to steal my PIN number (trojan horse / virus ...).

I would like to up the severity of this as I believe that unsollicited popups reqesting PIN information should not occur.

Comment 3

[Kai Engert (:KaiE:)]

Do you see this bug with Firefox 1.5.x ?

Could you try Firefox 2?

I believe this might have been fixed already.

Please reopen the bug if you still see it with Firefox 2.


*** This bug has been marked as a duplicate of 326637 ***

Comment 4

[Simon Woods]

Initial tests confirm that this problem is no longer present in Firefox 2.0. Will reopen if problem persists, and assume that this will be integrated in a later version of Thunderbird.

Simon