Closed
Bug 336963
Opened 20 years ago
Closed 18 years ago
Use another person digital certificate with no need of password
Categories
(SeaMonkey :: Security, defect)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: facero, Assigned: dveditz)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920
My system:
a) Mandrake Linux 2006.0 with all security updates.
b) OpenOffice 2.0.2 (Spanish language package).
c) Mozilla Suite 1.7.2 with Enigmail plugin 0.82.1.0
I have two digital certificates installed in Mozilla, one for my wife and the other for me (there are Spanish government administrative documents that must be signed by both of us at the same time, therefore this is a very common arrangement for digital certificates).
The security failure, step by step:
1) Having finished the document, I use the command sequence Archivo | Firmas Digitales (File | Digital Signature).
2) I select Sí (Yes) at the question about saving the document.
3) I write a name for the document and press the Guardar (Save) button in the Save dialog window.
4) In the Firmas Digitales (Digital Signatures) dialog window, I press the Agregar (Add) button.
5) I enter the password for the NSS Certificate DB.
6) Now I can see two digital certificates. I select my wife's certificate (I don't know her password for this certificate, but the system doesn't ask for any password at this moment).
7) Doing this, the document appears signed by my wife, but she doesn't know anything about this. Notice that I didn't need her certificate password to do this.
As a result, I can use without restrictions any certificate stored in the NSS Certificate DB. I only need the NSS Certificate DB password, but no password for the certificates.
I can do the same with Mozilla Suite or Thunderbird and send fake mail messages with a good signature from my wife. To do this, I only need to change the e-mail address and choose my wife's certificate from the NSS Certificate DB. Again, I don't need to know her password for the certificate.
In conclusion, this is a very critical security flaw, because if I have physical access to other people's certificates, I can build a compatible and tailored Certificate DB and therefore use all those certificates without restrictions to sign fake documents or messages. In Spain, the legislation does not allow a signed message to be repudiated, and this flaw can be a serious problem for users.
I will send the same message to OpenOffice and Enigmail forums.
Best Regards.
Reproducible: Always
Steps to Reproduce:
1. Change the From e-mail address to point to my wife
2. Select her digital certificate p.12
3. Send the message as her, as usual.
Actual Results:
Signed fake messages as another person
Expected Results:
The program must ask for the certificate password.
I believe that this problem does not have a solution, since even if the program were modified, a previous version could always be used to falsify the messages.
Comment 1•18 years ago
- Fernando, are you still seeing this with "recent" versions of the program (SeaMonkey 1.1.8 or later)?
- If you think "the problem has no solution", what do you want to happen?
Comment 2 (Reporter)•18 years ago
(In reply to comment #1)
> - Fernando, are you still seeing this with "recent" versions of the program
> (SeaMonkey 1.1.8 or later)?
>
> - If you think "the problem has no solution", what do you want to happen?
>
Yes, at this moment I think that "the problem has no solution", but let me think about this for a while. Let me answer you this weekend.
Best regards, Fernando Acero
Comment 3•18 years ago
"this weekend", he said; then two weeks went by.
Resolving INCOMPLETE.
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INCOMPLETE
Comment 4 (Assignee)•18 years ago
(In reply to comment #0)
> 7) Doing this, the document appears signed by my wife, but she doesn't know
> anything about this. Notice that I didn't need her certificate password to do
> this.
>
> As a result, I can use without restrictions any certificate stored in the
> NSS Certificate DB. I only need the NSS Certificate DB password, but no password
> for the certificates.
Certificates do not have passwords; the passwords are on the containing files. When you imported your wife's certificate you needed the password for the .p12 file in order to extract it, and then it was placed in your certificate DB and protected by a different password.
The Mozilla mechanism to handle this case is to create a separate "profile" for each user, and each user's certificate database will have its own password. Certificates are only one potentially sensitive type stored in a profile; you might have Google/Yahoo/Hotmail account passwords saved, separate bookmarks, etc.
You have a similar problem at the OS level where each user should really get a separate user account (for example, the Mac "keychain" feature). Separate OS accounts will automatically result in separate Mozilla profiles, but if you don't have separate OS accounts then you can still set up separate profiles using the profile manager. (see http://www.mozilla.org/support/ if you need more help)
Are you really using Mozilla 1.7.12? Why bother making sure your OS has "all security updates" if you're running a browser that's 30 months old?
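Comment 4's point that the password sits on the containing file and not on the certificate, shown as an added example (not code from this bug or from Mozilla/NSS). It uses the openssl command line, with a second PKCS#12 file standing in for the NSS certificate DB; all names, paths and passwords are constructed.

```bash
#!/usr/bin/env bash
# Added illustration: every name, path and password here is constructed.
set -u
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
P12_PASS='export-file-password'   # guards the .p12 file only
DB_PASS='local-store-password'    # guards the store that replaces it

make_p12() {            # throwaway self-signed identity wrapped in a .p12
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Constructed Signer' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -out "$WORK/owner.p12" -passout "pass:$P12_PASS" &&
  rm -f "$WORK/key.pem"
}

import_to_store() {     # $1 = password offered for the .p12
  openssl pkcs12 -in "$WORK/owner.p12" -passin "pass:$1" -nodes \
    -out "$WORK/plain.pem" 2>/dev/null ||
    { rm -f "$WORK/plain.pem"; return 1; }
  # Re-wrap under the store's own password; the .p12 password is not kept.
  openssl pkcs12 -export -in "$WORK/plain.pem" \
    -out "$WORK/store.p12" -passout "pass:$DB_PASS"
  rc=$?; rm -f "$WORK/plain.pem"; return $rc
}

sign_from_store() {     # $1 = store password, $2 = file to sign
  openssl pkcs12 -in "$WORK/store.p12" -passin "pass:$1" -nodes -nocerts \
    -out "$WORK/k.pem" 2>/dev/null || { rm -f "$WORK/k.pem"; return 1; }
  openssl dgst -sha256 -sign "$WORK/k.pem" -out "$2.sig" "$2"
  rc=$?; rm -f "$WORK/k.pem"; return $rc
}

verify_sig() {          # $1 = signed file; checks against the certificate
  openssl x509 -in "$WORK/cert.pem" -pubkey -noout > "$WORK/pub.pem" &&
  openssl dgst -sha256 -verify "$WORK/pub.pem" \
    -signature "$1.sig" "$1" >/dev/null 2>&1
}

make_p12
import_to_store 'wrong-guess' || echo 'import refused: wrong .p12 password'
import_to_store "$P12_PASS"   && echo 'imported; store has its own password'
echo 'constructed document' > "$WORK/doc.txt"
sign_from_store "$DB_PASS" "$WORK/doc.txt" && verify_sig "$WORK/doc.txt" &&
  echo 'signed using the store password only; signature verifies'
```

After the import, the store password is the only control on the key, which is why each person's key belongs in a store (profile) whose password only that person knows.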
Comment 5 (Reporter)•18 years ago
(In reply to comment #3)
> "this weekend", he said; then two weeks went by.
> Resolving INCOMPLETE.
>
Hi Tony, Daniel:
As you said, I also think that this problem has no solution, or better said, it does not have a simple solution at this moment. There is bad use of the certificate by the user, but there is also a problem at the application level.
Yes, I can use, as Daniel said, several single profiles with a certificate in each, but I can't know the signing environment of a user when I receive a signed document from anyone. This is a confidence problem.
Remember, there are Spanish government administrative documents that must be signed by my wife and by me at the same time, therefore this is a very common arrangement for digital certificates in Spain. But I think that this possibility shouldn't be allowed by the browser.
Therefore, now I am thinking about a mechanism that makes it impossible to use certificates belonging to different people in a single profile; I don't mean anything about the use of several certificates of the same user in a single profile.
At least, the program could warn the user when he is trying to install certificates of different users into a single database or profile. This could be an interesting improvement to the program, in an attempt to minimize the problem shown above.
What do you think about this proposal of a prohibition or security warning?
But remember that this proposed solution doesn't resolve the main problem. Again, I don't have any knowledge about the signing environment when I get a signed message from anyone, and therefore I don't know if there are several certificates of different users in a single profile.
I want to say to Daniel that at this moment I am using Mozilla Firefox 2.0.0.12, and I have the same problem with certificates.
Please forgive me for the delay; I was very occupied with a lecture for the university.
Best regards