client auth cert selection dialog should show URL requesting it

Status: REOPENED
Assignee: Unassigned
Priority: P5
Severity: normal
Reported: 12 years ago
Last updated: 11 months ago
Reporter: nagydani
Blocks: 1 bug
Keywords: sec-want
Version: 1.8 Branch
Hardware: PowerPC
OS: Mac OS X
Whiteboard: [sg:want][psm-backlog]
Attachments: 1

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6

If a website would accept several client certificates (in the example URL, those by wmcert.com and that from here: http://www.epointsystem.org/~nagydani/key ), the dialog prompting the user to pick one is presented for each element (inline image, css style file, etc.) of the webpage, which is very annoying. Even if it were useful (to pick a different client certificate for each inline image?), the dialog should have displayed the actual element it is about to download with the chosen cert.

Of course "ask me every time" can be interpreted this way, but asking once per webpage would make more sense.

Reproducible: Always

Steps to Reproduce:
1. Create two certificates: one at http://www.epointsystem.org/~nagydani/key the other at https://www.wmcert.com
2. Set the following option in Firefox/Preferences.../Advanced/Security: When a web site requires a certificate: Ask me every time
3. Go to https://www.epointsystem.org

Actual Results:  
The user is bombarded with dialogs for choosing a client cert.

Expected Results:  
The user should be prompted once for choosing a client cert before loading the webpage with all its auxiliary files.
Assignee: nobody → kengert
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox
Version: unspecified → 1.8 Branch

Comment 1

12 years ago
Confirming
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 2

12 years ago
Created attachment 236473 [details]
ssltap logfile

I followed the instructions from comment 0 and obtained two certs.
I used the ssltap tool to trace the connection between client and server.

Nelson, does the attached log file tell us who is the culprit for the repeated client auth prompts?
Thanks

Comment 3

12 years ago
Yes, the server is making all these client auth cert requests happen. The server is giving the client an empty (zero-length) SSL "Session ID" in each connection, making it impossible for the client to restart the SSL session in subsequent handshakes. So the client does not have the choice of restarting the SSL session in subsequent connections.

In each new connection, the client does not offer to "restart" a previously used session, because it has no session ID with which to do so. Because the client does not offer an old session ID to be restarted, the server is forced to do a "full" handshake. The server is obviously configured to request SSL client authentication in every FULL handshake, so it does so.

The browser performs client auth every time it is asked to do so.  The 
purpose of "ask every time" is precisely to ensure that the browser never
does client auth without the user's explicit permission.  

The options for solution are:
a) the server sends non-empty session IDs to the client, obviating client
auth for subsequent handshakes between the same client and server, or 

b) the browser user configures his browser to automatically choose his 
client auth certificate, and to not ask for his master password more than
once per browser process lifetime.

This is all working as designed.  No browser bug is manifested by this 
behavior.
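
The mechanism described in comment 3, as an added worked example that is not part of the bug report and is not NSS, ssltap or Firefox/PSM code: a small parser for a TLS ServerHello record that reports whether the server issued a session ID the client could later offer for resumption, plus a model of what that means for an "ask me every time" client talking to a server that requests client auth on every full handshake. The records are constructed inline (no network, nothing taken from the attached ssltap log); the field layout follows the ServerHello definition in RFC 2246/5246, and the prompt-counting model is an assumption about client behaviour, not Firefox's actual logic.

```python
"""Added example (not from the bug, NSS or PSM): parse a TLS ServerHello and
check whether its session ID is empty, then model the resulting number of
client-auth prompts.  All records below are constructed test data."""
import struct

CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_TYPE_SERVER_HELLO = 2
TLS_1_0 = (3, 1)


def build_server_hello(session_id: bytes, cipher_suite: int = 0x002F) -> bytes:
    """Build a minimal TLS 1.0 ServerHello record (constructed test data).

    Layout: record header (type, version, length) + handshake header
    (type, 24-bit length) + body (version, 32-byte random, session_id<0..32>,
    cipher_suite, compression_method)."""
    if len(session_id) > 32:
        raise ValueError("session ID may be at most 32 bytes")
    body = (
        bytes(TLS_1_0)
        + b"\x00" * 32                              # server random (zeroed here)
        + bytes([len(session_id)]) + session_id     # the field comment 3 is about
        + struct.pack("!H", cipher_suite)
        + b"\x00"                                   # compression method: null
    )
    handshake = bytes([HANDSHAKE_TYPE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CONTENT_TYPE_HANDSHAKE]) + bytes(TLS_1_0)
            + struct.pack("!H", len(handshake)) + handshake)


# Raw bytes of a "no session ID" ServerHello, as such a record would appear in a
# hex dump (constructed, not copied from the attachment).
EMPTY_SESSION_ID_SERVER_HELLO = bytes.fromhex(
    "1603 0100 2a"        # record header: handshake, TLS 1.0, 42 bytes follow
    "0200 0026"           # handshake header: ServerHello, 38-byte body
    "0301"                # server_version
    + "00" * 32           # server random (zeroed)
    + "00"                # session_id length 0: nothing for the client to resume
    + "002f"              # cipher suite TLS_RSA_WITH_AES_128_CBC_SHA
    + "00"                # compression method null
)


def parse_server_hello(record: bytes) -> dict:
    """Parse one ServerHello record; raise ValueError on anything malformed."""
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    if len(record) < 5 + rec_len:
        raise ValueError("truncated record")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_TYPE_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or body_len < 35:
        raise ValueError("truncated ServerHello body")
    sid_len = body[34]                      # follows 2-byte version + 32-byte random
    if sid_len > 32 or len(body) < 35 + sid_len + 3:
        raise ValueError("bad session_id length")
    session_id = body[35:35 + sid_len]
    off = 35 + sid_len
    (cipher_suite,) = struct.unpack("!H", body[off:off + 2])
    return {"version": (body[0], body[1]), "session_id": session_id,
            "cipher_suite": cipher_suite, "resumable": sid_len > 0}


def client_auth_prompts(server_issues_session_ids: bool, connections: int) -> int:
    """Model (an assumption, not Firefox code) of comment 3: count prompts over N
    connections to a server that requests client auth on every full handshake.
    The modelled client offers the session ID from its last ServerHello; a
    non-empty offer yields an abbreviated handshake with no CertificateRequest."""
    cached_session_id = b""
    prompts = 0
    for n in range(1, connections + 1):
        if cached_session_id:
            continue                        # abbreviated handshake: no dialog
        prompts += 1                        # full handshake -> CertificateRequest -> dialog
        issued = bytes([n]) * 32 if server_issues_session_ids else b""
        cached_session_id = parse_server_hello(build_server_hello(issued))["session_id"]
    return prompts


if __name__ == "__main__":
    for label, rec in (("empty session ID", EMPTY_SESSION_ID_SERVER_HELLO),
                       ("32-byte session ID", build_server_hello(b"\x5a" * 32))):
        info = parse_server_hello(rec)
        print(f"{label}: session_id={info['session_id'].hex() or '<none>'} "
              f"resumable={info['resumable']}")
    print("prompts over 10 connections, no session IDs:  ", client_auth_prompts(False, 10))
    print("prompts over 10 connections, with session IDs:", client_auth_prompts(True, 10))
```

Running it against a real trace means feeding the ServerHello bytes from the dump into `parse_server_hello`; a `resumable` of `False` on every connection is the server-side condition Nelson identifies, and option (a) in comment 3 corresponds to the server returning a non-empty `session_id` so the model drops from one prompt per connection to one per cached session.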

Comment 4

12 years ago
Thanks for the analysis Nelson.

Daniel, maybe you can file a bug with the author of the server software in use, and point them to Nelson's explanation.

Resolving bug as invalid, as no browser bug seems to be present.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → INVALID
(Reporter)

Comment 5

12 years ago
I disagree. As I indicated in the original bug report, I can accept this interpretation of "ask me every time", but in that case, the dialog MUST display the precise URL for which the user is required to pick a certificate.
Otherwise, we have a situation, where the user is asked to make a security-sensitive (or, rather, privacy-sensitive) decision, without being given sufficient information.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---

Comment 6

I agree that it would be very helpful if the user was being informed which site he was about to authenticate to, both at cert selection time and at the time when he is asked for the master password. I myself often find that I am being asked for a master password, and I don't know why (for what purpose) I am being asked.
QA Contact: psm

Comment 7

Changed the bug summary to reflect the requested change from comment 5.
Summary: Dialog for choosing client certificate presented for each element (e.g. inline image) → client auth cert selection dialog should show URL requesting it
Whiteboard: [sg:want]

Comment 8

6 years ago
reassign bug owner.
mass-update-kaie-20120918
Assignee: kaie → nobody
Whiteboard: [sg:want] → [sg:want][psm-backlog]

Updated

11 months ago
Priority: -- → P5