Open
Bug 350612
Opened 19 years ago
Updated 2 years ago
client auth cert selection dialog should show URL requesting it
Categories
(Core :: Security: PSM, defect, P5)
Tracking
REOPENED
People
(Reporter: nagydani, Unassigned)
Details
(Keywords: sec-want, Whiteboard: [sg:want][psm-backlog])
Attachments
(1 file) 103.31 KB, text/plain
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6
If a website would accept several client certificates (in the example URL, those by wmcert.com and that from here: http://www.epointsystem.org/~nagydani/key ), the dialog prompting the user to pick one is presented for each element (inline image, css style file, etc.) of the webpage, which is very annoying. Even if it were useful (to pick a different client certificate for each inline image?), the dialog should have displayed the actual element it is about to download with the chosen cert.
Of course "ask me every time" can be interpreted this way, but asking once per webpage would make more sense.
Reproducible: Always
Steps to Reproduce:
1. Create two certificates: one at http://www.epointsystem.org/~nagydani/key the other at https://www.wmcert.com
2. Set the following option in Firefox/Preferences.../Advanced/Security: When a web site requires a certificate: Ask me every time
3. Go to https://www.epointsystem.org
Actual Results:
The user is bombarded with dialogs for choosing a client cert.
Expected Results:
The user should be prompted once for choosing a client cert before loading the webpage with all its auxiliary files.
Updated•19 years ago
Assignee: nobody → kengert
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox
Version: unspecified → 1.8 Branch
Comment 2•19 years ago
I followed the instructions from comment 0 and obtained two certs.
I used the ssltap tool to trace the connection between client and server.
Nelson, does the attached log file tell us who is the culprit for the repeated client auth prompts?
Thanks
Comment 3•19 years ago
Yes, the server is making all these client auth cert requests happen.
The server is giving the client an empty (zero length) SSL "Session ID"
in each connection, making it impossible for the client to restart the
SSL session in subsequent handshakes. So the client does not have the
choice of restarting the SSL session in subsquent connections.
In each new connection, the client does not offer to "restart" a previous
used session, because it has no session ID with which to do so. Because
the client does not offer an old session ID to be restarted, the server
is forced to do a "full" handshake. The server is obviously configured to
request SSL client authentication in every FULL handshake. So it does so.
The browser performs client auth every time it is asked to do so. The
purpose of "ask every time" is precisely to ensure that the browser never
does client auth without the user's explicit permission.
The options for solution are:
a) the server sends non-empty session IDs to the client, obviating client
auth for subsequent handshakes between the same client and server, or
b) the browser user configures his browser to automatically choose his
client auth certificate, and to not ask for his master password more than
once per browser process lifetime.
This is all working as designed. No browser bug is manifested by this
behavior.
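Nelson's diagnosis hinges on one field in the server's ServerHello: the session ID length. As an added example (not from the bug, the ssltap output, or any Mozilla code), here is a small Python parser that pulls that field out of a captured TLS handshake record and flags a zero-length ID, using a constructed ServerHello as sample input; the record builder, cipher suite and zeroed random are assumptions made for the demonstration.

```python
import struct


def parse_server_hello_session_id(record: bytes) -> bytes:
    """Extract the session ID from one TLS handshake record carrying a ServerHello.

    Record layout: type(1) version(2) length(2) | handshake: type(1) length(3) body.
    ServerHello body: version(2) random(32) session_id_len(1) session_id(...).
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    sid_len = body[34]
    # Session IDs are at most 32 bytes; anything larger is malformed.
    if sid_len > 32 or len(body) < 35 + sid_len:
        raise ValueError("bad session ID length")
    return body[35:35 + sid_len]


def server_offers_resumption(record: bytes) -> bool:
    """True if the server handed out a non-empty session ID, so later
    connections can resume and skip the full handshake (and with it the
    client-auth request). False is the behaviour diagnosed in this bug."""
    return len(parse_server_hello_session_id(record)) > 0


def build_server_hello(session_id: bytes) -> bytes:
    """Constructed sample ServerHello (TLS 1.0, cipher suite 0x002f, no
    compression, zeroed random) for testing; not captured from a real server."""
    body = (b"\x03\x01" + bytes(32)
            + bytes([len(session_id)]) + session_id
            + b"\x00\x2f" + b"\x00")
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for sid in (b"", bytes(range(32))):
        print(len(sid), server_offers_resumption(build_server_hello(sid)))
```

On a real capture, feed the first handshake record the server sends after the ClientHello; a False result means every new connection will be a full handshake and, on a server configured like this one, every full handshake will request client auth.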
Comment 4•19 years ago
Thanks for the analysis Nelson.
Daniel, maybe you can file a bug with the author of the server software in use, and point them to Nelson's explanation.
Resolving bug as invalid, as no browser bug seems to be present.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Comment 5•19 years ago (Reporter)
I disagree. As I indicated in the original bug report, I can accept this interpretation of "ask me every time", but in that case, the dialog MUST display the precise URL for which the user is required to pick a certificate.
Otherwise, we have a situation, where the user is asked to make a security-sensitive (or, rather, privacy-sensitive) decision, without being given sufficient information.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Comment 6•19 years ago
I agree that it would be very helpful if the user was being informed which
site he was about to authenticate to, both at cert selection time and at
the time when he is asked for the master password. I myself often find
that I am being asked for a master password, and I don't know why (for what
purpose) I am being asked.
Updated•18 years ago
QA Contact: psm
Updated•18 years ago
Blocks: clientauth
Comment 7•18 years ago
Changed the bug summary to reflect the requested change from comment 5.
Summary: Dialog for choosing client certificate presented for each element (e.g. inline image) → client auth cert selection dialog should show URL requesting it
Updated•16 years ago
Whiteboard: [sg:want]
Updated•9 years ago
Whiteboard: [sg:want] → [sg:want][psm-backlog]
Updated•8 years ago
Priority: -- → P5
Updated•2 years ago
Severity: normal → S3