Closed Bug 406559 Opened 17 years ago Closed 11 years ago

CRLs are imported without asking user for confirmation

Categories: (Core :: Security: PSM, defect)
defect
Not set
normal

Tracking: RESOLVED INVALID

People: (Reporter: mads, Unassigned)

Details: (Whiteboard: [psm-crl])

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071126 Fedora/2.0.0.10-1.fc8 Firefox/2.0.0.10 pango-text
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071126 Fedora/2.0.0.10-1.fc8 Firefox/2.0.0.10 pango-text

If a user clicks the "root.crl" link on http://www.apple.com/certificateauthority/ it is imported without confirmation from the user. I assume that adding bogus CRLs to the user's browser can have security implications. By the nature of CRLs it will probably be DOS kind of problems. Adding a lot of CRLs will create a local DOS. Perhaps it will be possible to block access to sites.

Reproducible: Always

Steps to Reproduce:
1. Just follow the link to http://www.apple.com/certificateauthority/root.crl

Actual Results:
CRL can be found in Firefox's CRL list

Expected Results:
User should be told what implications adding the CRL will have, and the user should be asked for confirmation.
CRLs are signed by their issuers, so it is not possible for a malicious party to publish a CRL which will, for instance, revoke amazon.com's certificate - only amazon.com's issuer can do that. The only opportunities for attack I see here are either the network hit of fetching these things or the general contamination of the CRL DB with useless junk, which isn't a *terribly* compelling attack anyhow. I'm going to bounce this to PSM for comment, in case I'm crazy, but in any event it doesn't need to be secret, since our behaviour here is known and by design.
Assignee: nobody → kengert
Group: security
Component: Security → Security: PSM
OS: Linux → All
Product: Firefox → Core
QA Contact: firefox → psm
Hardware: PC → All
I guess this bug is invalid, but cc'ing Bob and Nelson. It's our intention to import CRLs when clicked.
The CRL is imported but automatic CRL updating is not enabled, by default. What happens when the CRL expires? Is this effectively a DOS?
You can't import an invalid CRL (including an expired one), but if the CRL you have later expires, then it currently is a DOS. bob
There are several APIs available to import CRLs, PK11_ImportCRL and SEC_NewCrl. The former verifies the CRL optionally, and the latter does not. AFAIK, PSM uses the latter. It always imports CRLs without verifying them. This can create DOSes. In order for PSM to successfully do the CRL verification at import time, it would be required to save intermediate certs. So, right now, it blindly stores them in the token, and the failure may be seen later at verification time.
Also, CRLs don't expire. ;) Only the NIST CRL policy considers the nextUpdate as an expiration date. By default we don't follow that policy so there should be no DOS due to "expiration". In any case, the reporter is correct that CRLs are imported without asking the user. I would say it was done by design in PSM rather than a bug, though (since the CRLs can't be verified without intermediates). If we can change PSM to check the CRL validity before import, it will have to obtain the cert chain from somewhere. Maybe an AIA or SIA extension in a CRL? I am not sure if this is in current RFCs, though. It's not in RFC3280 at least.
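The import-time checks discussed in the two comments above (verify the CRL signature against its issuer, which is exactly what PSM could not do without the intermediate certificates, and treat nextUpdate as an expiry only under a NIST-style policy) can be shown end to end in Python. This is an added example, not PSM or NSS code; it assumes the `cryptography` package, and the CA, keys, CRLs and function names (`make_ca`, `make_crl`, `check_crl_before_import`, `demo`) are constructed here for illustration. It also covers the point made earlier in the thread: a CRL produced under the right issuer name but signed with a different key does not verify, so a third party cannot revoke someone else's certificate by publishing a CRL.

```python
"""Verify a downloaded CRL before letting it into a local store.

Added example, not PSM/NSS code. Assumes the `cryptography` package;
CA, keys and CRLs are constructed here for demonstration.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_ca(common_name):
    """Constructed self-signed CA (key + certificate) standing in for a real issuer."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_crl(signing_key, issuer_name, revoked_serials, this_update, validity_days=7):
    """Constructed DER CRL signed with signing_key, claiming issuer_name, listing revoked_serials."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_name)
        .last_update(this_update)
        .next_update(this_update + timedelta(days=validity_days))
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(this_update)
            .build()
        )
    crl = builder.sign(signing_key, hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.DER)


def _next_update(crl):
    # cryptography >= 42 exposes tz-aware *_utc properties; older releases only naive UTC ones
    if hasattr(crl, "next_update_utc"):
        return crl.next_update_utc
    nu = crl.next_update
    return nu.replace(tzinfo=timezone.utc) if nu is not None else None


def check_crl_before_import(crl_der, issuer_cert, now, nist_policy=False):
    """Decide whether a fetched CRL may enter the local store.

    Returns (accept, details). The signature check needs the issuer's
    certificate, which is why verifying at import time requires the chain
    to be available; nextUpdate only rejects under the NIST-style policy.
    """
    crl = x509.load_der_x509_crl(crl_der)
    next_update = _next_update(crl)
    details = {
        "issuer_matches": crl.issuer == issuer_cert.subject,
        "signature_valid": crl.is_signature_valid(issuer_cert.public_key()),
        "past_next_update": next_update is not None and now > next_update,
        "revoked_count": len(crl),
    }
    accept = details["issuer_matches"] and details["signature_valid"]
    if nist_policy and details["past_next_update"]:
        accept = False
    return accept, details


def demo():
    """Run the scenarios from the thread; returns each one's accept decision."""
    now = datetime.now(timezone.utc)
    ca_key, ca_cert = make_ca("Example Root CA")
    genuine = make_crl(ca_key, ca_cert.subject, [1234], now)
    rogue_key, _ = make_ca("Example Root CA")  # same issuer name, different key
    forged = make_crl(rogue_key, ca_cert.subject, [1234], now)
    stale = make_crl(ca_key, ca_cert.subject, [1234], now - timedelta(days=30))
    return {
        "genuine": check_crl_before_import(genuine, ca_cert, now)[0],
        "forged": check_crl_before_import(forged, ca_cert, now)[0],
        "stale_default": check_crl_before_import(stale, ca_cert, now)[0],
        "stale_nist": check_crl_before_import(stale, ca_cert, now, nist_policy=True)[0],
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'import' if accepted else 'reject'}")
```

The stale CRL is accepted under the default policy and rejected only when `nist_policy=True`, matching the distinction drawn above between a CRL being past its nextUpdate and a CRL being invalid; the forged CRL fails solely on the signature check, which is the step that requires the issuer certificate to be on hand at import time.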
Summary: CRLs seems to be imported without asking user → CRLs are imported without asking user for confirmation
Mass change owner of unconfirmed "Core:Security UI/PSM/SMime" bugs to nobody. Search for kaie-20100607-unconfirmed-nobody
Assignee: kaie → nobody
Whiteboard: [psm-crl]
I just encountered this today, and though there might not be any security problem in adding the CRL to Firefox automatically, it does display a scary looking dialog asking you if the newly added CRL should be auto updated or not. The dialog may not be a security warning, but it looks in my mind like a security warning you cannot cancel. So maybe the dialog should be removed or its wording be improved. Does Firefox ensure that only CRLs from trusted CAs can be imported? Otherwise I think it could be a privacy issue, since it does not seem like the import is removed by Private Browsing or Clear Recent History.
The "Revocation Lists" feature was removed in bug 867465.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Depends on: 867465
Resolution: --- → INVALID