Closed Bug 425179 Opened 16 years ago Closed 16 years ago

repetitive need to confirm use a certificate of security

Categories: Firefox :: Security, defect; 2.0 Branch; x86; Windows XP; minor

Status: RESOLVED WORKSFORME

People: Reporter: s.thebault.cchvva; Assignee: Unassigned

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.13

We are a network of 10 libraries using the open-source software PMB. The database is on a common server (SQL and PHP). We can connect to it with a security certificate (PKCS #1 RSA) and a password on a web page. It's the only certificate we use on these PCs.

With version 2.0.0.13 of Firefox, on numerous operations (a search, for example), we need to confirm the use of this certificate to continue the operation (a window presents the certificate, with OK and Abort buttons).

This does not happen with Firefox 2.0.0.12.

Reproducible: Sometimes

Steps to Reproduce:
1. Have this type of certificate
2. Connect to the database
3. On various operations, on clicking the "Search" or "Save" button, we need to confirm the certificate.

Actual Results:
Access to the database and use of the software are possible, but it's surprising for my librarians. The exchange between library and database is OK, but the window is intrusive.

Expected Results:
No confirmation of the certificate. We had to confirm on the first connection a months ago, but not since.
The message appears on the first connection of the day; the message is: "Ce site vous demande de vous identifier". Veuillez choisir un certificat de sécurité (liste déroulante)

Just a modification in the certificate options: just re-choose "automatically select a certificate", which was deselected by the update.

Severity: normal → minor
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Version: unspecified → 2.0 Branch

The default was changed in 2.0.0.13 because of potential privacy concerns and the very small minority of users who interact with legitimate sites that require certificates. The option is still available for those, such as yourself, who do in fact use certificates on a daily basis.

If you are seeing the certificate requests multiple times a day the server itself might need an adjustment to its settings on how long SSL sessions persist. If it's once a day that's about the best you can expect.

The dialog comes up when the server asks to know who you are, in order to get your permission to answer. Any server anywhere can make the same request so if there is any personal data contained in your certificate the "automatically select" option could allow websites to combine your browsing habits with your real-world identity.

Resolution: FIXED → WORKSFORME

I've noticed the same behavior change between Firefox 3.0 beta 3 and beta 4.
If I open any web page that requires identification by certificate, the popup is shown as many times as there are requests - for every CSS and JavaScript file. It becomes even worse if the site uses HttpRequest.

I don't think that the server keeps track of sessions at that point, and I haven't found any reference to this by searching the web. If it's so, could somebody please post a link to doing that, and I will try to give this info to the admins. However, I think it would still be good if there were some setting - "always identify with this certificate for this host".

Atis: if the servers are Apache, see bug 431819 comment 119; other servers should have similar options. As you'll see from that bug, we do want to implement an "always identify with this certificate for this host" mechanism in a future version.
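
For the Apache case raised in the comments above, a configuration sketch of the mod_ssl settings that determine how often the server asks the browser for a client certificate. This is an added example, not part of the bug thread and not the content of bug 431819 comment 119; the host name, file paths and timeout values are assumptions.

```apache
# Constructed example: host name, paths and timeouts are placeholders.

# Server-wide (outside any <VirtualHost>): enable a shared TLS session cache.
# The mod_ssl default is "none", so every new connection is a full handshake
# and the server sends a fresh certificate request each time.
SSLSessionCache        shmcb:/var/run/apache2/ssl_scache(512000)
# How long a cached session may be resumed, in seconds (mod_ssl default: 300).
# A resumed session carries the already verified client certificate, so the
# browser is not asked again until the session expires.
SSLSessionCacheTimeout 3600

<VirtualHost *:443>
    ServerName pmb.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/pmb.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/pmb.example.org.key

    # Request the client certificate once, during the initial handshake.
    SSLCACertificateFile  /etc/ssl/certs/library-clients-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Reuse connections so CSS, JavaScript and XMLHttpRequest fetches do not
    # each open a new TLS connection.
    KeepAlive On
    KeepAliveTimeout 15

    # Pattern that multiplies prompts: SSLVerifyClient in per-directory
    # context makes mod_ssl renegotiate after the HTTP request has been read,
    # which means a new certificate request for matching requests.
    # <Location /pmb>
    #     SSLVerifyClient require
    # </Location>
</VirtualHost>
```

With the Firefox certificate option left at its 2.0.0.13 default, the dialog then appears only when a full handshake is needed, that is, when no cached session is available to resume.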