425784 - 2.0.0.13 upgrade changed certificate preference to "ask me every time"

Status: VERIFIED WONTFIX

(Firefox :: Security, defect)

Description

[bill]

Attachment: The default cert selection preferences before upgrading to 2.0.0.13

After upgrading to 2.0.0.13, people on my team who use smartcards for authentication are complaining about this problem. They all confirmed that their certificate preference was set to "ask me every time", but it used to be set to "select automatically" -- the previous default.

This caused a lot of confusion for folks who weren't familiar with that dialog box. In most cases, these people only had a single viable certificate to choose from.

Suggestion: don't change user choices values for certificate selection (or any default, for that matter) between releases unless necessary.

Comment 1

[Daniel Veditz [:dveditz]]

It was necessary.

see http://www.mozilla.org/security/announce/2008/mfsa2008-17.html and the problems discussed in bug 295922 and bug 395399 (and especially the PoC in the latter).

Quite unfortunate that no one's stepped up to implement something like bug 395399 to ease the pain, but the number of people inconvenienced by the change is dwarfed by the number of people at risk. And those people will be motivated to seek out and change the option whereas the people at risk had no such feedback that they needed to change the option the other way.

Unfortunately there was no way to distinguish people who had the default because it was the default from those who had the default because they intentionally left it that way.