431418 - Software Security Device requests master password at startup (after adding a certificate)

Status: RESOLVED INCOMPLETE

(Firefox :: Security, defect)

Description

[Scott Martin]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5

I obtained a Thawte email certificate following the steps at http://www.thawte.com/secure-email/personal-email-certificates/ . Since then, if I have a master password set, the/a(?) Software Security Device requests it to be entered every time Firefox is started.

Reproducible: Always

Steps to Reproduce:
1. Install a certificate.
2. Set a master password.
3. Start Firefox.
Actual Results:  
Master password is requested.

Expected Results:  
Normal startup.

Comment 1

[Daniel Veditz [:dveditz]]

Did you have a master password set before? I can't think of any password requests that would be triggered by adding a certificate. Does your home page have a password field on it?

Comment 2

[Scott Martin]

No, I didn't have one, and no, it doesn't. I'm not sure there's a direct connection to the certificate, but I'd never heard of the SSD before the installation.

Comment 3

[Rumen Avramov]

I have MANY certificates in my Firefox (but none issued by Thawte). I am NEVER requested a master pwd on startup unless I start with a page that requires a password to be entered.

Have you tried to have a different certificate in FF and not to have a Thawte one (though it shouldn't make any difference)?

What exactly is your homepage? Try setting it to about:blank. May be it does not have a password field, but somehow tries to establish secure communication thus causing FF to try to use the SSD.

Comment 4

[Gervase Markham [:gerv]]

I also see this problem since upgrading to Thunderbird 3. I have an S/MIME email certificate. Thunderbird 2 asked me for the password to unlock the use of it when I attempted to send S/MIME email. Thunderbird 3 beta now asks for it on every start-up. This is most irritating, because I rarely send S/MIME email, and so normally wasn't bothered by this dialog.

Is this the same bug, or a Thunderbird-specific one?

Gerv

Comment 5

[Nickolay_Ponomarev]

Gerv, I don't think a confirmation of a similar bug in Thunderbird counts for a bug filed in Firefox :)

Comment 6

[Gervase Markham [:gerv]]

Er... OK, but why is the original reporter installing a Thawte email certificate in Firefox? What's he trying to do with it?

Gerv

Comment 7

[Scott Martin]

I am still subscribed to this, you know, no need for the third person. Do you enjoy clogging up bug discussions?

http://lmgtfy.com/?q=thawte+email+certificate+firefox

Anyway, I no longer have the use case that led to this report being filed, so I can't add any further details or confirm for a more recent Firefox version.

Comment 8

[Gervase Markham [:gerv]]

Earle: sorry :-) And I love that website.

Gerv

Comment 9

[Daniel Veditz [:dveditz]]

I've got a Thawte email cert, too, and I'm only asked for my master password when one of my saved tabs includes a site for which I've saved a password. If your home page was an SSL site that speculatively requests client authentication you might get this behavior, too.

Gerv: Thunderbird asks me for my master password the first action that touches something with a saved password. Long before it needs to unlock my S/MIME cert it's already asked for the password to unlock the IMAP account so I could read the mail to which I later want to reply. Is your Thunderbird account set to get mail at launch and wasn't back when you used Tbird2?

Given comment 7 I think we've got to close this one until we find someone who can reproduce it.