Closed Bug 431957 Opened 16 years ago Closed 16 years ago

Since 2.0.0.14 prompts for certificate on every signed mail send

Categories

(Thunderbird :: Security, defect)

x86
Windows XP
defect
Not set
major

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 431819

People

(Reporter: pscott, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14

Since I upgraded to 2.0.0.14 today, every e-mail I send that has a signature (certificate) is prompting me to select the certificate. This is already set in the account preferences, and did not prompt me prior to upgrading.

Reproducible: Always

Steps to Reproduce:
1. Compose e-mail
2. Send it
3. Prompt for certificate occurs

Actual Results:
see above

Expected Results:  
should *NOT* prompt. I already have a default certificate established for the account, and it never prompted before this upgrade.

*NOT* PROMPT

I think the issue is not the selection of a client certificate (S/MIME), but the server requesting client authentication. This bug might be a duplicate of bug 431819.

Please test and confirm duplicate.

Confirmed that this is a duplicate of 431819. Sorry for the dup.

Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE

Just checking to be sure:

1) do you connect to your SMTP server over SSL?

2) if you send an unsigned mail do you still get the prompt or not?

If the answer to both of those is yes then this is, indeed, a duplicate of bug 431819. If you don't get prompted for unsigned mail then this is a different problem, but one I cannot reproduce. For me signed mail is still using the cert chosen in the Security section of my account setup without asking me every time.

Indeed, the answer to both *is* yes. Which surprises me because I would *not* expect that an SSL connection requires a pre-determined-CA-signed certificate on the client side. In my experience, this has never been the case. What is going on here?

In practice it always sent a client certificate without you knowing. That's what I think happens here. Do you have a client certificate installed in TB?

(In reply to comment #4)
> What is going on here? 

It's just another way to log on to a server to prove you're you: instead of typing a password into a login form or dialog you can present a certificate. If the server is looking for a certificate that it did not issue then it's just snooping, and that's exactly the privacy issue we were trying to prevent when changing the default.

(In reply to comment #6)
> the server is looking for a certificate that it did not issue then it's just
> snooping, and that's exactly the privacy issue we were trying to prevent when
> changing the default.
> 

Oh no, these are mail servers the user configured and most likely wants to work with. That is, the selection was TLS and not unsecured. I guess you want that, don't you? Mail servers aren't like web sites which can really track where you go. This is certainly not the same.

Besides, does certificate authentication work with the HTML capabilities of TB? That would be the only place where such a limitation should be in place.
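
The mechanism discussed in the comments above, as an added example (not code from Thunderbird or NSS): during the handshake the server sends a CertificateRequest listing the issuer names it accepts, and a client can use that list to decide whether presenting its certificate makes sense. The message layout is that of TLS 1.0/1.1; the function names, the byte-for-byte issuer comparison and the send/ask/withhold policy are assumptions made for illustration.

```python
import struct

def der(tag, body):
    """Encode one DER TLV; short-form length only (enough for the sample names)."""
    if len(body) > 127:
        raise ValueError("long-form DER length not handled in this sketch")
    return bytes([tag, len(body)]) + body

def cn_name(cn):
    """Constructed test data: DER Name holding a single commonName (OID 2.5.4.3)."""
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))

def build_cert_request(cert_types, ca_names):
    """Serialize a TLS 1.0/1.1 CertificateRequest body (server side)."""
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return bytes([len(cert_types), *cert_types]) + struct.pack("!H", len(cas)) + cas

def parse_cert_request(body):
    """Return (certificate_types, [DER issuer names]) or raise ValueError."""
    try:
        ntypes = body[0]
        types = list(body[1:1 + ntypes])
        pos = 1 + ntypes
        (total,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if len(types) != ntypes or pos + total != len(body):
            raise ValueError("length fields do not match message size")
        names = []
        while pos < len(body):
            (n,) = struct.unpack_from("!H", body, pos)
            pos += 2
            if n == 0 or pos + n > len(body):
                raise ValueError("bad DistinguishedName length")
            names.append(body[pos:pos + n])
            pos += n
        return types, names
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated CertificateRequest") from exc

def decide(body, configured_issuer):
    """Hypothetical client policy: 'send', 'ask' or 'withhold'."""
    _, names = parse_cert_request(body)
    if not names:
        return "ask"        # server named no CA: it would accept any certificate
    return "send" if configured_issuer in names else "withhold"

if __name__ == "__main__":
    ca = cn_name("Example Mail CA")                    # constructed issuer name
    print(decide(build_cert_request([1], [ca]), ca))   # type 1 = rsa_sign
```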