Closed
Bug 442275
Opened 17 years ago
Closed 17 years ago
May access personal certificates from other people without security check
Categories
(Firefox :: Security, enhancement)
RESOLVED
INVALID
People
(Reporter: roberjruiz, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; es-ES; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; es-ES; rv:1.9) Gecko/2008052906 Firefox/3.0
I have four personal certificates installed on Firefox on my home computer (one is mine, the others are my relatives').
I backed them up with a high security level, so I am prompted for a password every time I install one of them.
The problem is that once installed, I may use any of them, and I am never prompted for a password again. Firefox just prompts to ask which certificate I want to use.
And the worst problem is that they are all official documents emitted by the Spanish government, so anyone using the computer may supplant me, which is quite a serious issue. OK, they are my family and I trust them, but that's not always the case.
Reproducible: Always
Steps to Reproduce:
1. Install several personal certificates
2. Configure Firefox to ask which certificate to use every time you are requested
Actual Results:
No security check when personal certificates are used (only when installed). May use any certificate installed on the browser with no security restrictions.
Expected Results:
Should ask for a password every time a personal certificate is requested and selected.
Password should be different for every certificate, and should be requested when certificate is installed.
User may deactivate security on a certificate by certificate basis (Prompted for password to deactivate).
This function might not be globally deactivated, but browser may be configured not to put security on certificates by default (Not request a usage password when certificate is installed)
Secured certificates should be protected, so they can't be used just by copying them to another profile.
It's a new feature, but I think it is a major security problem (a problem shared by any browser I know).
Comment 1•17 years ago
The central concern here is that you are using one profile to manage the credentials of several different people, and that will cause problems for many reasons (password manager conflicts, history disclosure, &c.) We cannot solve all these problems by prompting for passwords every time sensitive information is required, without making the experience quite unusable for typical users in a single-user environment. However, what you ask for is already possible in Firefox with a few changes.
The first is to separate your users into different profiles. There is an article that describes this process here:
http://support.mozilla.com/eu/kb/Managing+profiles
This allows the members of your family to have Firefox running on the same computer, without having access to, and conflicts with, the stored information of other users.
Secondly, protect your profiles with a master password. Once your profile is protected with a master password, no one will be able to use your certificates until it is supplied.
http://support.mozilla.com/eu/kb/Master+Password
I believe that certain kinds of certificate stores (hardware tokens, etc.) can be configured to require a password for every use, but that is outside of Firefox.
Because of the support outlined above, though, and because we are unlikely to support continuous re-prompting, I believe this bug report can be closed.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID