Closed
Bug 474958
Opened 16 years ago
Closed 16 years ago
consider not allowing web sites to silently install user certificates
Categories
(Firefox :: General, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 251690
People
(Reporter: guninski, Unassigned)
Details
Attachments
(5 files, 3 obsolete files)
Visiting a web page may result in installing a user certificate. The only sign of installation is a dialog "your certificate was installed |OK|" - the only active UI element is the OK button, no way to disallow it.

So this allows the user to have zero or more certificates in names like:
- psycho user
- obama
- laden

Clearly this is at least a joke mocking the user, yet it may not be considered a joke in some parts of the world.

How to reproduce (don't have a fully automated cgi, it needs some manual steps):

1. The key generation is via <keygen name="pubkey" challenge=""> in a form. See gen1.html
2. The client generates a key and sends a SPKAC request to the server.
3. When one gets the SPKAC value, create a request like:
       SPKAC=$CLIENTVALUE
       CN=psycho user
4. Sign the request with openssl. Assuming one has a working openssl CA, the command is:
       openssl ca -config ./openssl.cnf -verbose -days 180 -notext -batch -spkac ./spak1.txt -out spaksign.pem
   where spak1.txt is the result from step 3.
5. [4] produces a cert. Serve the cert to the client with content type: application/x-x509-user-cert
6. The cert is installed, the user clicks the only button |ok|
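A defender-side check for the two artifacts the report names, the <keygen> form element and the application/x-x509-user-cert content type, as an added example that is not part of the original bug report. The record layout, host names and addresses are constructed for illustration; the correlation rule (same client and host) is an assumption about how one might triage such hits.

```python
import re

# Constructed sample proxy records (not real traffic):
# (client, host, path, Content-Type header, response body snippet)
SAMPLE = [
    ("10.0.0.5", "shop.example", "/index.html", "text/html; charset=utf-8",
     "<form><input name='q'></form>"),
    ("10.0.0.5", "odd.example", "/gen1.html", "text/html",
     '<form method="post"><KEYGEN name="pubkey" challenge=""></form>'),
    ("10.0.0.5", "odd.example", "/cert", "application/x-x509-user-cert", ""),
    ("10.0.0.9", "ca.corp.example", "/enroll/done",
     "Application/X-X509-User-Cert", ""),
]

KEYGEN_RE = re.compile(r"<keygen\b", re.IGNORECASE)
USER_CERT_TYPE = "application/x-x509-user-cert"
HTML_TYPES = ("text/html", "application/xhtml+xml")


def media_type(header):
    """Return the bare media type: parameters dropped, lower-cased."""
    return header.split(";", 1)[0].strip().lower()


def find_user_cert_deliveries(records):
    """Flag every response served as a user certificate.

    keygen_seen is True when the same client was earlier served a page
    containing <keygen> by the same host, i.e. the flow in the report.
    """
    seen_keygen = set()
    findings = []
    for client, host, path, ctype, body in records:
        mt = media_type(ctype)
        if mt in HTML_TYPES and KEYGEN_RE.search(body):
            seen_keygen.add((client, host))
        elif mt == USER_CERT_TYPE:
            findings.append({
                "client": client,
                "host": host,
                "path": path,
                "keygen_seen": (client, host) in seen_keygen,
            })
    return findings


if __name__ == "__main__":
    for finding in find_user_cert_deliveries(SAMPLE):
        print(finding)
```

Hits from hosts that are not a known internal enrollment CA are the ones worth reviewing, since the browser gives the user no way to decline the install.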
Reporter
Comment 1•16 years ago
Updated•16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Updated•16 years ago
Group: core-security
Comment 3•16 years ago
I'm attaching more samples to this bug.
Comment 4•16 years ago
Comment 5•16 years ago
Comment 6•16 years ago
Attachment #372340 -
Attachment is obsolete: true
Comment 7•16 years ago
Attachment #372341 -
Attachment is obsolete: true
Comment 8•16 years ago
Comment 9•16 years ago
Attachment #372342 -
Attachment is obsolete: true