Closed Bug 474958 Opened 12 years ago Closed 12 years ago

consider not allowing web sites to silently install user certificates

Categories

(Firefox :: General, defect)

x86
Linux
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 251690

People

(Reporter: guninski, Unassigned)

Details

Attachments

(5 files, 3 obsolete files)

visiting a web page may result in installing a user certificate.
the only sign of installation is a dialog "your certificate was installed |OK|" - the only active UI element is the OK button, no way to disallow it.

so this allows the user to have zero or more certificates in names like:
- psycho user
- obama
- laden

clearly this is at least a joke mocking the user, yet it may not be considered a joke in some parts of the world.

how to reproduce:
(don't have a fully automated cgi, it needs some manual steps).

1. the key generation is via
<keygen name="pubkey" challenge="">
in a form.
see gen1.html
2. the client generates key and sends a SPKAC request to the server
3. when one gets the SPKAC value create a request like:
SPKAC=$CLIENTVALUE
CN=psycho user
4. sign the request with openssl. assuming one has a working openssl CA the command is:
openssl ca -config ./openssl.cnf -verbose -days 180 -notext -batch -spkac ./spak1.txt -out spaksign.pem
where spak1.txt is the result from step 3.
5. [4] produces a cert. serve the cert to the client with content type:
application/x-x509-user-cert
6. the cert is installed, user clicks the only button |ok|
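The two observable artefacts of the sequence above are a page carrying a `<keygen>` element and a response served as `application/x-x509-user-cert`. The following is an added example, not part of this bug report or of Firefox, that audits recorded HTTP exchanges for both; the session records and URLs are constructed, and the two MIME types other than the one named in the bug are assumed to be handled the same way.

```python
from html.parser import HTMLParser

# Response types the browser treats as "install this certificate".
# application/x-x509-user-cert is the one named in the bug; the other two
# are assumed here to be handled the same way.
CERT_INSTALL_TYPES = {
    "application/x-x509-user-cert",
    "application/x-x509-ca-cert",
    "application/x-x509-email-cert",
}

class KeygenFinder(HTMLParser):
    """Collects <keygen> elements, which make the browser generate a key pair."""
    def __init__(self):
        super().__init__()
        self.keygens = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "keygen":
            self.keygens.append(dict(attrs))

def audit_exchange(url, content_type, body):
    """Return (kind, url, detail) findings for one recorded HTTP response."""
    findings = []
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime in CERT_INSTALL_TYPES:
        findings.append(("cert-install", url, mime))
    if mime == "text/html":
        finder = KeygenFinder()
        finder.feed(body)
        for kg in finder.keygens:
            findings.append(("keygen-form", url, kg.get("name") or ""))
    return findings

# Constructed sample session (not real traffic); mirrors steps 1 and 5 above.
SAMPLE = [
    ("http://example.test/gen1.html", "text/html; charset=utf-8",
     '<form method="post"><keygen name="pubkey" challenge=""><input type="submit"></form>'),
    ("http://example.test/spaksign.pem", "application/x-x509-user-cert",
     "-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n-----END CERTIFICATE-----\n"),
    ("http://example.test/index.html", "text/html", "<p>hello</p>"),
]

def audit_session(records=SAMPLE):
    """Run audit_exchange over every record and collect the findings."""
    out = []
    for url, ctype, body in records:
        out.extend(audit_exchange(url, ctype, body))
    return out

if __name__ == "__main__":
    for kind, url, detail in audit_session():
        print(f"{kind}: {url} ({detail})")
```

Run over a proxy or HAR export, the `cert-install` finding is the one to alert on, since the page shows the user gets no chance to refuse it.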
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 251690
Group: core-security
Attached file Sample RSA keygen tag use (obsolete) —
I'm attaching more samples to this bug.