Working with multiple personal certificates - selecting one for the session



Core Graveyard
Security: UI
9 years ago
a year ago


(Reporter: Ivan Ivanov, Unassigned, NeedInfo)


Windows XP

Firefox Tracking Flags

(Not tracked)




9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2009011913 Firefox/3.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2009011913 Firefox/3.0.6

Currently there are two options in Tools/Options/Advanced/Encryption
When a server requests my personal certificate:
*Select one automatically   *Ask me every time
Automatic works fine with a single certificate but with more than one the user has to use the manual option. In the second case, the user is asked to select a certificate almost on every step of a transaction.

Reproducible: Always

Expected Results:  
If possible, would be better if the user is asked which certificate to use for the new session and after selection is done Firefox uses the selected certificate automatically while the session is active.
Interesting idea with some obvious use cases, but over to PSM for further discussion.
Assignee: nobody → kaie
Component: Security → Security: UI
Ever confirmed: true
Product: Firefox → Core
QA Contact: firefox → ui
Version: unspecified → Trunk

Comment 2

9 years ago
See also
for lots of ideas and details around client auth and multiple certs.
We have other open bugs, but haven't been able yet to work on improvements.

Comment 3

9 years ago
In my particular case as an user there are two bank accounts managed from the same PC. One added lately. In automatic mode Firefox always takes the newer and session is broken with "Invalid certificate" message. It's obvious that fully automatic mode is quite a complicated task. Semi-automatic may be less difficult to accomplish. 
Sorry if I've written nonsense.

Comment 4

5 years ago
reassign bug owner.
Assignee: kaie → nobody

Comment 5

2 years ago

To me, this is more of a *bug* instead a feature request...

Even if just one personal cert is installed, also other, potentially unwanted uninvolved open https tabs will trigger the authentication request popup. In case of several open tabs, it's easy to accidentially clicking OK, thus sending the certificate to servers not supposed to get that kind of authentication information. 

This poses a privacy invasion in cases, where such servers usually only get pseudonyms + passwords (e. g. forums), but now are also receiving potentially personally identifyable information - just because of one accidential click.

If this also could pose securtiy implications, I can't judge.

To help avoiding such scenarios in the first place, though, it might help to enable personal certs being pinned to selected servers/domains on the first hit, thus preventing accidentially sending personal authentication information to other servers later on, where not applicable/unwanted.

This bug is not exactly NEW anymore... please prioritize this one soon!
Ivan - unless I'm misunderstanding, the current dialog has a checkbox you can check to make Firefox remember that decision for that site for your session. Is this the behavior you're looking for? Or are you saying Firefox should ask what certificate you want to use for every site for a session?

fettucini - it sounds like you're either seeing the master password dialog (known issue: bug 177175 etc.) or you're describing the fundamental privacy problem with client certificates (also known issue, but not easily solvable). In any case, this bug will probably not address your concerns.
Flags: needinfo?(drag_on_fly)
Last Resolved: a year ago
Resolution: --- → INCOMPLETE


a year ago
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.