Open Bug 488485 Opened 16 years ago Updated 2 years ago

"CA Certificate already installed" prompt should have option to edit trust settings

Categories

(Core :: Security: PSM, defect, P5)

x86
Windows XP
defect

People

(Reporter: arthurp, Unassigned)

Details

(Whiteboard: [psm-cert-manager][psm-backlog])

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8

When downloading a new certifying authority in .cer format, the certificate installation dialog presents three checkboxes for trust settings, but does not require that any of the boxes are checked YES before an "OK" action. If the certificate is not trusted, I do not see what purpose installing it could possibly serve (and thus would suggest only allowing "Cancel" until at least one box is checked).

An "installed" certificate without any trust not only fails to allow proper access to our local web services, but prevents subsequent attempts to (re)load the CA from succeeding ("This certificate is already installed as a certificate authority.")

Additionally, I see no difference in SSL behavior, error messages, or ability to add exceptions when connecting to servers with certificates issued by _installed_ but _untrusted_ CAs, versus those _not installed at all_. Specifically, accessing <https://inquir.csail.mit.edu/> yields "sec_error_untrusted_issuer," and allows an exception to be created, in both cases.

Reproducible: Always

Steps to Reproduce:
1. Open Location: <http://ca.csail.mit.edu/cacert/master.cer>
2. Leave all "Trust this CA to identify..." boxes UNchecked
3. Click OK

Actual Results: Certificate is installed, but completely untrusted. Subsequent attempts to re-install the certificate yield "This certificate is already installed as a certificate authority." and can only be dismissed with a no-op "OK".

Expected Results: Step 3. should be impossible - shouldn't be able to install certificate without granting it _some_ sort of trust.

If there is a subtle reason why the above needs to be possible, I would suggest that when subsequent attempts to re-install a certificate yield the "already installed" message, an additional option (button) is presented, to allow "Edit its trust settings."

This behavior occurs across platforms in 3.0.x and earlier. (Mac OS, Windows x86, Ubuntu 8.10, Debian Lenny/iceweasel)

While it is possible to obtain desired behavior from any Firefox browser (to work around this behavior), it is a source of a noticeable portion of our help desk traffic at our site. I consider this a relatively severe UI/workflow bug.

We don't particularly want to make it easier for users to trust an arbitrary CA to identify web pages, since it sets them up for a reasonably terrible man in the middle attack scenario. The dialog defaults to a safe, albeit confusing, setting and disabling the OK button would encourage MORE users to give it trust (probably all trust) which would ease your tech support burden, but also that of the would-be attacker.

On the other hand, the error message that says already installed offering to edit trust settings makes sense to me. It's clear at that point that the user is trying to do a thing, to solve a problem, and while that could be a persistent attacker, we can't really expect to foil a persistent victim with endless confirmation boxes. That part bears further discussion, at least.

Moving to the right component (don't worry, no one gets bugzilla components right :) for that discussion, and morphing the summary to match the part of this RFE that isn't WONTFIX.

Assignee: nobody → kaie
Status: UNCONFIRMED → NEW
Component: Security → Security: UI
Ever confirmed: true
Product: Firefox → Core
QA Contact: firefox → ui
Summary: Installing new CA allows self-defeating "trust for nothing" settings → "CA Certificate already installed" prompt should have option to edit trust settings
Version: unspecified → Trunk
Assignee: kaie → nobody
Whiteboard: [psm-cert-manager]
Component: Security: UI → Security: PSM
Priority: -- → P5
Whiteboard: [psm-cert-manager] → [psm-cert-manager][psm-backlog]
Severity: minor → S4