Closed Bug 545498 Opened 11 years ago Closed 5 years ago

Provide Capabilities to Detect and Manage Root Certificate Inconsistencies

Categories

(Core :: Security: PSM, enhancement)

enhancement
Not set
normal

Tracking

()

RESOLVED WONTFIX

People

(Reporter: david, Unassigned)

Details

(Whiteboard: [psm-cert-manager])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20100104 SeaMonkey/2.0.2
Build Identifier: 

When a user changes the trust bits on a root certificate contained in the user's NSS read-only cert database, that certificate is first copied into the user's personal cert database.  The changes are then made there.  Subsequent changes implemented by Mozilla to that certificate's trust bits may be installed in the user's NSS read-only cert database when the user updates the affected Mozilla (or Mozilla-related) product, but those changes do not override the settings in the user's personal cert database.  

When a user downloads and installed a root certificate, it is installed in that user's personal cert database, even if that same certificate is already installed in that user's NSS read-only cert database.  Subsequent deletion of such a root certificate by Mozilla would be reflected in the user's NSS read-only cert database when the user updates the affected Mozilla (or Mozilla-related) product, but that deletion does not override the presence of the root certificate in the user's personal cert database.  

Both of these situations result in an inconsistency between the user's NSS read-only cert database and the user's personal cert database.  Such an inconsistency creates a security vulnerability.  This RFE requests capabilities both to detect such inconsistencies and to allow the user to mitigate them.  

Reproducible: Always




See the discussion in mozilla.dev.security.policy under the subject "New wiki page describing how users can change settings of root", in the thread starting 1 February 2010.  The relevant messages in that thread started with mine dated 2 February.  

I suggest that checking for inconsistencies between cert databases should occur whenever the NSS read-only database is updated through the installation of an update to the affected application.  A warning popup dialogue should appear if an inconsistency is detected.  The popup should halt the installation until it is acknowledged.  The the popup should contain text that not only informs the user of the presence of inconsistencies but also advises the user to use the Certificate Manager to obtain details and resolve the inconsistencies.  

I also suggest a new button be added to the Authorities tab of the Certificate Manager window.  This button would detect and report inconsistencies between the cert databases, listing each affected certificate.  For each affected certificate, the listing would show the trust bit settings in each database, flag those root certificates that exist only in the user's personal cert database, and provide for deleting certificates from the user's personal cert database.  This would preserve the state of the NSS read-only database.  It would also allow the user to check for and resolve inconsistencies at any time (not merely during installation and without unduly complicating installation) and give the user the option for keeping the inconsistency.
Assignee: nobody → kaie
Component: Security → Security: PSM
Product: Toolkit → Core
QA Contact: toolkit → psm
Per the thread "Unable to remove certificates permanently through options" in mozilla.dev.security.policy started today, the warning about inconsistency between the read-only NSS database and the user's database should appear whenever the user deletes a root certificate from the user's database and the corresponding certificate remains in the read-only NSS database.  Otherwise, the user will be misled into believing the certificate has indeed been deleted.  Note, however, there can be a good reason for such a deletion, which would restore the root certificate in the read-only NSS database as the one to be used.
Having read the newsgroup message "Root CAs in Add-ons" (Eddy Nigg, 03 Apr 2010 00:26:00 +0300, in mozilla.dev.security and policy,mozilla.dev.extensions), I suggest that the display of inconsistencies be generated whenever the user's certificate database changes.  This would alert the user to the possibility that malware has inserted a bogus root certificate.
(In reply to comment #2)
> This would alert the user to the possibility
> that malware has inserted a bogus root certificate.

Malware can do any number of things, such as attach a debugger to Firefox and cause it to skip the check.  You can't hope to defend against malware.
This might best be implemented in conjunction with bug 558222 since the
capability requested in that other RFE would be a useful option when resolving certificate inconsistencies.
Whiteboard: [psm-cert-manager]
Assignee: kaie → nobody
Certutil is of use only for Linux and possibly UNIX systems.  I am using Windows.
(In reply to comment #6)
> Certutil is of use only for Linux and possibly UNIX systems.  I am using
> Windows.

If you build NSS on Windows, you will get certutil, too.

You can use it with the console/terminal window.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
When you close a bug report as WontFix, PLEASE indicate why.  

As for comment #7, I am an end-user.  I was a computer programmer in the 1960s, but I then became a software tester.  Retired some 13 years now, I no longer "build" software.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Sorry for not explaining earlier. This bug is broadly specified and would require a significant amount of engineering effort to benefit only a few users. We won't be implementing this kind of feature in the foreseeable future. It may be appropriate as part of an add-on, however.

As for being able to obtain certutil, a prebuilt executable for Windows may be available in one of the zip files listed here: https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-release-win32/1461769032/
Status: REOPENED → RESOLVED
Closed: 5 years ago5 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.