Closed Bug 577689 Opened 14 years ago Closed 11 years ago

Do not store intermediate CAs in private browsing mode

Categories

(Firefox :: Private Browsing, defect)

x86
macOS
defect
Not set
normal

RESOLVED DUPLICATE of bug 769288
Tracking Status
status2.0 --- ?

People

(Reporter: ehsan.akhgari, Assigned: ehsan.akhgari)

Details

(Keywords: privacy, Whiteboard: [pb-paper])

Intermediate CAs downloaded in Private Mode for X.509 chain verification are still in the cert8.db after exiting Private Browsing Mode.  They shouldn't be!
So, I'm not sure where the code responsible for caching lives.  If one of you guys can show me where the code lives, I'm willing to write a patch!  :-)

Thanks!
It could be here, but not sure:
http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSComponent.cpp#3231, at least see where it gets called from if you have a test case.
(In reply to comment #2)
> It could be here, but not sure:
> http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSComponent.cpp#3231,
> at least see where it gets called from if you have a test case.

No, that code is for importing certs that you download as web content and with a certificate mime type.

What you want is the place where we look at certificate chains during an SSL handshake.

File nsNSSCallbacks.cpp, function AuthCertificateCallback:

        // We have found a signer cert that we want to remember.
        nsCAutoString nickname;
        nickname = nsNSSCertificate::defaultServerNickname(node->cert);
        if (!nickname.IsEmpty()) {
          PK11SlotInfo *slot = PK11_GetInternalKeySlot();
          if (slot) {
            PK11_ImportCert(slot, node->cert, CK_INVALID_HANDLE, 
                            const_cast<char*>(nickname.get()), PR_FALSE);
            PK11_FreeSlot(slot);
          }
        }

CCing johnath.
Whiteboard: [pb-paper]
Is that a problem yet? Does anyone know how to reproduce that?
http://hg.mozilla.org/mozilla-central/annotate/bcbe93f41547/security/manager/ssl/src/SSLServerCertVerification.cpp#l997
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
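
One way to check for the behaviour reported in this bug, as an added example that is not part of the original thread or Mozilla's code: compare two `certutil -L` listings of the profile's certificate database, taken before and after a private browsing session, and print the nicknames that only appear afterwards. It assumes the NSS `certutil` tool can open the profile database; the function names and the embedded sample listings are constructed for illustration.

```sh
# Added example (not from the bug thread). Function names are hypothetical.
# Assumes NSS certutil can open the profile's certificate database.

# Dump the certificate listing of a profile directory.
snapshot() { certutil -L -d "$1"; }

# Reduce `certutil -L` output to bare nicknames: drop the two header lines
# and blank lines, then strip the trailing trust column ("CT,C,C", ",,").
nicknames() {
  sed -E -e '/^Certificate Nickname/d' \
         -e '/^[[:space:]]*SSL,S\/MIME/d' \
         -e '/^[[:space:]]*$/d' \
         -e 's/[[:space:]]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[[:space:]]*$//' |
    LC_ALL=C sort -u
}

# Print nicknames present in the second listing but not in the first.
new_entries() {
  tmp=$(mktemp -d) || return 1
  nicknames < "$1" > "$tmp/before"
  nicknames < "$2" > "$tmp/after"
  LC_ALL=C comm -13 "$tmp/before" "$tmp/after"
  rm -rf "$tmp"
}

# Offline demonstration on two constructed listings.
demo() {
  d=$(mktemp -d) || return 1
  cat > "$d/before.txt" <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Constructed Root CA                                          CT,C,C
EOF
  cat > "$d/after.txt" <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Constructed Root CA                                          CT,C,C
Constructed Intermediate CA - Example Org                    ,,
EOF
  new_entries "$d/before.txt" "$d/after.txt"
  rm -rf "$d"
}

# Usage: script.sh before.txt after.txt
if [ "$#" -eq 2 ]; then new_entries "$1" "$2"; fi
```

With Firefox closed, save `snapshot "$PROFILE"` to a file before and after the private session (`$PROFILE` is a placeholder for the profile directory), then pass both files to `new_entries`. Any nickname it prints was written to the database during that session.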