Open Bug 665606 Opened 13 years ago Updated 2 years ago

[idea] Certificate abuse with root CA is too easy

Categories

(Firefox :: Security, enhancement)

enhancement

UNCONFIRMED

People

(Reporter: kevin, Unassigned)

Details

(Keywords: uiwanted)

User-Agent:       Mozilla/5.0 (X11; SunOS i86pc; rv:5.0) Gecko/20100101 Firefox/5.0
Build Identifier: Mozilla/5.0 (X11; SunOS i86pc; rv:5.0) Gecko/20100101 Firefox/5.0

With all recent builds of Firefox, tricking a user into accepting a self-signed certificate is quite a hassle. There is the familiar two-step process of the warning page (http://cmi0814604.student.cmi-hro.nl/mozilla/ff5certwarn1.jpg) and the confirmation page (http://cmi0814604.student.cmi-hro.nl/mozilla/ff5certwarn2.jpg). 

The user is given a clear explanation about the dialog, and the user therefore is aware of the consequences of adding such an exception.

When pushing a root CA to a client, this situation changes. Users are confronted with a minimal dialog (as can be seen here: http://cmi0814604.student.cmi-hro.nl/mozilla/ff5rootca.jpg). Of course, the more technical people will know they are doing something potentially disastrous, but this won't be the case with the average computer user. They will, most likely, not understand what this is about. 

When a user is, for example, connected to some open access point, it regularly happens that there is some kind of "guidelines" page telling the user about the rules of the hotspot. When this concerns a rogue access point, a potential attacker can use such a page with instructions on how to add a self-signed certificate (with a fancy issuer name) to the Firefox installation.

My guess is that most users would blindly accept this claim, and therefore have lost a lot of the protection of certificates. The rogue access point can generate certificates for every website that's visited, and they will all be accepted by the client. 

This hypothesis seems to be supported by asking around with some non-technical people around me. I figured this should at least be discussed here at Mozilla, so here's the idea. 

Reproducible: Always

And I still forgot the conclusion of my little argumentation. Why isn't there a clearer warning to the end user when a root certificate is added? It seems to me that a larger warning than with a single certificate is in place, given the consequences of accepting a new root CA.
Severity: normal → S3
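The scope difference the reporter is pointing at can be made concrete with OpenSSL. The following script is an added example, not part of the bug report and not Mozilla code: it builds a constructed root ("Hotspot Guidelines Root") and two server certificates signed by it for the constructed hostnames shop.example and bank.example, then compares two trust decisions. A per-site exception (what the two-step warning page grants) pins one certificate's fingerprint, so a certificate for a second host is not covered. Installing the root (what the minimal root CA dialog grants) makes every certificate the root ever signs validate, for any hostname, which is why that dialog deserves the stronger warning. The function names and the temporary-directory layout are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): per-site exception vs. trusted root.
# All names, hostnames and files below are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A self-signed root, standing in for the "fancy issuer name" root a hotspot page
# might ask the user to import. openssl req -x509 marks it CA:TRUE by default.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" \
  -subj "/CN=Hotspot Guidelines Root (constructed)" >/dev/null 2>&1

# issue_leaf HOST: a server certificate for HOST signed by that root.
# Prints the path of the resulting PEM file.
issue_leaf() {
  host=$1
  openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/$host.key" \
    -out "$WORK/$host.csr" -subj "/CN=$host" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 1 -sha256 \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.pem" >/dev/null 2>&1
  printf '%s\n' "$WORK/$host.pem"
}

# root_trusted_accepts CERT HOST: chain + hostname validation as a client does
# once the root is installed. Succeeds for any host the root signs a cert for.
root_trusted_accepts() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/root.pem" \
    -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# untrusted_accepts CERT HOST: the same validation without the root installed,
# i.e. the case that triggers the familiar two-step warning page.
untrusted_accepts() {
  openssl verify -no-CAfile -no-CApath -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# fingerprint CERT: SHA-256 fingerprint, the value a per-site exception pins.
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# exception_accepts PINNED_FP CERT: a per-site exception only matches the exact
# certificate the user was shown, so a new cert for another host is not covered.
exception_accepts() {
  [ "$(fingerprint "$2")" = "$1" ]
}

SHOP=$(issue_leaf shop.example)
BANK=$(issue_leaf bank.example)
PINNED=$(fingerprint "$SHOP")   # the user accepted an exception for shop.example only

# report CMD ARGS...: print the outcome of one trust decision without aborting.
report() {
  if "$@"; then echo "accepted: $*"; else echo "rejected: $*"; fi
}
report untrusted_accepts "$SHOP" shop.example        # rejected: root not trusted
report root_trusted_accepts "$SHOP" shop.example     # accepted
report root_trusted_accepts "$BANK" bank.example     # accepted: root covers every host
report exception_accepts "$PINNED" "$SHOP"           # accepted: the pinned cert
report exception_accepts "$PINNED" "$BANK"           # rejected: exception is per-cert
```

Run it with a 1.1.1 or newer OpenSSL; the only state it leaves behind is removed by the EXIT trap. The last three lines are the point: an exception covers exactly one certificate, while the imported root turns every certificate it later signs into a valid one for the client.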