Bug 668362 - Clearing SSL state without restarting session
Status: NEW (Firefox :: Security, defect)
Opened 13 years ago; updated 2 years ago
Reporter: Ricmacas; Unassigned
Regarding this question: https://support.mozilla.com/en-US/questions/843315, it is possible that Firefox doesn't offer an option to clear the SSL state without resorting to a restart. I've thought of trying to use the "Active Logins" option under Clear Recent History to solve this issue, but I personally cannot verify this issue because I don't have access to any PKI-enabled website. However, after a brief conversation with dolske, it was suggested that I file this bug. I've also been told by zzxc that he does not have any idea if there's any way to clear current SSL authentication tokens.
Comment 1•13 years ago
Ehsan, do you know if we clear (or otherwise disable) client certs when in private browsing mode? One interesting quirk here is that Clear Private Data will log out of the default security token (aka softtoken), in order to clear the "master password" state. We don't iterate over other tokens, though, so a smartcard in another slot would presumably stay logged in and active.
Comment 2•13 years ago
I can still ask the person to test, just to check if it would stay logged in and active.
Comment 3•13 years ago
(In reply to comment #1)
> Ehsan, do you know if we clear (or otherwise disable) client certs when in
> private browsing mode?

No, we don't (see bug 475881). We can't really do that either (see bug 475881 comment 9). Why is that important here though?

> One interesting quirk here is that Clear Private Data will log out of the
> default security token (aka softtoken), in order to clear the "master
> password" state. We don't iterate over other tokens, though, so a smartcard
> in another slot would presumably stay logged in and active.

I don't know much about this unfortunately.
Comment 4•13 years ago
(In reply to comment #3)
> > Ehsan, do you know if we clear (or otherwise disable) client certs when in
> > private browsing mode?
>
> No, we don't (see bug 475881). We can't really do that either (see bug
> 475881 comment 9). Why is that important here though?

Hmm, I phrased that poorly. The situation I'm wondering about is if you connect to https://bank.com and authenticate with a client certificate, then start private browsing, and then go to https://bank.com again. Are you still authenticated? Should you be? I actually don't know what currently happens here (even if you do that without starting private browsing in between).
Updated•11 years ago
Component: General → Security
Updated•2 years ago
Severity: normal → S3