Open Bug 668362 Opened 13 years ago Updated 2 years ago

Clearing SSL state without restarting session

Categories: Firefox :: Security (defect)

People: Reporter: Ricmacas, Unassigned

Regarding this question: https://support.mozilla.com/en-US/questions/843315, it is possible that Firefox doesn't offer an option to clear the SSL state without resorting to a restart.
I've thought of trying to use the "Active Logins" option under Clear Recent History to solve this issue, but I personally cannot verify this issue because I don't have access to any PKI-enabled website. However, after a brief conversation with dolske, it was suggested that I file this bug.
I've also been told by zzxc that he does not have any idea if there's any way to clear current SSL authentication tokens.

Ehsan, do you know if we clear (or otherwise disable) client certs when in private browsing mode?

One interesting quirk here is that Clear Private Data will log out of the default security token (aka softtoken), in order to clear the "master password" state. We don't iterate over other tokens, though, so a smartcard in another slot would presumably stay logged in and active.
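The quirk above, as an added example that is not part of this bug or of Firefox's own code: a privileged-JS routine that walks every PKCS#11 module and slot and logs out each logged-in token, contrasted with the softtoken-only logout the comment describes. It assumes the array-returning shape of Firefox's nsIPKCS11ModuleDB.listModules(), nsIPKCS11Module.listSlots(), nsIPKCS11Slot.getToken(), nsIPK11TokenDB.getInternalKeyToken() and nsIPK11Token.isLoggedIn()/logoutAndDropAuthenticatedResources(); the module DB, module names and the "Example PIV card" token are constructed fakes so the code runs stand-alone outside the browser, and the null return from getToken() for an empty reader is how the fake models an absent card (real code would consult nsIPKCS11Slot.status).

```javascript
// Added example, not Firefox code. Assumed interface shapes (see lead-in):
//   moduleDB.listModules() -> [module]; module.listSlots() -> [slot];
//   slot.getToken() -> token | null; moduleDB.getInternalKeyToken() -> token;
//   token.isLoggedIn(), token.logoutAndDropAuthenticatedResources().
// In privileged Firefox code the real objects would come from
//   Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(Ci.nsIPKCS11ModuleDB)
//   Cc["@mozilla.org/security/pk11tokendb;1"].getService(Ci.nsIPK11TokenDB)

// What the comment says Clear Private Data does today: only the internal
// softtoken is logged out, so a smartcard in another slot stays active.
function logoutInternalOnly(tokenDB) {
  const token = tokenDB.getInternalKeyToken();
  if (!token.isLoggedIn()) return [];
  token.logoutAndDropAuthenticatedResources();
  return [token.tokenName];
}

// The fix the comment implies: iterate every module and slot and log out
// each token that is currently logged in, dropping cached client-auth state.
function logoutAllTokens(moduleDB) {
  const loggedOut = [];
  for (const module of moduleDB.listModules()) {
    for (const slot of module.listSlots()) {
      const token = slot.getToken();
      if (!token) continue;               // fake models an empty reader as null
      if (!token.isLoggedIn()) continue;  // nothing to clear
      token.logoutAndDropAuthenticatedResources();
      loggedOut.push(`${module.name}/${token.tokenName}`);
    }
  }
  return loggedOut;
}

// Constructed fake token: remembers its own logged-in state.
function makeFakeToken(name, loggedIn) {
  return {
    tokenName: name,
    isLoggedIn() { return loggedIn; },
    logoutAndDropAuthenticatedResources() { loggedIn = false; },
  };
}

// Constructed fake module DB: the NSS internal module holding the softtoken,
// plus a hypothetical smartcard module with one empty reader and one card.
// It doubles as the token DB (getInternalKeyToken) for the contrast function.
function makeFakeModuleDB() {
  const softtoken = makeFakeToken("NSS Certificate DB", true);
  const card = makeFakeToken("Example PIV card", true);
  const modules = [
    {
      name: "NSS Internal PKCS #11 Module",
      listSlots() {
        return [{ name: "NSS User Private Key and Certificate Services",
                  getToken() { return softtoken; } }];
      },
    },
    {
      name: "Example smartcard module",
      listSlots() {
        return [
          { name: "Reader 0", getToken() { return null; } },
          { name: "Reader 1", getToken() { return card; } },
        ];
      },
    },
  ];
  return {
    listModules() { return modules; },
    getInternalKeyToken() { return softtoken; },
    softtoken,
    card,
  };
}

// Stand-alone demonstration of the difference.
const dbBefore = makeFakeModuleDB();
console.log("softtoken only:", logoutInternalOnly(dbBefore),
            "card still logged in:", dbBefore.card.isLoggedIn());
const dbAfter = makeFakeModuleDB();
console.log("all tokens:", logoutAllTokens(dbAfter),
            "card still logged in:", dbAfter.card.isLoggedIn());
```

Against the fake, the softtoken-only path leaves the card logged in, which is exactly the state a user would see when "clearing" private data while a smartcard session is still open.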

I can still ask the person to test, just to check if it would stay logged in and active.

(In reply to comment #1)
> Ehsan, do you know if we clear (or otherwise disable) client certs when in
> private browsing mode?

No, we don't (see bug 475881).  We can't really do that either (see bug 475881 comment 9).  Why is that important here though?

> One interesting quirk here is that Clear Private Data will log out of the
> default security token (aka softtoken), in order to clear the "master
> password" state. We don't iterate over other tokens, though, so a smartcard
> in another slot would presumably stay logged in and active.

I don't know much about this unfortunately.

(In reply to comment #3)

> > Ehsan, do you know if we clear (or otherwise disable) client certs when in
> > private browsing mode?
> 
> No, we don't (see bug 475881).  We can't really do that either (see bug
> 475881 comment 9).  Why is that important here though?

Hmm, I phrased that poorly.

The situation I'm wondering about is if you connect to https://bank.com and authenticate with a client certificate, then start private browsing, and then go to https://bank.com again. Are you still authenticated? Should you be?

I actually don't know what currently happens here (even if you do that without starting private browsing in between).

Component: General → Security
Severity: normal → S3