Closed Bug 680008 Opened 13 years ago Closed 10 years ago

window.crypto.logout can be abused to DoS many aspects of the browser

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1030963

People

(Reporter: briansmith, Unassigned)

References

Details

(Keywords: sec-low, Whiteboard: [sg:low]) 

1. window.crypto.logout blows away the entire SSL session cache, even for sites unrelated to the current window. Instead, only the session cache entries relevant to the current window should be removed.

2. window.crypto.logout logs the user out of any/all PKCS#11 modules he is logged into. An open web page can abuse this to make Firefox unusable for any (other) site that uses SSL client authentication with smartcards. It may also be able to make Firefox unusable when a master password is used.

3. window.crypto.logout clears any temporary cert error overrides that the user has set. This should not happen.

4. window.crypto.logout clears all the settings for what client certificate to use by default for all websites, not just the site in the current window/tab. This should not happen.

5. window.crypto.logout seems to terminate every SSL connection in the browser. This could be used to DoS any SSL connection. In particular, this could be used to prevent browser updates from downloading. This should not be allowed.
Wow. Some work needed here...!

Gerv
Mostly a (really bad) sg:dos, but some of the logging-out could lead to people making attacker socially-influenced decisions on the reconnect.
Whiteboard: [sg:low]
Group: crypto-core-security
Group: crypto-core-security
This will be "fixed" when bug 1030963 lands.
Depends on: 1030963
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.