Closed Bug 680008 Opened 10 years ago Closed 7 years ago
window.crypto.logout can be abused to DoS many aspects of the browser
1. window.crypto.logout blows away the entire SSL session cache, even for sites unrelated to the current window. Instead, only the session cache entries relevant to the current window should be removed.

2. window.crypto.logout logs the user out of any/all PKCS#11 modules he is logged into. An open web page can abuse this to make Firefox unusable for any (other) site that uses SSL client authentication with smartcards. It may also be able to make Firefox unusable when a master password is used.

3. window.crypto.logout clears any temporary cert error overrides that the user has set. This should not happen.

4. window.crypto.logout clears all the settings for what client certificate to use by default for all websites, not just the site in the current window/tab. This should not happen.

5. window.crypto.logout seems to terminate every SSL connection in the browser. This could be used to DoS any SSL connection. In particular, this could be used to prevent browser updates from downloading. This should not be allowed.
Wow. Some work needed here...! Gerv
Mostly a (really bad) sg:dos, but some of the logging-out could lead to people making attacker socially-influenced decisions on the reconnect.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1030963