Firefox does not compare the system date against a minimum constant value when using SSL

RESOLVED DUPLICATE of bug 783757

Status

Product: Core Graveyard
Component: Security: UI
Opened: 5 years ago
Updated: a year ago

People

(Reporter: Johannes Roith, Unassigned)

Tracking

Trunk
x86
Mac OS X

Firefox Tracking Flags

(Not tracked)

Details

Description

5 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.10 Safari/537.11

Steps to reproduce:

My mom couldn't log into Google Mail and I tried to figure out the problem on the phone. It took 10 minutes until I finally figured out that the system date was set to a decade in the past.


Actual results:

The normal SSL error information appeared, probably with unhelpful information.


Expected results:

Firefox builds should embed a constant value that is generated at build time to define the date when the build was created. The system date should be compared against that value. If it is at least a few days older, the SSL error dialog should give a clear warning "Your system date is set to a date in the past!".

Furthermore, the way things are done currently seems to make an attack possible where the attacker resets the time using NTP in order to use expired SSL certificates?! So maybe, the check against the constant value should be performed always and Firefox should block all SSL connections.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 783757
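
The check proposed in the description, sketched as an added example (not Firefox code and not part of the original report). It treats the build timestamp as a lower bound on real time, so it can both explain a validity error caused by a wrong clock and reject a certificate that only looks valid because the clock was set back. All names, the build timestamp and the three-day tolerance are assumptions.

```cpp
#include <cstdint>

// Hypothetical names throughout; times are seconds since the Unix epoch (UTC).
// Constructed build-time constant: 2012-10-01T00:00:00Z.
constexpr int64_t kBuildTime = 1349049600;
// "A few days" of slack, as the report suggests; the exact value is assumed.
constexpr int64_t kTolerance = 3 * 24 * 60 * 60;

enum class TimeVerdict {
  Valid,               // clock plausible, certificate inside its validity window
  NotYetValid,         // clock plausible, notBefore is still in the future
  Expired,             // clock plausible, notAfter has passed
  ClockBehindBuild,    // clock predates the build: warn about the system date
  ExpiredDespiteClock  // clock predates the build and the cert expired before it
};

struct Validity {
  int64_t notBefore;
  int64_t notAfter;
};

// True when the system clock is older than the build by more than the slack.
bool clockPredatesBuild(int64_t now) {
  return now < kBuildTime - kTolerance;
}

TimeVerdict classify(const Validity& v, int64_t now) {
  if (clockPredatesBuild(now)) {
    // Real time is at least kBuildTime, so a certificate whose notAfter is
    // earlier than the build is expired no matter what the clock claims.
    if (v.notAfter < kBuildTime) {
      return TimeVerdict::ExpiredDespiteClock;
    }
    // Otherwise the window cannot be judged; the useful message is
    // "your system date is set to a date in the past".
    return TimeVerdict::ClockBehindBuild;
  }
  if (now < v.notBefore) return TimeVerdict::NotYetValid;
  if (now > v.notAfter) return TimeVerdict::Expired;
  return TimeVerdict::Valid;
}
```
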
Updated

a year ago
Product: Core → Core Graveyard