Open Bug 797678 Opened 12 years ago Updated 2 years ago

Remove all certificate error overrides for a host when we successfully verify a certificate for a host

Categories: Core :: Security: PSM, enhancement, P3

People: Reporter: briansmith, Unassigned

Details: Keywords: ux-error-recovery, Whiteboard: [psm-backlog]

+++ This bug was initially created as a clone of Bug #795771 +++

One of the problems with our permanent certificate override feature is that it is very easy for the user to create a permanent override that persists even after the override isn't needed any more. If an attacker can convince a user to permanently override a certificate error for his bogus certificate, then he gains the ability to silently MITM the user forever.

If we were to remove the certificate override when we detect a valid certificate, then we'd be automatically undoing our mistake. That seems like a good thing.

I don't think I'm disagreeing yet, but how do you feel about the case where a laptop or mobile user adds an exception for a captive portal at their coffee shop, but the site otherwise presents a legit cert? Is that a case we want to care about?
I was thinking about the permanent certificate override yesterday, and thought there was a usability problem with it too. To frame what bsmith has said in user terms, the user has no way of easily remembering whether he has access to a site because he's added an exception for the certificate, or because the certificate is valid. 

Sure, we probably have some place we list exceptions (I'm not sure where), and I can't remember if we change the Site Indicator icon to some kind of warning icon, but these aren't very obvious indicators.

This bug might not be the right place to put it, but I've been thinking about design mechanisms to indicate that there's something not right with the site. I bring this up because maybe there are other ideas besides removing the certificate override.

One idea I had (a bit clunky, but a good starting point for a brainstorm), was whether we could change some part of the browser window to indicate that this wasn't quite your regular site. Something more significant than just an icon: maybe part of the browser chrome could turn yellow or something. Your theme could turn darker, as in "dark alley". I've been experimenting with how we might bring some real-world cues for "unsafe" into the digital world, without reducing them to mere icons.

Of course, the problem with this kind of approach is that it relies on the user to interpret the indicator and know what action to take. But I just wanted to let you guys in on some of my early thoughts :)

(In reply to Johnathan Nightingale [:johnath] from comment #1)
> I don't think I'm disagreeing yet, but how do you feel about the case where
> a laptop or mobile user adds an exception for a captive portal at their
> coffee shop, but the site otherwise presents a legit cert? Is that a case we
> want to care about?

We should not be showing the cert error override page for this case; that's bug 562917 + better UI for when we've detected the captive portal.

(In reply to Larissa Co from comment #2)
> One idea I had (a bit clunky, but a good starting point for a brainstorm),
> was whether we could change some part of the browser window to indicate that
> this wasn't quite your regular site. Something more significant than just an
> icon: maybe part of the browser chrome could turn yellow or something. Your
> theme could turn darker, as in "dark alley". I've been experimenting with
> how we might bring some real-world cues for "unsafe" into the digital world,
> without reducing them to mere icons.

I think making it more obvious that a certificate error override is in effect is a good idea. But, whether we want it to be indicating "warning" or whether we want it to be more neutral is something that requires more discussion. In some ways, our permanent certificate override mechanism is designed specifically to avoid blaring "warning" because (at the time it was designed) we thought that would be better for the cases we expected it to be used in.

Whiteboard: [psm-backlog]

(In reply to Johnathan Nightingale [:johnath] from comment #1)
> I don't think I'm disagreeing yet, but how do you feel about the case where
> a laptop or mobile user adds an exception for a captive portal at their
> coffee shop, but the site otherwise presents a legit cert? Is that a case we
> want to care about?

Maybe only automatically remove the certificate error override when it was not used for a certain amount of time, e.g. 1 month?

This means:
- A user added an exception for a host that was misconfigured and that host has since corrected the issue
  => the exception will be automatically removed after 1 month
- A user visited a misconfigured host and added an exception, and the host continues to be misconfigured
  => if the user doesn't visit the host for over 1 month the exception will automatically be removed; otherwise it stays
- A user was once in a network that intercepted the connection and the user added an exception
  => if the user doesn't use the network which intercepts the connection for over 1 month the exception will be removed; otherwise it stays

This would be a compromise between removing old probably unneeded exceptions and not annoying users that frequently switch networks (where some of them intercept connections).
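A small model of the two clean-up policies discussed in this bug (comment 0's "drop the override once the host presents a certificate that verifies" and the last comment's "drop overrides unused for a month"), added here as an illustration; it is not Firefox/PSM code, and the hostnames, fingerprints and day counts it uses are constructed.

```python
# Added example, not Firefox/PSM code: a constructed model of a per-host
# certificate error override store with the two clean-up policies discussed
# in this bug. Times are plain day counts so the model runs offline.
EXPIRY_DAYS = 30  # "1 month" in the comment above (assumed to mean 30 days)


class OverrideStore:
    def __init__(self):
        # host -> [accepted certificate fingerprint, day the override was last used]
        self._overrides = {}

    def add(self, host, fingerprint, today):
        """User clicks through the error page and stores a permanent override."""
        self._overrides[host] = [fingerprint, today]

    def on_connection(self, host, fingerprint, cert_verified, today):
        """Called after the handshake's certificate has been validated.
        Returns True if the connection may proceed without an error page."""
        if cert_verified:
            # Policy from comment 0: a certificate that verifies shows the
            # override is no longer needed, so drop it. This also undoes an
            # override the user was tricked into adding for a bogus cert.
            self._overrides.pop(host, None)
            return True
        entry = self._overrides.get(host)
        if entry is None or entry[0] != fingerprint:
            # No override, or the override was for a different certificate:
            # the error page is shown again instead of silently connecting.
            return False
        entry[1] = today  # override used: refresh its last-used day
        return True

    def prune_unused(self, today):
        """Policy from the last comment: drop overrides idle for > EXPIRY_DAYS.
        Returns the hosts whose overrides were removed."""
        stale = [h for h, (_, used) in self._overrides.items()
                 if today - used > EXPIRY_DAYS]
        for h in stale:
            del self._overrides[h]
        return sorted(stale)

    def has_override(self, host):
        return host in self._overrides
```

Running `prune_unused` periodically (e.g. at startup) gives the expiry behaviour, while `on_connection` handles the verify-then-remove case and refuses to reuse an override for a different certificate than the one accepted.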

Priority: -- → P3
Severity: normal → S3