Open Bug 803975 Opened 12 years ago Updated 2 years ago

Thunderbird promises to remember certificate selection, but doesn't

Categories

(Thunderbird :: Security, defect)

15 Branch
x86_64
Windows 7
defect

Tracking

(Not tracked)

REOPENED

People

(Reporter: tlhackque, Unassigned)

References

Details

(Whiteboard: dupme)

User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPDTDF; .NET4.0C; .NET4.0E)

Steps to reproduce:

Open TB and let it connect to IMAP servers that request a client X.509 certificate.   (I have several valid client certificates installed, though not all work with all servers.  I also use several servers.)

Under "Options->Advanced->Certificates", I have "ask me every time" selected, because the servers don't all send accurate "acceptable CAs" lists with their requests.



Actual results:

TB asks which certificate should be sent.  In some cases, I select a certificate for that server.  In others, I don't want a certificate sent, so I click Cancel.   (The server doesn't like the ones I have, but doesn't insist on receiving one).

In all cases, I check the "Remember this decision box".

TB does what it's told, BUT the next time I open TB, I get the certificate selection dialog again for each server.


Expected results:

a) TB should have remembered my choice -- including the "Cancel" choice to send no certificate -- across TB sessions.  An explicit "remember this decision for this server" checkbox should take priority over a general "ask every time".

b) It might be clearer if the dialog had an explicit "Don't send a certificate to this server" option, rather than "Cancel".

c) Once TB remembers these decisions, there needs to be a way (under account options server settings or security) to view and change/revoke them.

This still happens with TB 16.0.1

I have seen this situation when multiple servers are used behind a single DNS-name (for loadbalancing reasons), but some of them have different certificates installed.
Whiteboard: dupme
In my case, one IMAP server is on my LAN - it provides the same certificate every time.  My SMTP server also has exactly one server and one certificate.  It also re-prompts once/session.

Another IMAP server exhibiting this is a corporate IMAP server that only talks to me if I click "Cancel"; a certificate is optional, but if provided must be one that it likes (and I don't have on the TB machine).

In the case that Jo mentioned, the different server certificates would each have to cover the DNS name (e.g. be a wildcard or have alternative names).  I think that TB should remember my decision based on the DNS name - either I want to provide a client certificate to that *server* or I don't.  I shouldn't have to re-specify when the server's certificate is replaced (when it expires, or is revoked or upgraded or...)  

But even if TB remembers decisions based on the certificate of the requesting server, TB should actually remember my decision.  It currently does not - even in the simple case of the servers on my LAN, where there is no load-balancing or other trickery...

do you still see this
Component: Untriaged → Security
Flags: needinfo?(tlhackque)

I last saw this about 6 months ago.  I stopped using the corporate server at that time.  All my local servers use the same (user) certificate.  So it's possible that the issue arises when one has multiple servers, some of which share a (user) certificate and at least one other has a unique certificate requirement.

If that's the case, it would indicate that the certificate choice is somehow held per-user rather than per-server.  That would explain the multiple prompts.

In my case, the corporate server wanted a corporate-issued certificate; my local servers wanted a locally-issued one.  The corporate server requested, but didn't require a certificate.  My "cancel" decision wasn't remembered.

At the moment I don't have the ability to reproduce the previous environment.

I hope this helps.

> Under "Options->Advanced->Certificates", I have "ask me every time"
> selected, because the servers don't all send accurate "acceptable CAs" lists
> with their requests.
> 
> [...]
> 
> In all cases, I check the "Remember this decision box".
> 
> TB does what it's told, BUT the next time I open TB, I get the certificate
> selection dialog again for each server.
> 
> 
> Expected results:
> 
> a) TB should have remembered my choice -- including the "Cancel" choice to
> send no certificate -- across TB sessions.  An explicit "remember this
> decision for this server" checkbox should take priority over a general "ask
> every time".

I would guess that this dialog is inherited from the browser context.

When "Ask me every time" is checked (as a preference), does the Remember box (in the popup dialog) mean "Remember for this session"? That might make some sense in the browser context, and would justify that it is checked by default (which otherwise it shouldn't be), although note that passwords (in both browser and e-mail contexts) are ALWAYS remembered for the session.

What does it mean if "Ask me every time" is not checked?

Perhaps the wording of the Remember box (and even its existence in the "Ask me every time" case) should be reconsidered.

Should the scope of this bug be increased beyond Thunderbird?

> b) It might be clearer if the dialog had an explicit "Don't send a
> certificate to this server" option, rather than "Cancel".

Yes. I would be stronger: as a rule of interface semantics, the effect of Cancel should never depend on what selections have been made in the cancelled dialog; in particular, the Remember box should have no effect if Cancel is pressed; but we might want to remember the choice of no certificate.

> c) Once TB remembers these decisions, there needs to be a way (under account
> options server settings or security) to view and change/revoke them.

Again, is this also true beyond Thunderbird?

If the questions are directed to me, I don't have many answers.

I experienced the issue with thunderbird.  I don't know about its internals.

It seems to me that "I don't want to send a cert to this server" is something that I ought to be able to specify.  Permanently, or "just this time".

That capability doesn't seem to be there today.  I don't have a strong opinion on exactly how it should be offered in the UI; just that it should be possible.

As I noted, I no longer use the server that was giving me grief.

This ought to be fixed, but until some other server exhibits the behavior it's no longer impacting me.

As for "beyond thunderbird"; I could imagine a webserver behaving the same way ("Cert optional", user doesn't have an acceptable one).  I don't have a concrete example at hand.  If this is common code, yes, browsers should have the same capability.
Flags: needinfo?(tlhackque)

Can you test the behaviour with "Ask me every time" deselected?

Thanks for filing the bug. It looks like the requests here are already filed, so I'm going to make this bug a dupe of Bug 634697.

(In reply to tlhackque from comment #0)
> a) TB should have remembered my choice -- including the "Cancel" choice to
> send no certificate -- across TB sessions.

The component responsible for remembering client certs is shared, so the core issue being reported here affects e.g. Firefox as well (see Bug 634697).

> b) It might be clearer if the dialog had an explicit "Don't send a
> certificate to this server" option, rather than "Cancel".

I think I saw a bug filed for this somewhere already. I can't find it right now, sorry.

> c) Once TB remembers these decisions, there needs to be a way (under account
> options server settings or security) to view and change/revoke them.

Seems to already be filed as Bug 1074830.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Thanks for finding this.

I think for Thunderbird purposes it will help to keep this open until the core issue is fixed. Marking dependency.
Status: RESOLVED → REOPENED
Depends on: 634697
Ever confirmed: true
Resolution: DUPLICATE → ---

I'm seeing this on OSX Daily 48.0a1 (2016-03-28).

"ask me every time" selected

Platform -> All?

The dependency has been resolved but this is still happening by default because "Ask me every time" is selected by default instead of "Select one automatically," should the default be changed?

In the time this has been open, I've left the corporate world and don't deal with the corporate servers any more :-)

As for the default - it should be consistent with other places that request a certificate decision - e.g. Firefox. I think it was mentioned that the dialog is common.

Default is also ambiguous. For FF, there is a global option "select one automatically" or "ask every time", which is a default when accessing a new site. That's distinct from the default selection when a dialog comes up for a site. (Due to ask, or automatic fails.) I assume you mean the latter, since TB doesn't have (so far as I know) a global default.

My personal preference would be "Select one automatically", since that is likely to work for most people most of the time.

RE: .6-.7 - I do have examples of websites with "certificate optional" whose behavior is complicated. In one case, if you provide a certificate, you get admin privileges; if you don't you're an ordinary user. Thus, if you want to test the UI, you definitely need a "just this session" option.

In another case, you log in to get a new certificate. Consider a name or role change. Even if you have a certificate for the old name/role, you don't want to provide it so that you will go through the new certificate flow. If you end up with multiple roles (and certs), you need to select the correct one each time.

A third case is where you have a certificate that matches and is unexpired - but the server rejects it (perhaps revoked, which the client doesn't check). Here, you want to revoke the "remember this forever" decision.

For web sites, I handled this with the very awkward "solution" of multiple accounts on the client and/or using different browsers for different servers...

As in .0, I still conclude that for all platforms, the user choices ought to be "Select one automatically", "Use this one", "Don't send any" and, orthogonally, "just for this 'session'" or "remember this choice". And if remembered, there needs to be a UI option to "forget" and/or change that choice. "Server Settings" under "Security settings" when "TLS Certificate" is selected would seem to be a good place to see/update the remembered choice. (See bug 1657588, bug 1657591)

See Also: → 1657588, 1657591
Severity: normal → S3
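The "certificate optional" servers this thread keeps returning to (the inaccurate acceptable-CA lists in comment 0, the corporate server that only talks after Cancel, the admin-versus-user site above) are easiest to see at the TLS layer. The Go program below is an added example written for this page; it is not code from Thunderbird, NSS or this bug. It builds an in-memory PKI (two constructed client CAs named "Local CA" and "Corporate CA", a client certificate "alice", and a self-signed server certificate for the made-up name imap.example.test), starts a server that requests but does not require a client certificate, and dials it with a per-server remembered choice of the kind the summary above asks for: "Select one automatically", "Use this one", "Don't send any". The Policy map, the Mode names, the admin/user reply and the server addresses are assumptions of the example, not behaviour of any real product.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// Mode is the per-server choice: ModeAuto = "select one automatically" (offer our cert only if the server's
// acceptable-CA list names its issuer), ModeUseCert = "use this one", ModeSendNone = "don't send a certificate".
type Mode int
const ( ModeAuto Mode = iota; ModeUseCert; ModeSendNone )
type Policy map[string]Mode // hypothetical remembered-decision store keyed by host:port, not by server cert
type PKI struct { // constructed in-memory test certificates; no real CA or server is involved
	ClientCA, ServerCA *x509.CertPool
	Server, Client     tls.Certificate
}

// newCert issues a P-256 certificate for tmpl; a nil parentKey means self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, err }
	if parentKey == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return tls.Certificate{}, err }
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// NewPKI builds a client CA named caName, a client cert ("alice") it issued, and a self-signed server cert.
func NewPKI(caName string) (*PKI, error) {
	tmpl := func(serial int64, cn string, eku x509.ExtKeyUsage, dns []string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: dns,
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	}
	pool := func(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }
	caTmpl := tmpl(1, caName, x509.ExtKeyUsageClientAuth, nil)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	ca, err := newCert(caTmpl, nil, nil)
	if err != nil { return nil, err }
	client, err := newCert(tmpl(2, "alice", x509.ExtKeyUsageClientAuth, nil), ca.Leaf, ca.PrivateKey.(*ecdsa.PrivateKey))
	if err != nil { return nil, err }
	server, err := newCert(tmpl(3, "imap.example.test", x509.ExtKeyUsageServerAuth, []string{"imap.example.test"}), nil, nil)
	if err != nil { return nil, err }
	return &PKI{ClientCA: pool(ca.Leaf), ServerCA: pool(server.Leaf), Server: server, Client: client}, nil
}

// serve answers one connection; the role depends on whether a verified client cert was presented.
func serve(tc *tls.Conn) {
	defer tc.Close()
	if tc.Handshake() != nil { return } // e.g. the client offered a cert from a CA this server rejects
	role := "user"
	if pc := tc.ConnectionState().PeerCertificates; len(pc) > 0 { role = "admin:" + pc[0].Subject.CommonName }
	tc.Write([]byte(role))
}

// StartServer runs a "certificate optional" service: it requests a client certificate, advertises
// `acceptable` as the acceptable-CA list, and rejects any cert that does not chain to it.
func StartServer(p *PKI, acceptable *x509.CertPool) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{p.Server},
		ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: acceptable})
	if err != nil { return "", err }
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() { go serve(c.(*tls.Conn)) }
	}()
	return ln.Addr().String(), nil
}

// Connect dials addr and answers the server's CertificateRequest with the remembered choice for addr.
func Connect(addr string, p *PKI, pol Policy) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: p.ServerCA, ServerName: "imap.example.test",
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			if pol[addr] == ModeUseCert { return &p.Client, nil }
			if pol[addr] == ModeSendNone { return &tls.Certificate{}, nil } // empty cert = decline, handshake goes on
			for _, ca := range cri.AcceptableCAs { // DER issuer names from the server's CertificateRequest
				if bytes.Equal(ca, p.Client.Leaf.RawIssuer) { return &p.Client, nil }
			}
			return &tls.Certificate{}, nil // ModeAuto with nothing acceptable: decline rather than be rejected
		}})
	if err != nil { return "", err }
	defer conn.Close()
	reply, err := io.ReadAll(conn) // a cert the server rejects surfaces here (or in Dial) as an error
	return string(reply), err
}
func main() {
	p, _ := NewPKI("Local CA")
	addr, _ := StartServer(p, p.ClientCA)
	fmt.Println(Connect(addr, p, Policy{addr: ModeSendNone})) // the Cancel-equivalent: prints "user <nil>"
}
```

Two things the code makes concrete. Declining is an empty Certificate (GetClientCertificate returns &tls.Certificate{}), so the handshake continues and the server simply grants the unauthenticated role; that is why "send none" is a decision worth remembering rather than an aborted dialog. And the automatic choice keys on the issuer names the server lists in its CertificateRequest (cri.AcceptableCAs): against a server that advertises a list alice's issuer is not on, ModeAuto withholds the cert and gets "user", while forcing ModeUseCert there is rejected by the server, which is the corporate-server situation the reporter describes. The policy is keyed by host:port rather than by the server's certificate, matching the argument that the remembered choice should survive a server certificate rotation.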