Open Bug 851707 Opened 9 years ago Updated 3 years ago
Do not surface the certificate manager in our UI
The certificate manager is immensely complicated, and allows people to shoot themselves in the foot in all sorts of interesting ways. We should not include it in our product, it should be an add-on for people who need it. (the possible exception is the personal certificate list)
(In reply to Alex Limi (:limi) — Firefox UX Team from comment #0)
> The certificate manager is immensely complicated, and allows people to shoot
> themselves in the foot in all sorts of interesting ways.

Which ways are those? This seems too broadly worded to know whether we've succeeded. We likely need to keep some form of certificate managing UI, though I agree it could be drastically cleaned up/simplified.
Some people (including me) think that CA pinning + HSTS + revocation negates the need for a CA UI. One bugaboo is that enterprise environments which MITM their users by policy need a way to manage this; otherwise certs will break for everyone in their network (https://bugzilla.mozilla.org/show_bug.cgi?id=800882#c6).
The personal certificate list is the thing that *definitely* should be removed. It is an easy case to make that we should just use the operating system's personal certificate store instead of our own.

I am the module owner of security/manager, which is where this stuff currently lives. Generally, I support the idea that we should remove this UI from the product. However, there are some features of this UI that should be moved to more sensible places or otherwise redone, instead of being outright removed. For example, if you add a certificate error exception, the only way to undo that is through the certificate manager UI. Instead, we should provide a different (and more discoverable) UI for undoing the exception.

There are a surprisingly large number of organizations that have their own CAs and/or use things like "Microsoft Threat Management Gateway." These products require the ability to add/remove custom CAs. And, because of something called "Strict Transport Security," the cert error override mechanism cannot really be used for this anymore, as was (is?) commonly done by users of Firefox. In fact, those kinds of use cases are why we will eventually have to have some (hopefully simpler and hidden) certificate manager UI for B2G and Fennec. Again, it is possible to delegate this to the operating system (except on B2G and probably Android), but that has a lot of implications regarding Mozilla's certificate policy, and so there are a lot of stakeholders there.

So, I think as far as "checkboxes that kill" goes, this is one of the harder items to pull off, both politically and technically. It doesn't mean that we shouldn't do it. I'm generally in favor of it, and have advocated it in the past in NSS/PSM team meetings.
Steve Gibson is relying on the hashes being accessible for his "fingerprinting" page, see https://www.grc.com/fingerprints.htm Please don't underestimate the backlash that would result from removing that accessibility.
Also, for example, if I want to generate an S/MIME cert for my email address to use it with the Bugzilla Secure Mail functionality, and I create that with StartSSL, the steps on their site make Firefox import the cert into its cert store (where I need it to be able to log into StartSSL in the future anyhow). Then I need to go to the certificate manager, export the cert with the "Backup" function and import it into e.g. Thunderbird so that the email client is able to decrypt the bugmails that come encrypted. So there are surely things for which the cert manager is needed and helpful.

Note that recently, we even added some cert management UI to Firefox for Android because people couldn't even add e.g. the CAcert root cert, which some people want/need, though.

I'm all for removing any footguns and/or making this UI less complicated, though.
Removing all kinds of advanced options for the sake of simplicity is overkill IMO. Regular Joes who don't understand it will likely never open the options anyway, let alone advanced options like this.