Closed Bug 883682 Opened 7 years ago Closed 7 years ago

Test EV certificate is enabled for EV outside of testing

Categories

(Core :: Security: PSM, defect)


RESOLVED FIXED
mozilla24
Tracking Status
firefox23 + fixed
firefox24 + fixed
firefox-esr17 --- wontfix
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- unaffected

People

(Reporter: briansmith, Assigned: cviecco)

Details

(Keywords: sec-moderate, Whiteboard: [adv-main23-])

Attachments

(1 file)

When we added the test EV certificate in bug 864633, we were supposed to make it so that the test EV certificate is enabled only when an environment variable is set, and then change the test suite so that that environment variable is set.

However, it seems we forgot to add all the stuff regarding the environment variable. Consequently, we seem to be giving EV status to the test certificate when we shouldn't.

Since that landed in mozilla23, the fix for this bug will also have to be uplifted to mozilla23.

sec-moderate based on dveditz's re-rating of other address bar spoofing bugs I've rated previously.
Proposal 1: put ev only for debug builds (notice that users still need to add the cert)
Attachment #770480 - Flags: review?(brian)
Comment on attachment 770480 [details] [diff] [review]
disable for non-debug

Review of attachment 770480 [details] [diff] [review]:
-----------------------------------------------------------------

I r+d this because we need a simple patch to uplift to -aurora and -beta.

We should figure out a real solution to this that lets us test the EV functionality in release builds too, by using an environment variable or similar to enable/disable the EV trust for the test cert.
Attachment #770480 - Flags: review?(brian) → review+
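
The two gates discussed in this bug, shown as an added sketch that is not PSM's code and not part of any comment here: a test-only EV root that confers EV status only when a gate is open, with a debug-build gate and an environment-variable gate. The table layout, the function names, the variable name `EV_TEST_ROOT_ENABLED` and all fingerprint and OID strings are assumptions made up for the example.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>

// Constructed stand-in for an EV root table; every name and value is hypothetical.
struct EvRoot {
    std::string fingerprint;  // placeholder, not a real certificate hash
    std::string policyOid;    // placeholder, not a real policy OID
    bool testOnly;            // true for roots that exist only for the test suite
};

static const std::vector<EvRoot> kEvRoots = {
    {"FP-PLACEHOLDER-PRODUCTION-ROOT", "OID-PLACEHOLDER-PRODUCTION", false},
    {"FP-PLACEHOLDER-TEST-ROOT", "OID-PLACEHOLDER-TEST", true},
};

// Gate in the spirit of the "disable for non-debug" patch: debug builds only.
bool TestRootsAllowedByBuild(bool debugBuild) { return debugBuild; }

// Gate in the spirit of the proposed follow-up: explicit opt-in by the test
// harness. The variable name is an assumption; only the exact value "1" enables.
bool TestRootsAllowedByEnv() {
    const char* v = std::getenv("EV_TEST_ROOT_ENABLED");
    return v != nullptr && std::strcmp(v, "1") == 0;
}

// A root confers EV only if it is in the table with a matching policy OID and,
// for test-only entries, the caller-supplied gate is open. Fails closed.
bool IsEvRoot(const std::string& fp, const std::string& oid, bool allowTestRoots) {
    for (const EvRoot& r : kEvRoots) {
        if (r.fingerprint != fp || r.policyOid != oid) continue;
        return !r.testOnly || allowTestRoots;
    }
    return false;
}

int main() {
    const bool gate = TestRootsAllowedByEnv();
    std::printf("test root EV (env gate): %d\n",
                IsEvRoot("FP-PLACEHOLDER-TEST-ROOT", "OID-PLACEHOLDER-TEST", gate));
    std::printf("production root EV: %d\n",
                IsEvRoot("FP-PLACEHOLDER-PRODUCTION-ROOT", "OID-PLACEHOLDER-PRODUCTION", gate));
    return 0;
}
```
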
Can we get uplift nomination for this beta/aurora simplified patch?
Flags: needinfo?(cviecco)
Merged to Central

https://hg.mozilla.org/mozilla-central/rev/77a5ea5dc277
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Flags: needinfo?(cviecco)
Resolution: --- → FIXED
Comment on attachment 770480 [details] [diff] [review]
disable for non-debug

[Approval Request Comment]
This is a potential security issue for users as it is possible to import a test certificate key and have it displayed as EV verified. 

Bug caused by (feature/regressing bug #): This was caused by a test in bug 864633 where to test that we actually display EV when needed.

User impact if declined: If declined, an attacker that tricks the user into installing the test certificate can have certs shown as EV signed by 'Mozilla - EV debug test CA'.

Testing completed (on m-c, etc.): Yes, landed on central.
Risk to taking this patch (and alternatives if risky): Not much, this patch just removes an entry in a list.

String or IDL/UUID changes made by this patch: None needed.
Attachment #770480 - Flags: approval-mozilla-aurora?
Comment on attachment 770480 [details] [diff] [review]
disable for non-debug

[Triage Comment]
We need this on Beta too - please re-nom if this patch doesn't apply cleanly and a different patch is needed.
Attachment #770480 - Flags: approval-mozilla-beta+
Attachment #770480 - Flags: approval-mozilla-aurora?
Attachment #770480 - Flags: approval-mozilla-aurora+
Whiteboard: [adv-main23-]
Group: crypto-core-security → core-security
Group: core-security