Open Bug 994981 Opened 6 years ago Updated 4 years ago

certificate override manager has multiple usability issues with certificates that could act as CAs

(Core :: Security: PSM, defect, P3)

(Reporter: dsarratt, Unassigned)

(Whiteboard: [psm-backlog])

Visiting an HTTPS page with a self-signed certificate presents the user with a dialog to add a security exception. If the user chooses to add a permanent exception, and the certificate constraints say it is a Certificate Authority, Firefox will add the certificate as a trusted CA. I have confirmed this behaviour on both FF 28.0 on OSX 10.7.5 and FF 7.0.1 on WinXP.

It should not be possible to add a new CA unintentionally, and the exception dialog does not make it clear that the certificate is being trusted as a CA. Accepting any certificate in this manner should accept it only as a website identifier, not a CA.

Steps to reproduce:
1. Create a self-signed certificate with constraints allowing it as a CA.
2. Host an HTTPS website using this certificate.
3. Visit the page using Firefox, and add a permanent security exception for the certificate.
4. Go to Preferences -> Certificates -> View Certificates -> Authorities, and note that the self-signed certificate is now in the list of CAs.
Actual results: The certificate is permanently added to identify the server and as a CA.

Expected results: The certificate is permanently added to identify the server, but is not added as a CA.

David, Camilo, the problem as described seems really serious and we should treat it as such until we know otherwise. However, I doubt the problem is actually that serious. I suspect the problem is that the UI is confusing, not that we actually trust the certificate as a CA certificate. However, we need to verify this. Unfortunately, I will be unavailable to work on this until Monday at the earliest. Can one of you take it?
Severity: minor → major
Component: Security → Security: PSM
Flags: needinfo?(dkeeler)
Flags: needinfo?(cviecco)
Priority: -- → P1
Product: Firefox → Core

I can have a look.
Flags: needinfo?(dkeeler)

As suspected, this is a UI problem (well, more like many UI problems). The first issue is that, yes, the certificate manager identifies the certificate as potentially a CA, and so it displays it in the list of known CAs. The second issue is that that list gives no immediate indication that the CA cert in question is not trusted to issue other certificates (click "Edit Trust..." with that certificate selected - none of those boxes were checked when I reproduced this issue). Indeed, when I generated a certificate signed by the first certificate, Firefox did not trust it and presented the untrusted certificate dialog again. Another issue I noticed is that the Server tab in the certificate manager seems to think the certificate for the override hasn't been stored (I suspect because it thinks it's a CA cert, not an end-entity cert). I'm updating the summary to more accurately describe what I understand the problem to be.
Summary: Adding a permanent exception for a self-signed certificate will implicitly accept it as CA → certificate override manager has multiple usability issues with certificates that could act as CAs
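The certificate from step 1 of the report, plus the signing check from the comment above, as an added openssl reproducer (my own example, not part of the bug report, the comments or Firefox). The hostnames, file names and the CA:TRUE/CA:FALSE pair are assumptions. It shows that the basicConstraints flag is the only thing that makes the self-signed cert CA-capable, and that a cert it signs verifies only when the self-signed cert is actually installed as a trust anchor, which is the trust the Firefox override was found not to grant.

```shell
#!/bin/sh
# Added reproducer (not from the bug report or Firefox): build the certificate
# described in step 1 with openssl, then use openssl verify to see what trusting
# it as a CA would or would not allow. Names and paths are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Two extension sections: the CA-capable shape from step 1, and the shape a
# self-signed server cert should normally have. The hostname is made up.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = selfsigned.example.test
[ca_true]
basicConstraints = critical,CA:TRUE
subjectAltName = DNS:selfsigned.example.test
[ca_false]
basicConstraints = critical,CA:FALSE
subjectAltName = DNS:selfsigned.example.test
EOF

# $1 = file prefix, $2 = extension section: self-signed cert and key (step 1).
make_selfsigned() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/req.cnf" -extensions "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Prints the cert's basicConstraints value, e.g. CA:TRUE (step 4, in openssl terms).
basic_constraints() {
    openssl x509 -in "$WORK/$1.pem" -noout -text \
        | grep -A1 'Basic Constraints' | tail -n 1 | tr -d ' '
}

# $1 = issuer prefix, $2 = leaf prefix: a server cert signed with the issuer's key,
# the same kind of cert dkeeler generated to check whether Firefox would trust it.
make_leaf_signed_by() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/req.cnf" -subj "/CN=leaf.example.test" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -sha256 -days 30 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# Succeeds only if $2 chains to a trust store that contains just $1.
verifies_against() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# Builds everything and returns 0 when the outcomes match the discussion:
# a leaf signed by the CA:TRUE cert verifies once that cert is a trust anchor,
# a CA:FALSE cert cannot act as an issuer even when it is the trust anchor,
# and a leaf never verifies against a cert that did not sign it.
demo() {
    make_selfsigned ca_true ca_true
    make_selfsigned ca_false ca_false
    make_leaf_signed_by ca_true leaf_of_true
    make_leaf_signed_by ca_false leaf_of_false
    echo "ca_true  basicConstraints: $(basic_constraints ca_true)"
    echo "ca_false basicConstraints: $(basic_constraints ca_false)"
    verifies_against ca_true leaf_of_true
    ! verifies_against ca_false leaf_of_false
    ! verifies_against ca_true leaf_of_false
}

demo

# Step 2 of the report, serving the CA:TRUE cert (foreground; stop with Ctrl-C):
#   openssl s_server -accept 8443 -www -cert "$WORK/ca_true.pem" -key "$WORK/ca_true.key"
```

Point a browser at the s_server instance, add the permanent exception, and then repeat the verify step with the leaf served instead: the override should let the self-signed cert identify that one host, while the leaf is still rejected unless the self-signed cert has been explicitly granted CA trust.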

Then this is not as bad as it appeared. Adjusting criticality.
Severity: major → normal
Flags: needinfo?(cviecco)
Priority: P1 → P2

Backlog => P3
Priority: P2 → P3