Closed Bug 474958 Opened 16 years ago Closed 16 years ago

consider not allowing web sites to silently install user certificates

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 251690

People

(Reporter: guninski, Unassigned)

Details

Attachments

(5 files, 3 obsolete files)

gen1.html - key generation and request
179 bytes, text/html
Details
Sample RSA keygen tag use showing form POST output
268 bytes, text/html
Details
Sample DSA keygen tag use WITH PQG params, showing POST
670 bytes, text/html
Details
Sample DSA keygen tag use WITHOUT PQG params, showing POST
269 bytes, text/html
Details
Sample EC keygen tag use showing form post output
295 bytes, text/html
Details 
visiting a web page may result in installing a user certificate.
the only signs of installation is a dialog "your certificate was installed |OK|" - the only active UI element is the OK button, no way to disallow it.

so this allows the user to have zero or more certificates in names like:
- psycho user
- obama
- laden

clearly this is at least a joke mocking the user, yet it may not be considered a joke in some parts of the world.

how to reproduce:
(don't have a fully automated cgi, it needs some manual steps).

1. the key generation is via
<keygen name="pubkey" challenge="">
in a form.
see gen1.html
2. the client generates key and sends a SPKAC request to the server
3. when one gets the SPKAC value create a request like:
SPKAC=$CLIENTVALUE
CN=psycho user
4. sign the request with openssl. assuming one have working openssl CA the command is:
openssl ca -config ./openssl.cnf -verbose -days 180 -notext -batch -spkac ./spak1.txt -out spaksign.pem
where spak1.txt is the result from step 3.
5. [4] produces a cert. serve the cert to the client with content type:
application/x-x509-user-cert
6. the cert is installed, user clicks the only button |ok|
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Group: core-security
Attached file Sample RSA keygen tag use (obsolete) — 
I'm attaching more samples to this bug.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: