Closed Bug 1106128 Opened 10 years ago Closed 9 years ago

FF/etc. add all CA certs that they encounter to their CA store (though they don't trust them)

Categories

(Core :: Security: PSM, enhancement)

Type: enhancement, Priority: Not set, Severity: normal


RESOLVED DUPLICATE of bug 733232

People

(Reporter: calestyo, Unassigned)

Details

Apparently, Firefox, Thunderbird and friends add any certificate they encounter (during browsing, etc.) which is a certificate authority to their CA store, regardless of whether there is a higher level CA which is already trusted(!) or not.

These certs/CAs show up in the "Software Security Device" and are not trusted(!).


So the issue is not really a security issue, but it completely clutters up the CA store with all kinds of CAs which aren't trusted anyway:

- either not trusted at all (since they're a top-root CA and not trusted, or since they have no higher level CA which is trusted)

- or not explicitly manually marked as being trusted (in the case they have a higher level CA which *is* trusted)


It would be IMHO better if those CAs were not stored permanently; it just clutters up the list and makes CA management much more difficult.
Actually it also leads to one bigger bug, but I'll report that one separately.


Cheers,
Chris.

Thanks for the report. This is basically a request to fix Bug 733232.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
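
To audit a profile for the clutter described in this report, the following sketch (an added example, not part of the bug report and not Mozilla code) filters `certutil -L` output for entries whose trust attributes are empty (`,,`). The sample listing and its nicknames are constructed, and the profile path is a placeholder; note that `,,` marks any certificate stored without explicit trust, not only CA certificates.

```shell
#!/bin/sh
# Added example: find certificates in an NSS database that carry no trust flags.

# Reads a `certutil -L` listing on stdin and prints the nickname of every
# entry whose trust column is ",," (no SSL, S/MIME or code-signing trust).
list_untrusted() {
    awk '
        # Skip the two header lines and any blank lines.
        /^Certificate Nickname/ || /SSL,S\/MIME/ || NF == 0 { next }
        # Nicknames may contain spaces; the trust column is the last field.
        $NF == ",," {
            line = $0
            sub(/[ \t]+,,[ \t]*$/, "", line)   # strip the trust column
            print line
        }
    '
}

# Constructed sample of `certutil -L` output (all nicknames are made up).
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Intermediate CA G2                                   ,,
Example Manually Trusted Root                                CT,C,C
Another Cached Sub CA                                        ,,
my client cert                                               u,u,u
EOF
}

# Against a real profile (placeholder path):
#   certutil -L -d sql:/path/to/profile | list_untrusted
if [ "${1:-}" = "--demo" ]; then
    sample_listing | list_untrusted
fi
```

Run with `--demo` to see the two untrusted entries from the constructed listing; entries with explicit flags such as `CT,C,C` or `u,u,u` are left out.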