Closed
Bug 1277240
Opened 8 years ago
Closed 8 years ago
The Microsoft Family Safety certificate is still imported in the Authorities tab in the Certificate Manager
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla49
| Tracking | Status | |
|---|---|---|
| firefox49 | --- | fixed |
People
(Reporter: sbadau, Assigned: keeler)
References
(Blocks 1 open bug)
Details
(Whiteboard: [psm-assigned])
Attachments
(1 file)
Mozilla/5.0 (Windows NT 6.3; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20160531030258
[Affected versions]:
- Nightly 49.0a1
[Affected platforms]:
- Windows 8.1
[Prerequisites]:
- have a Microsoft Child Account set up and running
- Install the latest Nightly on the Admin account
[Steps to reproduce]:
1. Log in on the Child Account
2. Launch Firefox with a new profile
3. Go to about:config, add the preference "security.family_safety.mode" and set it to "2"
4. Go to about:preferences#advanced -> Certificates -> View Certificates -> search for the Microsoft Family Safety certificate
5. Navigate to Facebook
6. Go to about:preferences#advanced -> Certificates -> View Certificates -> search for the Microsoft Family Safety certificate
7. Close Firefox
8. Reopen Firefox
9. Navigate to Facebook again
10. Go to about:preferences#advanced -> Certificates -> View Certificates -> search for the Microsoft Family Safety certificate
[Expected result]:
The Mozilla Family Safety certificate should not be imported into the Certificate Manager. Navigating to HTTPS sites should be allowed.
[Actual result]:
Navigation to Facebook in step 5 is not allowed -> the Insecure Connection message is displayed.
In step 6, the Microsoft Family Safety certificate shows as imported into the Certificate Manager.
After restarting Firefox the Microsoft Family Certificate is no longer present into the Certificate Manager and navigation to Facebook is allowed.
[Regression range]:
- I'll investigate and post the results as soon as possible.
|
Assignee | |
Updated•8 years ago
|
Assignee: nobody → dkeeler
Whiteboard: [psm-assigned]
|
|
Assignee | |
Comment 1•8 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/57346/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/57346/
Attachment #8759359 -
Flags: review?(cykesiopka.bmo)
|
|
||
Comment 2•8 years ago
|
||
Comment on attachment 8759359 [details]
bug 1277240 - don't import trust anchors in SaveIntermediateCerts
https://reviewboard.mozilla.org/r/57346/#review54266
Looks good!
(Although I leave it to simonab to confirm this fully fixes the issue.)
::: security/certverifier/NSSCertDBTrustDomain.cpp:1103
(Diff revision 1)
>
> return NS_ERROR_FAILURE;
> }
>
> void
> SaveIntermediateCerts(const UniqueCERTCertList& certList)
Maybe we should document that certList must always be a verified chain with the trust anchor at the tail, just so it's clear that the change here is correct.
Attachment #8759359 -
Flags: review?(cykesiopka.bmo) → review+
|
|
Assignee | |
Comment 3•8 years ago
|
||
https://reviewboard.mozilla.org/r/57346/#review54266
Thanks!
> Maybe we should document that certList must always be a verified chain with the trust anchor at the tail, just so it's clear that the change here is correct.
Sounds good.
|
|
Assignee | |
Comment 4•8 years ago
|
||
Comment on attachment 8759359 [details]
bug 1277240 - don't import trust anchors in SaveIntermediateCerts
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/57346/diff/1-2/
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/eb3f64c79e83
don't import trust anchors in SaveIntermediateCerts r=Cykesiopka
|
||
Comment 6•8 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
You need to log in
before you can comment on or make changes to this bug.
Description
•