Closed
Bug 406559
Opened 17 years ago
Closed 11 years ago
CRLs are imported without asking user for confirmation
Categories
(Core :: Security: PSM, defect)
RESOLVED
INVALID
People
(Reporter: mads, Unassigned)
Details
(Whiteboard: [psm-crl])
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071126 Fedora/2.0.0.10-1.fc8 Firefox/2.0.0.10 pango-text
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071126 Fedora/2.0.0.10-1.fc8 Firefox/2.0.0.10 pango-text
If a user clicks the "root.crl" link on http://www.apple.com/certificateauthority/ it is imported without confirmation from the user.
I assume that adding bogus CRLs to the user's browser can have security implications. By the nature of CRLs it will probably be DOS kind of problems. Adding a lot of CRLs will create a local DOS. Perhaps it will be possible to block access to sites.
Reproducible: Always
Steps to Reproduce:
1. just follow link to http://www.apple.com/certificateauthority/root.crl
Actual Results:
CRL can be found in Firefox's CRL list
Expected Results:
User should be told what implications adding the CRL will have, and the user should be asked for confirmation.
Comment 1•17 years ago
CRLs are signed by their issuers, so it is not possible for a malicious party to publish a CRL which will, for instance, revoke amazon.com's certificate - only amazon.com's issuer can do that.
The only opportunities for attack I see here are either the network hit of fetching these things or the general contamination of the CRL DB with useless junk, which isn't a *terribly* compelling attack anyhow. I'm going to bounce this to PSM for comment, in case I'm crazy, but in any event it doesn't need to be secret, since our behaviour here is known and by design.
Assignee: nobody → kengert
Group: security
Component: Security → Security: PSM
OS: Linux → All
Product: Firefox → Core
QA Contact: firefox → psm
Hardware: PC → All
Comment 2•17 years ago
I guess this bug is invalid, but cc'ing Bob and Nelson.
It's our intention to import CRLs when clicked.
Comment 3•17 years ago
The CRL is imported but automatic CRL updating is not enabled, by default.
What happens when the CRL expires?
Is this effectively a DOS?
Comment 4•17 years ago
You can't import an invalid CRL (including an expired one), but if the CRL you have later expires, then it currently is a DOS.
bob
Comment 5•17 years ago
There are several APIs available to import CRLs, PK11_ImportCRL and SEC_NewCrl. The former verifies the CRL optionally, and the latter does not. AFAIK, PSM uses the latter. It always imports CRLs without verifying them. This can create DOSes.
In order for PSM to successfully do the CRL verification at import time, it would be required to save intermediate certs. So, right now, it blindly stores them in the token, and the failure may be seen later at verification time.
Comment 6•17 years ago
Also, CRLs don't expire. ;) Only the NIST CRL policy considers the nextUpdate as an expiration date. By default we don't follow that policy so there should be no DOS due to "expiration".
In any case, the reporter is correct that CRLs are imported without asking the user. I would say it was done by design in PSM rather than a bug, though (since the CRLs can't be verified without intermediates). If we can change PSM to check the CRL validity before import, it will have to obtain the cert chain from somewhere.
Maybe an AIA or SIA extension in a CRL?
I am not sure if this is in current RFCs, though. It's not in RFC3280 at least.
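An added example, not part of the bug thread and not NSS or PSM code: the import-time check discussed in comments 1, 5 and 6, written with the Python `cryptography` package. The CA names, keys and CRLs are constructed, and `check_before_import` is a hypothetical helper; it shows that a CRL's signature can be checked only when the issuer certificate is already available locally.

```python
# Added example: check a CRL at import time with the Python "cryptography"
# package. This is not NSS or PSM code; all names and CAs are constructed.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2024, 1, 1)  # fixed clock for the constructed data

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca(cn):
    """Build a constructed self-signed CA; returns (private_key, certificate)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None),
                           critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_crl(issuer_cn, signing_key, revoked_serial):
    """Build a constructed DER CRL that names issuer_cn as its issuer."""
    entry = (x509.RevokedCertificateBuilder()
             .serial_number(revoked_serial).revocation_date(NOW).build())
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(_name(issuer_cn))
           .last_update(NOW).next_update(NOW + datetime.timedelta(days=7))
           .add_revoked_certificate(entry)
           .sign(signing_key, hashes.SHA256()))
    return crl.public_bytes(Encoding.DER)

def check_before_import(crl_der, known_cas):
    """Return 'accept', 'bad-signature' or 'unknown-issuer' for a DER CRL."""
    crl = x509.load_der_x509_crl(crl_der)
    for ca in known_cas:
        if ca.subject == crl.issuer:  # issuer certificate is available locally
            ok = crl.is_signature_valid(ca.public_key())
            return "accept" if ok else "bad-signature"
    return "unknown-issuer"  # nothing to verify against: cannot be checked
```

A CRL that merely names a known issuer but is signed with a different key is rejected, while a genuine CRL whose issuer certificate is not stored cannot be judged either way at import time.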
Updated•17 years ago
Summary: CRLs seems to be imported without asking user → CRLs are imported without asking user for confirmation
Comment 7•15 years ago
Mass change owner of unconfirmed "Core:Security UI/PSM/SMime" bugs to nobody.
Search for kaie-20100607-unconfirmed-nobody
Assignee: kaie → nobody
Updated•15 years ago
Whiteboard: [psm-crl]
Comment 8•14 years ago
I just encountered this today, and though there might not be any security problem in adding the CRL to Firefox automatically, it does display a scary looking dialog asking you if the newly added CRL should be auto updated or not. The dialog may not be a security warning, but it looks in my mind like a security warning you cannot cancel. So maybe the dialog should be removed or its wording be improved.
Does Firefox ensure that only CRLs from trusted CAs can be imported? Otherwise I think it could be a privacy issue, since it does not seem like the import is removed by Private Browsing or Clear Recent History.
Comment 9•11 years ago
The "Revocation Lists" feature was removed in bug 867465.