
Support Forum

Per-certificate, per-use password prompt


Firefox uses a Master password to protect Certificates stored in Firefox's separate-from-Windows Certificate store. Unlike the (more security-flexibly configurable) Windows Certificate store, Firefox either doesn't protect certificates at all (no Master password) or only 'protects' the whole of the imported certificates by requiring a Master Password (wrongly prompted right at Firefox start time) for the whole of a LastPass user session. In short, if Firefox is running, the certificates (and other things 'protected' by the Firefox Master password) are not well protected.

In contrast, Certificates stored in the Windows Certificate store may be individually configured with various levels of security (no password, prompt on each use, or prompt-with-certificate-specific-password on each use).

Firefox must offer equally flexible security levels for Certificates.


Additional System Details

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0


FredMcD
  • Top 10 Contributor
4184 solutions 58423 answers

Note that the Master Password only protects the password files. Nothing else.


Question owner

Hi FredMcD, thanks for your reply. I'm not sure what is meant by "the password files". I am prompted by Firefox for my Master password the first time during any Firefox session when a website requests that I use a Certificate to authenticate myself, so it seems that the Master password does also (inadequately) protect Certificates. I repeat my original assertion: Firefox does not provide adequate levels of protection to Certificates, enabling automatic use of ALL certificates after the Master password is entered once per session, instead of allowing per-certificate-use approval as Windows/IE/Edge do and as Firefox also should.

FredMcD
  • Top 10 Contributor
4184 solutions 58423 answers

https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins Use a Master Password to protect stored logins and passwords

The password information is stored in two files in the profile folder. The files are encrypted. The Master Password adds another layer of security.

jscher2000
  • Top 10 Contributor
8568 solutions 70054 answers

I don't think the Master Password feature is going to get such a comprehensive overhaul that you could manage how it works on a per-certificate or per-login basis.

There is a preference that seems relevant to how long entering the Master Password unlocks those items, but I haven't experimented with it:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.

(2) In the search box above the list, type or paste master and pause while the list is filtered

(3) Double-click the signon.masterPasswordReprompt.timeout_ms preference to display a dialog where you can change the default value of 900000 milliseconds (15 minutes) to something shorter, such as 60000 milliseconds (1 minute), then click OK

Better? Worse? No difference?


Question owner

Thank you for the idea jscher2000. I'm fairly sure that this signon.masterPasswordReprompt.timeout_ms does not actually cause a Master password re-prompt, because even at the default value of 900000ms / 15 minutes, I have never seen a Master password re-prompt until I have exited Firefox and re-started it. Has anyone who is reading this ever seen Firefox re-prompt for the Master password? Or is it as I think/fear, only one prompt per-session no matter how long the session is no matter what the signon.masterPasswordReprompt.timeout_ms value is set to?

cor-el
  • Top 10 Contributor
  • Moderator
17334 solutions 156717 answers

Helpful Reply

This signon.masterPasswordReprompt.timeout_ms pref is about a timeout for an unsuccessful (canceled) MP prompt. If you cancel too often then you are only re-prompted after this timeout has fired. See repromptTimeout:

  • https://dxr.mozilla.org/mozilla-release/source/toolkit/components/passwordmgr/LoginManagerParent.jsm#237

Question owner

Thanks cor-el.

*sigh*

So, why does Mozilla, which usually is quite user- and security- friendly, consider it acceptable to leave Certificates so lightly protected?

christ1
  • Top 25 Contributor
2148 solutions 15684 answers
So, why does Mozilla, which usually is quite user- and security- friendly, consider it acceptable to leave Certificates so lightly protected?

For a cert in the Firefox certificate store there is nothing to be protected, unless it is a personal cert with the private key. You already confirmed you do get a master password prompt for your personal cert.

What exactly do you think needs protection for the other certs in the store?


Question owner

Apologies for not clarifying - I am speaking specifically about personal certificates with private keys. I see that Bugzilla already has this (a couple of times), under consideration for enhancement. https://bugzilla.mozilla.org/show_bug.cgi?id=838272 https://bugzilla.mozilla.org/show_bug.cgi?id=219842
