
Support Forum

Per-certificate, per-use password prompt

  • 9 replies
  • 1 has this problem
  • Last reply by libove
Posted

Firefox uses a Master password to protect Certificates stored in Firefox's separate-from-Windows Certificate store. Unlike the (more security-flexibly configurable) Windows Certificate store, Firefox either doesn't protect certificates at all (no Master password) or only 'protects' the whole of the imported certificates by requiring a Master Password (wrongly prompted right at Firefox start time) for the whole of a LastPass user session. In short, if Firefox is running, the certificates (and other things 'protected' by the Firefox Master password) are not well protected.

In contrast, Certificates stored in the Windows Certificate store may be individually configured with various levels of security (no password, prompt on each use, or prompt-with-certificate-specific-password on each use).

Firefox must offer equally flexible security levels for Certificates.


Additional System Details

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0


FredMcD
  • Top 10 Contributor
4224 solutions 58968 answers
Posted

Note that the Master Password only protects the password files. Nothing else.

Posted

Question owner

Hi FredMcD, thanks for your reply. I'm not sure what is meant by "the password files". I am prompted by Firefox for my Master password the first time during any Firefox session when a website requests that I use a Certificate to authenticate myself, so it seems that the Master password does also (inadequately) protect Certificates. I repeat my original assertion: Firefox does not provide adequate levels of protection to Certificates, enabling automatic use of ALL certificates after the Master password is entered once per session, instead of allowing per-certificate-use approval as Windows/IE/Edge do and as Firefox also should.

FredMcD
  • Top 10 Contributor
4224 solutions 58968 answers
Posted

https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins Use a Master Password to protect stored logins and passwords

The password information is stored in two files in the profile folder. The files are encrypted. The Master Password adds another layer of security.

jscher2000
  • Top 10 Contributor
8636 solutions 70644 answers
Posted

I don't think the Master Password feature is going to get such a comprehensive overhaul that you could manage how it works on a per-certificate or per-login basis.

There is a preference that seems relevant to how long entering the Master Password unlocks those items, but I haven't experimented with it:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.

(2) In the search box above the list, type or paste master and pause while the list is filtered

(3) Double-click the signon.masterPasswordReprompt.timeout_ms preference to display a dialog where you can enter the default value of 900000 milliseconds (15 minutes) to something shorter, such as 60000 milliseconds (1 minute), then click OK

Better? Worse? No difference?

Posted

Question owner

Thank you for the idea jscher2000. I'm fairly sure that this signon.masterPasswordReprompt.timeout_ms does not actually cause a Master password re-prompt, because even at the default value of 900000ms / 15 minutes, I have never seen a Master password re-prompt until I have exited Firefox and re-started it. Has anyone who is reading this ever seen Firefox re-prompt for the Master password? Or is it as I think/fear, only one prompt per-session no matter how long the session is no matter what the signon.masterPasswordReprompt.timeout_ms value is set to?

cor-el
  • Top 10 Contributor
  • Moderator
17415 solutions 157337 answers
Posted

Helpful Reply

This signon.masterPasswordReprompt.timeout_ms pref is about a timeout for an unsuccessful (canceled) MP prompt. If you cancel too often then you are only re-prompted after this timeout has fired. See repromptTimeout:

  • https://dxr.mozilla.org/mozilla-release/source/toolkit/components/passwordmgr/LoginManagerParent.jsm#237
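
Added example (not part of the thread and not Firefox source code): a simplified JavaScript model of the behaviour cor-el describes, in which the timeout only delays the next prompt after a canceled one and never re-locks anything after a successful entry. The class and method names, the return strings and the rule that a single cancel starts the timeout are assumptions made for illustration.

```javascript
// Simplified model (added example, not Firefox source) of the behaviour
// described above: the timeout only throttles prompts after a cancel.
class MasterPasswordGate {
  constructor(repromptTimeoutMs, now = () => Date.now()) {
    // Models signon.masterPasswordReprompt.timeout_ms.
    this.repromptTimeoutMs = repromptTimeoutMs;
    this.now = now;          // injectable clock so the model is testable
    this.unlocked = false;   // true after one successful entry, until exit
    this.suppressUntil = 0;  // no prompt is shown before this time
    this.promptsShown = 0;
  }

  // Something needs a protected item. `answer` is what the user does if a
  // prompt appears: "correct" or "cancel".
  requestAccess(answer) {
    if (this.unlocked) return "granted-without-prompt";
    if (this.now() < this.suppressUntil) return "denied-prompt-suppressed";
    this.promptsShown += 1;
    if (answer === "correct") {
      this.unlocked = true;  // nothing in this model ever re-locks it
      return "granted-after-prompt";
    }
    // Assumption: one cancel is enough to start the reprompt timeout.
    this.suppressUntil = this.now() + this.repromptTimeoutMs;
    return "denied-canceled";
  }
}

// Constructed scenario driven by a fake clock (milliseconds).
function runScenario(timeoutMs) {
  let t = 0;
  const gate = new MasterPasswordGate(timeoutMs, () => t);
  const log = [];
  log.push(gate.requestAccess("cancel"));   // user cancels the first prompt
  t += timeoutMs - 1;
  log.push(gate.requestAccess("correct"));  // inside the timeout: no prompt
  t += 1;
  log.push(gate.requestAccess("correct"));  // timeout elapsed: prompt, unlock
  t += 10 * timeoutMs;
  log.push(gate.requestAccess("cancel"));   // much later: still unlocked
  return { log, promptsShown: gate.promptsShown };
}

console.log(runScenario(60000));
```

In this model, shortening the timeout changes only how soon a prompt reappears after a cancel; the last step is granted without a prompt for any timeout value, which matches the once-per-session behaviour the question owner reports.
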
Posted

Question owner

Thanks cor-el.

*sigh*

So, why does Mozilla, which usually is quite user- and security- friendly, consider it acceptable to leave Certificates so lightly protected?

christ1
  • Top 25 Contributor
2154 solutions 15733 answers
Posted

> So, why does Mozilla, which usually is quite user- and security- friendly, consider it acceptable to leave Certificates so lightly protected?

For a cert in the Firefox certificate store there is nothing to be protected, unless it is a personal cert with the private key. You already confirmed you do get a master password prompt for your personal cert.

What exactly do you think needs protection for the other certs in the store?

Posted

Question owner

Apologies for not clarifying - I am speaking specifically about personal certificates with private keys. I see that Bugzilla already has this (a couple of times), under consideration for enhancement. https://bugzilla.mozilla.org/show_bug.cgi?id=838272 https://bugzilla.mozilla.org/show_bug.cgi?id=219842
