
Per-certificate, per-use password prompt


Firefox uses a Master password to protect Certificates stored in Firefox's separate-from-Windows Certificate store. Unlike the (more security-flexibly configurable) Windows Certificate store, Firefox either doesn't protect certificates at all (no Master password) or only 'protects' the whole of the imported certificates by requiring a Master Password (wrongly prompted right at Firefox start time) for the whole of a LastPass user session. In short, if Firefox is running, the certificates (and other things 'protected' by the Firefox Master password) are not well protected.

In contrast, Certificates stored in the Windows Certificate store may be individually configured with various levels of security (no password, prompt on each use, or prompt-with-certificate-specific-password on each use).

Firefox must offer equally flexible security levels for Certificates.

FredMcD
  • Top 10 Contributor
4025 solutions 56247 answers

Note that the Master Password only protects the password files. Nothing else.


Question owner

Hi FredMcD, thanks for your reply. I'm not sure what is meant by "the password files". I am prompted by Firefox for my Master password the first time during any Firefox session when a website requests that I use a Certificate to authenticate myself, so it seems that the Master password does also (inadequately) protect Certificates. I repeat my original assertion: Firefox does not provide adequate levels of protection to Certificates, enabling automatic use of ALL certificates after the Master password is entered once per session, instead of allowing per-certificate-use approval as Windows/IE/Edge do and as Firefox also should.

FredMcD
  • Top 10 Contributor
4025 solutions 56247 answers

https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins Use a Master Password to protect stored logins and passwords

The password information is stored in two files in the profile folder. The files are encrypted. The Master Password adds another layer of security.

jscher2000
  • Top 10 Contributor
8190 solutions 67004 answers

I don't think the Master Password feature is going to get such a comprehensive overhaul that you could manage how it works on a per-certificate or per-login basis.

There is a preference that seems relevant to how long entering the Master Password unlocks those items, but I haven't experimented with it:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.

(2) In the search box above the list, type or paste master and pause while the list is filtered.

(3) Double-click the signon.masterPasswordReprompt.timeout_ms preference to display a dialog where you can change the default value of 900000 milliseconds (15 minutes) to something shorter, such as 60000 milliseconds (1 minute), then click OK.

Better? Worse? No difference?


Question owner

Thank you for the idea jscher2000. I'm fairly sure that this signon.masterPasswordReprompt.timeout_ms does not actually cause a Master password re-prompt, because even at the default value of 900000ms / 15 minutes, I have never seen a Master password re-prompt until I have exited Firefox and re-started it. Has anyone who is reading this ever seen Firefox re-prompt for the Master password? Or is it as I think/fear, only one prompt per-session no matter how long the session is, no matter what the signon.masterPasswordReprompt.timeout_ms value is set to?

cor-el
  • Top 10 Contributor
  • Moderator
16992 solutions 153425 answers

Helpful Reply

This signon.masterPasswordReprompt.timeout_ms pref is about a timeout for an unsuccessful (canceled) MP prompt. If you cancel too often then you are only re-prompted after this timeout has fired. See repromptTimeout:

  • https://dxr.mozilla.org/mozilla-release/source/toolkit/components/passwordmgr/LoginManagerParent.jsm#237

Question owner

Thanks cor-el.

*sigh*

So, why does Mozilla, which usually is quite user- and security- friendly, consider it acceptable to leave Certificates so lightly protected?

christ1
  • Top 10 Contributor
2111 solutions 15418 answers

> So, why does Mozilla, which usually is quite user- and security- friendly, consider it acceptable to leave Certificates so lightly protected?

For a cert in the Firefox certificate store there is nothing to be protected, unless it is a personal cert with the private key. You already confirmed you do get a master password prompt for your personal cert.

What exactly do you think needs protection for the other certs in the store?


Question owner

Apologies for not clarifying - I am speaking specifically about personal certificates with private keys. I see that Bugzilla already has this (a couple of times), under consideration for enhancement. https://bugzilla.mozilla.org/show_bug.cgi?id=838272 https://bugzilla.mozilla.org/show_bug.cgi?id=219842
