Hello,

Could someone make a few changes to the Firefox Mobile client certificate handling? Client certificates are an awesome authentication mechanism that is much more secure and easier to use than passwords, and supported in most browsers. After seeing client certificate auth working with my previous employer, I started putting it on all my sites. Sadly, there are a couple of issues with the implementation in Firefox Mobile (not desktop) making them difficult to use.
First, when visiting a site requiring a client cert, the "Remember this decision" checkbox doesn't seem to work. Whenever you open a new page (unless a connection was kept alive) you still get prompted. This means using a certificate-enabled website gets really annoying. https://bugzilla.mozilla.org/show_bug.cgi?id=1081711

Second, although cert issuance works great, you can't remove a certificate you were issued. So if you have enrolled a few certs, your certificate list gets cluttered and there's nothing you can do about it, even after trying to delete all private data in the Settings->Privacy menu. So it becomes a privacy bug too. I haven't filed this one in Bugzilla, because I'm not sure of the right way to fix this. Ideally, you'd have a certificate menu where you could list and delete your certificates, but if they were deleted with "Site settings" or "Saved passwords" I think that would work too. You can test this here: https://www.scriptjunkie.us/getacert

More than ever before, people are realizing that the typical password-based authentication systems need to be replaced. Every day attackers get victims to enter their passwords into phishing pages, or guess or brute-force their passwords... often leading to account hijacking or the theft of sensitive personal information or files. Not to mention the headache of coming up with and remembering complex passwords. So most people re-use them and get hacked again. Client certificates are free of these issues, being inherently re-usable, not needing to be remembered and having more than enough entropy to be secure against all the common password attacks.

Also, given the news over the past year or so, a lot of people are concerned about the NSA (or Iranian or French...) spying on their personal information. All of these have been linked to intercepting HTTPS connections, usually with fraudulently obtained certificates <https://bluebox.com/blog/technical/questioning-the-chain-of-trust-investigations-into-the-root-certificates-on-mobile-devices/> from one of the hundreds (or thousands) of trusted root and intermediate certificate authorities. But when a site uses client certificate authentication, it can verify the connection against the client's key, no longer just relying on trusted CAs, stopping these attacks.

So help us stop hackers, save users, freedom, and justice, and make client certs work! Also, if you fix one of these issues, you'll be my hero, and I'll buy you lunch if you ever come by San Antonio.

Thanks,
Matt
-- 
http://www.scriptjunkie.us/
_______________________________________________ mobile-firefox-dev mailing list [email protected] https://mail.mozilla.org/listinfo/mobile-firefox-dev
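The server-side half of what the message above relies on, "verify the connection against the client's key", as an added example. This is not code from the original message, from Firefox, or from scriptjunkie.us; it is a self-contained Go program that stands in for a site like the getacert one. It builds its own throwaway CA, server and client certificates (constructed fixtures, nothing enrolled anywhere real), then runs three mutually authenticated TLS handshakes over a loopback socket: the enrolled user, an attacker whose certificate comes from a look-alike CA with the same name but a different key, and a holder of a certificate the real CA did issue but for a key the site never enrolled. The SPKI pin stored "at enrollment", the helper names (makeCert, serverConfig, handshake, runScenarios) and the CA name "Example Client CA" are all assumptions of this example. The point it makes is the one in the message: possession of the private key is proven inside the handshake (the client's CertificateVerify signature), so a certificate obtained from some other authority, or even a genuine one for another key, gets the connection refused by the server rather than by any trust in a CA list alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T { // fixture setup only; handshake verdicts are returned, never panicked
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues a P-256 certificate for cn, self-signed when parent is nil (a CA),
// otherwise signed by parent. Every certificate here is a constructed test fixture.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, DNSNames: []string{"localhost"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func tlsCert(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k, Leaf: c}
}

// spkiPin is what the site stores at enrollment: a hash of the user's public key, not of any CA.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
func pool(ca *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(ca); return p }

// serverConfig requires a client certificate chaining to ca and then pins the enrolled key,
// so even a certificate the CA really issued is refused when it carries a different key.
func serverConfig(srv tls.Certificate, ca *x509.Certificate, enrolled [32]byte) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{srv},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool(ca),
		VerifyPeerCertificate: func(_ [][]byte, verified [][]*x509.Certificate) error {
			// verified is populated only after the chain to ClientCAs checked out.
			if len(verified) == 0 || spkiPin(verified[0][0]) != enrolled {
				return fmt.Errorf("client key is not the enrolled key")
			}
			return nil
		},
	}
}

// handshake runs one handshake over a loopback socket and returns the server's verdict
// (nil = accepted). Under TLS 1.3 the client's Handshake returns before the server has
// examined the client certificate, so the client-side result is deliberately ignored.
func handshake(srvCfg *tls.Config, ca *x509.Certificate, cert tls.Certificate) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		verdict <- tls.Server(conn, srvCfg).Handshake()
	}()
	raw := must(net.Dial("tcp", ln.Addr().String()))
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cfg := &tls.Config{RootCAs: pool(ca), ServerName: "localhost", Certificates: []tls.Certificate{cert}}
	tls.Client(raw, cfg).Handshake()
	return <-verdict
}

// runScenarios enrolls one user's key with the site, then connects as that user, with a
// certificate from a look-alike CA (same name, other key), and with a certificate the real
// CA issued for a key that was never enrolled. It returns the server's verdict for each.
func runScenarios() (legit, lookalikeCA, unenrolledKey error) {
	ca, caKey := makeCert("Example Client CA", true, nil, nil)
	srvCert, srvKey := makeCert("localhost", false, ca, caKey)
	userCert, userKey := makeCert("matt", false, ca, caKey)
	srvCfg := serverConfig(tlsCert(srvCert, srvKey), ca, spkiPin(userCert))
	rogueCA, rogueCAKey := makeCert("Example Client CA", true, nil, nil)
	rogueCert, rogueKey := makeCert("matt", false, rogueCA, rogueCAKey)
	otherCert, otherKey := makeCert("matt", false, ca, caKey)
	return handshake(srvCfg, ca, tlsCert(userCert, userKey)),
		handshake(srvCfg, ca, tlsCert(rogueCert, rogueKey)),
		handshake(srvCfg, ca, tlsCert(otherCert, otherKey))
}

func main() { fmt.Println(runScenarios()) }
```

Running it prints three verdicts: nil for the enrolled key, a chain-verification error for the look-alike CA (the Go client offers that certificate because its issuer name matches the server's acceptable-CA list, but the signature does not verify against the trusted CA key), and the pin error for the genuine-but-unenrolled certificate. The browser side of this story (the prompt, the "Remember this decision" box and certificate deletion from the message above) lives in the client; this example only shows what the site can check once the client presents a certificate and signs the handshake with its key.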

