Matt,

While I think we would love to improve the experience around client 
certificates, it just hasn’t been a high priority. Every now and then someone 
will mention it, but that’s about it. I guess not enough folks are using this 
yet for it to really matter.

However, it does seem like bug 1081711 should be relatively easy to fix, so 
maybe we should do that. As for UI for adding/removing certificates, the 
easiest way forward there would be to have a tool that can wrap a cert in an 
addon. Installing the addon would install the cert, and conversely remove it 
when the addon is removed. This shouldn’t be too hard, but like everything else 
it’s a matter of finding someone with time.

James

> On Oct 15, 2014, at 8:50 PM, Matt Weeks <[email protected]> wrote:
> 
> Hello,
> Could someone make a few changes to the Firefox Mobile client certificate 
> handling? Client certificates are an awesome authentication mechanism that is 
> much more secure and easier to use than passwords, and supported in most 
> browsers. After seeing client certificate auth working with my previous 
> employer, I started putting it on all my sites. Sadly, there are a couple 
> issues with the implementation in Firefox Mobile (not desktop) making them 
> difficult to use.
> 
> First, when visiting a site requiring a client cert, the "Remember this 
> decision" checkbox doesn't seem to work. Whenever you open a new page (unless 
> a connection was kept alive) you still get prompted. This means using a 
> certificate-enabled website gets really annoying. 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1081711
> 
> Second, although cert issuance works great, you can't remove a certificate 
> you were issued. So if you have enrolled a few certs, your certificate list 
> gets cluttered and there's nothing you can do about it, even after trying to 
> delete all private data in the Settings->Privacy menu. So it becomes a 
> privacy bug too. I haven't filed this one in bugzilla, because I'm not sure 
> the right way to fix this. Ideally, you'd have a certificate menu where you 
> could list and delete your certificates, but if they were deleted with "Site 
> settings" or "Saved passwords" I think that would work too.
> 
> You can test this here: https://www.scriptjunkie.us/getacert
> 
> More than ever before, people are realizing that the typical password-based 
> authentication systems need to be replaced. Every day attackers get victims 
> to enter their passwords into phishing pages or guess or brute-force their 
> passwords... often leading to account hijacking or the theft of sensitive 
> personal information or files. Not to mention the headache of coming up with 
> and remembering complex passwords. So most people re-use them and get hacked 
> again. Client certificates are free of these issues, being inherently 
> re-usable, not needing to be remembered and having more than enough entropy 
> to be secure against all the common password attacks.
> 
> Also, given the news over the past year or so, a lot of people are concerned 
> about NSA (or Iranian or French...) spying on their personal information. All 
> of these have been linked to intercepting HTTPS connections, usually with 
> fraudulently obtained certificates 
> (https://bluebox.com/blog/technical/questioning-the-chain-of-trust-investigations-into-the-root-certificates-on-mobile-devices/) 
> from one of the hundreds (or thousands) of trusted root and intermediate 
> certificate authorities. But when a site uses client certificate 
> authentication, it can verify the connection against the client's key, no 
> longer just relying on trusted CAs, stopping these attacks.
> 
> So help us stop hackers, save users, freedom, and justice, and make client 
> certs work! Also, if you fix one of these issues, you'll be my hero, and I'll 
> buy you lunch if you ever come by San Antonio.
> 
> Thanks,
> Matt
> 
> -- 
> 
> http://www.scriptjunkie.us/
> _______________________________________________
> mobile-firefox-dev mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/mobile-firefox-dev