We do have UI for adding certs. We (or someone else) could write an addon that enabled cert removal. i.e. show a dialog with a list of installed certs. Select some. Hit "Remove" to delete them. It would also be easy to port into Fennec from the add-on so that might help move that bug to "trivial". I'm sure someone could help walk you through that via email or #mobile on IRC if you want.
- Wes

----- Original Message -----
From: "James Willcox" <[email protected]>
To: "Matt Weeks" <[email protected]>
Cc: [email protected]
Sent: Tuesday, October 21, 2014 6:48:06 AM
Subject: Re: Client certificates in Firefox Mobile

Matt,

While I think we would love to improve the experience around client certificates, it just hasn’t been a high priority. Every now and then someone will mention it, but that’s about it. I guess not enough folks are using this yet for it to really matter. However, it does seem like bug 1081711 should be relatively easy to fix, so maybe we should do that.

As for UI for adding/removing certificates, the easiest way forward there would be to have a tool that can wrap a cert in an addon. Installing the addon would install the cert, and conversely remove it when the addon is removed. This shouldn’t be too hard, but like everything else it’s a matter of finding someone with time.

James

On Oct 15, 2014, at 8:50 PM, Matt Weeks <[email protected]> wrote:

Hello,

Could someone make a few changes to the Firefox Mobile client certificate handling? Client certificates are an awesome authentication mechanism that is much more secure and easier to use than passwords, and supported in most browsers. After seeing client certificate auth working with my previous employer, I started putting it on all my sites. Sadly, there are a couple issues with the implementation in Firefox Mobile (not desktop) making them difficult to use.

First, when visiting a site requiring a client cert, the "Remember this decision" checkbox doesn't seem to work. Whenever you open a new page (unless a connection was kept alive) you still get prompted. This means using a certificate enabled website gets really annoying.
https://bugzilla.mozilla.org/show_bug.cgi?id=1081711

Second, although cert issuance works great, you can't remove a certificate you were issued. So if you have enrolled a few certs, your certificate list gets cluttered and there's nothing you can do about it, even after trying to delete all private data in the Settings->Privacy menu. So it becomes a privacy bug too. I haven't filed this one in bugzilla, because I'm not sure the right way to fix this. Ideally, you'd have a certificate menu where you could list and delete your certificates, but if they were deleted with "Site settings" or "Saved passwords" I think that would work too. You can test this here: https://www.scriptjunkie.us/getacert

More than ever before, people are realizing that the typical password-based authentication systems need to be replaced. Every day attackers get victims to enter their passwords into phishing pages or guess or brute-force their passwords... often leading to account hijacking or the theft of sensitive personal information or files. Not to mention the headache of coming up with and remembering complex passwords. So most people re-use them and get hacked again. Client certificates are free of these issues, being inherently re-usable, not needing to be remembered and having more than enough entropy to be secure against all the common password attacks.

Also, given the news over the past year or so, a lot of people are concerned about NSA (or Iranian or French...) spying on their personal information. All of these have been linked to intercepting HTTPS connections, usually with fraudulently obtained certificates from one of the hundreds (or thousands) of trusted root and intermediate certificate authorities. But when a site uses client certificate authentication, it can verify the connection against the client's key, no longer just relying on trusted CA's, stopping these attacks.

So help us stop hackers, save users, freedom, and justice, and make client certs work!

Also, if you fix one of these issues, you'll be my hero, and I'll buy you lunch if you ever come by San Antonio.

Thanks,
Matt

--
http://www.scriptjunkie.us/

_______________________________________________
mobile-firefox-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/mobile-firefox-dev

