Vigil@nce: Firefox, permanent storage of certificates
June 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
Firefox stores untrusted certificates permanently even when the user
has chosen not to store them.
– Severity: 2/4
– Creation date: 31/05/2011
IMPACTED PRODUCTS
– Debian Linux
– Mozilla Firefox
DESCRIPTION OF THE VULNERABILITY
When a user visits a website that presents a self-signed HTTPS
certificate, the user can choose not to accept the certificate
permanently, but only for the duration of the session.
However, Firefox 4 does not discard the certificate exception at the
end of the session. When the user later returns to the website, Firefox
loads the HTTPS page without asking the user to re-validate the
server certificate.
Firefox therefore stores untrusted certificates permanently even
when the user has chosen not to store them.
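As an added example (this is not code from the bulletin, from Vigil@nce, or from Mozilla), the following Python script lists the certificate exceptions that a Firefox profile has stored permanently, so a user who only ever accepted a self-signed certificate "for this session" can check what the profile actually persists. The file name cert_override.txt and its tab-separated line layout are taken from public Firefox behaviour and are assumptions here, not something the bulletin states; the sample lines are constructed.

```python
"""Audit the permanent certificate exceptions stored by a Firefox profile.

Assumption (not from the bulletin): Firefox keeps user-accepted certificate
overrides in a plain-text file named cert_override.txt in the profile
directory. Each non-comment line is tab-separated:

    host:port <TAB> hash-OID <TAB> fingerprint <TAB> flags <TAB> db-key

Flags: M = hostname mismatch, U = untrusted issuer (e.g. self-signed),
T = certificate outside its validity period.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List

FLAG_MEANINGS = {
    "M": "hostname mismatch",
    "U": "untrusted issuer (self-signed or unknown CA)",
    "T": "outside validity period",
}


@dataclass
class CertOverride:
    host: str
    port: int
    hash_oid: str
    fingerprint: str
    flags: str
    db_key: str

    def reasons(self) -> List[str]:
        """Human-readable explanation of why the override was needed."""
        return [FLAG_MEANINGS.get(f, f"unknown flag {f!r}") for f in self.flags]


def parse_cert_overrides(lines: Iterable[str]) -> List[CertOverride]:
    """Parse cert_override.txt lines; comments and blank lines are skipped."""
    overrides: List[CertOverride] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"malformed override line: {line!r}")
        hostport, oid, fingerprint, flags, db_key = fields
        # rpartition keeps IPv6 literals such as [::1]:443 intact.
        host, _, port = hostport.rpartition(":")
        overrides.append(CertOverride(host, int(port), oid, fingerprint, flags, db_key))
    return overrides


def find_untrusted_overrides(overrides: Iterable[CertOverride]) -> List[CertOverride]:
    """Overrides whose issuer Firefox could not validate (flag U)."""
    return [o for o in overrides if "U" in o.flags]


def load_profile_overrides(profile_dir: str) -> List[CertOverride]:
    """Read the override file from a profile directory; empty list if absent."""
    path = Path(profile_dir) / "cert_override.txt"
    if not path.exists():
        return []
    return parse_cert_overrides(path.read_text(encoding="utf-8").splitlines())


# Constructed sample file content (fingerprints and keys are placeholders).
SAMPLE_OVERRIDES = """\
# PSM Certificate Override Settings file
# This is a generated file!  Do not edit.
intranet.example.test:443\tOID.2.16.840.1.101.3.4.2.1\t11:22:33:44:55:66:77:88\tU\tAAAAkey1
mail.example.test:993\tOID.2.16.840.1.101.3.4.2.1\t99:88:77:66:55:44:33:22\tMU\tAAAAkey2
expired.example.test:443\tOID.2.16.840.1.101.3.4.2.1\tAA:BB:CC:DD:EE:FF:00:11\tT\tAAAAkey3
"""


def report(overrides: Iterable[CertOverride]) -> List[str]:
    """One summary line per stored exception."""
    return [f"{o.host}:{o.port} -> {', '.join(o.reasons())}" for o in overrides]


if __name__ == "__main__":
    for line in report(parse_cert_overrides(SAMPLE_OVERRIDES.splitlines())):
        print(line)
```

Point load_profile_overrides at a real profile directory to audit your own exceptions; any host listed there will be trusted on the next visit without a new prompt, which is exactly the behaviour a session-only acceptance is meant to avoid.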
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Firefox-permanent-storage-of-certificates-10699