Per-certificate, per-use password prompt
Firefox uses a Master password to protect Certificates stored in Firefox's separate-from-Windows Certificate store. UNlike the (more security-flexibly configurable) Windows Certificate store, Firefox either doesn't protect certificates at all (no Master password) or only 'protects' the whole of the imported certificates by requiring a Master Password (wrongly prompted right at Firefox start time) for the whole of a LastPass user session. In short, if Firefox is running, the certificates (and other things 'protected' by the Firefox Master password) are not well protected.
In contrast, Certificates stored in the Windows Certificate store may be individually configured with various levels of security (no password, prompt on each use, or prompt-with-certificate-specific-password on each use).
Firefox must offer equally flexible security levels for Certificates.
All Replies (9)
Note that the Master Password only protects the password files. Nothing else.
Hi FredMcD, thanks for your reply. I'm not sure what is meant by "the password files". I am prompted by Firefox for my Master password the first time during any Firefox session when a website requests that I use a Certificate to authenticate myself, so it seems that the Master password does also (inadequately) protect Certificates. I repeat my original assertion: Firefox does not provide adequate levels of protection to Certificates, enabling automatic use of ALL certificates after the Master password is entered once per session, instead of allowing per-certificate-use approval as Windows/IE/Edge do and as Firefox also should.
https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins Use a Master Password to protect stored logins and passwords
The password information is stored in two files in the profile folder. The files are encrypted. The Master Password adds another layer of security.
I don't think the Master Password feature is going to get such a comprehensive overhaul that you could manage how it works on a per-certificate or per-login basis.
There is a preference that seems relevant to how long entering the Master Password unlocks those items, but I haven't experimented with it:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.
(2) In the search box above the list, type or paste master and pause while the list is filtered
(3) Double-click the signon.masterPasswordReprompt.timeout_ms preference to display a dialog where you can enter the default value of 900000 milliseconds (15 minutes) to something shorter, such as 60000 milliseconds (1 minute), then click OK
Better? Worse? No difference?
Thank you for the idea jscher2000. I'm fairly sure that this signon.masterPasswordReprompt.timeout_ms does not actually cause a Master password re-prompt, because even at the default value of 900000ms / 15 minutes, I have never seen a Master password re-prompt until I have exited Firefox and re-started it. Has anyone who is reading this ever seen Firefox re-prompt for the Master password? Or is it as a I think/fear, only one prompt per-session no matter how long the session is no matter what the signon.masterPasswordReprompt.timeout_ms value is set to?
This signon.masterPasswordReprompt.timeout_ms pref is about a timeout for an unsuccessful (canceled) MP prompt. If you cancel too often then you are only re-prompted after this timeout has fired. See repromptTimeout:
Thanks cor-el.
- sigh*
So, why does Mozilla, which usually is quite user- and security- friendly, consider it acceptable to leave Certificates so lightly protected?
So, why does Mozilla, which usually is quite user- and security- friendly, consider it acceptable to leave Certificates so lightly protected?
For a cert in the Firefox certificate store there is nothing to be protected, unless it is a personal cert with the private key. You already confirmed you do get a master password prompt for your personal cert.
What exactly do you think needs protection for the other certs in the store?
Apologies for not clarifying - I am speaking specifically about personal certificates with private keys. I see that Bugzilla already has this (a couple of times), under consideration for enhancement. https://bugzilla.mozilla.org/show_bug.cgi?id=838272 https://bugzilla.mozilla.org/show_bug.cgi?id=219842