Closed Bug 543417 Opened 14 years ago Closed 14 years ago

https site still marked as trusted even if its CA cert is marked as untrusted

Categories

(Core :: Security: PSM, defect)

x86_64
Windows 7
defect
Not set
normal

Tracking


RESOLVED WORKSFORME

People

(Reporter: alpha.mm, Assigned: KaiE)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

I changed CA certificate trust settings for a CA cert (not root cert). Yet it seems nothing happens when I browse sites that use this cert.

Reproducible: Always

Steps to Reproduce:
1. Go to mail.163.com
2. Enter any random characters in the two textboxes on the right, which are e-addr and pwd.
3. Tick the checkbox on the right whose text contains "SSL".
4. Click the login button whose color is somewhat pink.
5. Now your certs should contain CNNIC SSL.
6. Tools -> Options -> Advanced -> View certificates.
7. Under "Entrust.net" branch, there should be a "CNNIC SSL" cert.
8. Edit it, cancel the three ticks in trust setting. Then OK, OK.
9. Now go to https://www.enum.cn/en/ . You'll find this site is still marked as TRUSTED though it is verified by CNNIC SSL.
Actual Results:  
Firefox gives me NO warnings when I'm trying to browse a site which is verified by a CA cert that I don't trust.

Expected Results:  
The browser should give me SOME warnings when I'm trying to browse a site which is verified by a CA cert that I don't trust.

I suspect this might be down to the fact that CNNIC has both an Entrust subsidiary root and its own top level root - you may need to disable trust in both places. In the meantime though, moving to Core::PSM
Assignee: nobody → kaie
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
Much thanks, Johnathan.
I've found another cert with common name "Entrust.net Secure Server Certification Authority" and serial number "37:4A:D2:43" that hasn't been set to "untrusted". After banning it, the site can be blocked.

So there are altogether 3 certs to set:
1. CNNIC ROOT
2. CNNIC SSL
3. Entrust.net Secure Server Certification Authority (37:4A:D2:43)

Again, thank you for your reply:)

(In reply to comment #1)
> I suspect this might be down to the fact that CNNIC has both an Entrust
> subsidiary root and its own top level root - you may need to disable trust in
> both places. In the meantime though, moving to Core::PSM
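The point made in comment #1 and confirmed in comment #2 is that a server certificate can chain to a trusted root along more than one path (here a CNNIC intermediate that is issued both by CNNIC's own root and, cross-signed, by an Entrust root), so marking one copy of the intermediate as untrusted only removes the paths that go through that exact certificate. The following toy path-discovery model is an added example, not Firefox or NSS code: it uses constructed certificate records with made-up handles (`cnnic-root`, `entrust-ssca`, `cnnic-ssl-by-cnnic`, `cnnic-ssl-by-entrust`, `site`), checks no signatures, and only demonstrates why a distrust decision has to cover every copy of a CA certificate that the path builder can reach.

```python
"""Toy X.509 path-discovery model (constructed example, not Firefox/NSS code).

Certificates are modelled only by subject name, issuer name and a per-object
trust flag; no cryptographic signature checking is done. Two different
certificate objects may share a subject name (a cross-signed intermediate),
which is exactly the situation the bug report describes.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class Cert:
    cert_id: str            # unique handle; a real store would key on the fingerprint
    subject: str
    issuer: Optional[str]   # None for a self-signed root
    is_root: bool = False


@dataclass
class TrustStore:
    certs: List[Cert]
    distrusted: Set[str] = field(default_factory=set)   # cert_ids marked "untrusted"

    def issuers_of(self, cert: Cert) -> List[Cert]:
        # Name-based issuer lookup: every object whose subject matches the issuer
        # name is a candidate, so a cross-signed CA yields several candidates.
        return [c for c in self.certs if c.subject == cert.issuer]


def find_valid_chains(store: TrustStore, leaf: Cert, max_depth: int = 6) -> List[List[Cert]]:
    """Return every chain leaf -> ... -> trusted root that contains no distrusted cert."""
    chains: List[List[Cert]] = []

    def walk(path: List[Cert]) -> None:
        current = path[-1]
        if current.cert_id in store.distrusted:
            return                      # this object is untrusted: prune this path only
        if current.is_root:
            chains.append(list(path))   # reached a trust anchor without hitting distrust
            return
        if len(path) >= max_depth:
            return
        for issuer in store.issuers_of(current):
            if issuer in path:
                continue                # avoid loops (roots cross-signing each other)
            walk(path + [issuer])

    walk([leaf])
    return chains


def is_trusted(store: TrustStore, leaf: Cert) -> bool:
    return bool(find_valid_chains(store, leaf))


def chain_ids(store: TrustStore, leaf: Cert) -> List[List[str]]:
    return [[c.cert_id for c in chain] for chain in find_valid_chains(store, leaf)]


def demo_store() -> TrustStore:
    # Constructed store modelled on the certificates named in the report:
    # one "CNNIC SSL" intermediate issued by CNNIC ROOT and a second copy
    # (same subject name) issued by the Entrust root.
    return TrustStore([
        Cert("cnnic-root", "CNNIC ROOT", None, is_root=True),
        Cert("entrust-ssca", "Entrust.net Secure Server Certification Authority", None, is_root=True),
        Cert("cnnic-ssl-by-cnnic", "CNNIC SSL", "CNNIC ROOT"),
        Cert("cnnic-ssl-by-entrust", "CNNIC SSL", "Entrust.net Secure Server Certification Authority"),
    ])


# Constructed leaf (hypothetical site) issued by the CNNIC SSL intermediate.
LEAF = Cert("site", "www.example.test", "CNNIC SSL")


if __name__ == "__main__":
    store = demo_store()
    print("no distrust:", chain_ids(store, LEAF))
    store.distrusted.add("cnnic-ssl-by-entrust")     # what step 8 of the report does
    print("Entrust copy distrusted:", chain_ids(store, LEAF))
    store.distrusted.update({"cnnic-root", "entrust-ssca"})
    print("roots distrusted too:", chain_ids(store, LEAF))
```

Distrusting only the `CNNIC SSL` object shown under the Entrust branch leaves the chain through `CNNIC ROOT` intact, which is the behaviour the reporter saw; the site is only rejected once every reachable path is cut, here by also distrusting the two roots. The practical check for a defender is therefore to enumerate every certificate object whose subject matches the CA being distrusted, not just the first one the UI shows.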
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Resolution: FIXED → WORKSFORME