Closed Bug 1866697 Opened 2 years ago Closed 2 years ago

Removing trust from root CA certificates has no effect and sites using untrusted certificates load normally

Categories

(Core :: Security: PSM, defect)

Firefox 120
defect

RESOLVED INVALID

People

(Reporter: cibor97242, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0

Steps to reproduce:

Summary: Remove trust from a root certificate authority (e.g. GoDaddy), restart Firefox, go to a site using a TLS certificate signed by the GoDaddy root CA, and observe that the site loads normally as if trusted. Clearing all history/cache/etc. and restarting Firefox again led to the same result. I made sure this is not due to root CA inheritance from the OS by setting security.enterprise_roots.enabled to false.

Steps:

  1. Settings -> Privacy & Security -> Certificates -> View Certificates
  2. Scroll to GoDaddy
  3. Select GoDaddy certificate "Go Daddy Root Certificate Authority - G2"
  4. Click Edit Trust...
  5. Uncheck "This certificate can identify websites."
  6. Click OK
  7. Click OK
  8. Restart Firefox
  9. Go to a site using a certificate signed by GoDaddy (e.g. https://www.sccu.com) and observe site still loads without warning.

Actual results:

Site using TLS certificate signed by an untrusted root CA loads normally without warning.

Expected results:

Expected warning page like what you see at this test site for an untrusted root CA: https://untrusted-root.badssl.com

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Security: PSM
Product: Firefox → Core

That certificate is cross-signed by Go Daddy Class 2 Certification Authority (under The Go Daddy Group, Inc.). If you mark that as not trusted as well and then shift-refresh the page, it should work as expected.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID
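The comment above explains why the report is INVALID: the "Go Daddy Root Certificate Authority - G2" key is also carried in a cross-certificate issued by "Go Daddy Class 2 Certification Authority", so when G2 alone is distrusted the path builder simply continues past it and terminates at the still-trusted Class 2 root. The following Python toy path builder is an added illustration, not Firefox or NSS code; it models chain building over a hand-constructed certificate graph (names only, no real keys or signatures). The server name is the one from the report, the intermediate name is made up, and real implementations match issuer keys rather than just names.

```python
"""Toy certificate path builder showing the effect of a cross-signed root.

Added illustration, not Firefox/NSS code. The certificate graph below is
constructed by hand (subject/issuer names only, no real keys or signatures).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GODADDY_G2 = "Go Daddy Root Certificate Authority - G2"
GODADDY_CLASS2 = "Go Daddy Class 2 Certification Authority"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Certificates available to the path builder (constructed example chain).
POOL: List[Cert] = [
    Cert("www.sccu.com", "Example Intermediate CA"),  # server cert (constructed)
    Cert("Example Intermediate CA", GODADDY_G2),       # intermediate (constructed name)
    Cert(GODADDY_G2, GODADDY_G2),                      # self-signed G2 root
    Cert(GODADDY_G2, GODADDY_CLASS2),                  # cross-cert: G2 name/key signed by Class 2
    Cert(GODADDY_CLASS2, GODADDY_CLASS2),              # self-signed Class 2 root
]


def trust_store(distrust: frozenset = frozenset()) -> Dict[str, bool]:
    """Per-root 'This certificate can identify websites' flag, as in the
    Firefox certificate manager. Roots listed in `distrust` have the flag cleared."""
    return {name: name not in distrust for name in (GODADDY_G2, GODADDY_CLASS2)}


def build_path(cert: Cert, pool: List[Cert], trust: Dict[str, bool],
               visited: Tuple[Cert, ...] = ()) -> Optional[List[Cert]]:
    """Depth-first search from `cert` towards a trusted anchor.

    A certificate whose subject is trusted for websites ends the path. An
    untrusted self-signed certificate is a dead end, but an untrusted
    cross-certificate is NOT: the builder keeps walking to its issuer, which
    is exactly how distrusting only G2 still yields a chain via Class 2."""
    if trust.get(cert.subject, False):
        return [cert]  # reached a trusted anchor
    for cand in pool:
        if cand.subject != cert.issuer or cand in visited:
            continue
        if cand.self_signed and not trust.get(cand.subject, False):
            continue  # untrusted self-signed root cannot extend the path
        rest = build_path(cand, pool, trust, visited + (cert,))
        if rest is not None:
            return [cert] + rest
    return None


def chain_for(leaf_subject: str, trust: Dict[str, bool]) -> Optional[List[str]]:
    """Return the subject names along the first trusted path, or None."""
    leaf = next(c for c in POOL if c.subject == leaf_subject)
    path = build_path(leaf, POOL, trust)
    return None if path is None else [c.subject for c in path]


if __name__ == "__main__":
    for label, store in [
        ("both roots trusted", trust_store()),
        ("only G2 distrusted", trust_store(frozenset({GODADDY_G2}))),
        ("G2 and Class 2 distrusted", trust_store(frozenset({GODADDY_G2, GODADDY_CLASS2}))),
    ]:
        print(f"{label}: {chain_for('www.sccu.com', store)}")
```

With only G2 distrusted the chain still terminates at Class 2 through the cross-certificate, which is why the site loaded without a warning; clearing the website-trust flag on both roots is what makes path building fail and produces the untrusted-issuer error page.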