certificate exceptions don't work in every case

Status: NEW
Assignee: Unassigned
Product: Firefox
Component: Security
Priority: --
Severity: major
Reported: 8 years ago
Modified: 8 years ago

People

(Reporter: wolfiR, Unassigned)

Tracking

Version: 3.5 Branch
Points: ---
Firefox Tracking Flags: (Not tracked)

Description (Reporter, 8 years ago)
The following is a bit hard to describe, but I saw an example where Firefox was completely locked when visiting a simple webpage (basically the webpage is also broken I think, but FF should handle it better IMHO).

That is happening at least with FF 3.5rc2.

How to reproduce:
- visit https://www.videobuster.de
- you'll get a certificate warning as the CA is apparently not in NSS
- choose to add an exception for this certificate/site (temporary is enough)
- proceed to the site
- you will get more certificate warnings since the site refers to other hosts using the same certificate, but you cannot add exceptions for them
- once the site is (more or less) loaded it will show a JS alert about not being able to load important JavaScript, and you can't get rid of it anymore

Result: your Firefox session became unusable because of the modal JS alert.
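As an added illustration of the behaviour in the steps above (this is not code from the bug report or from Mozilla): Firefox stores certificate exceptions keyed by host and port in the profile's cert_override.txt, so an exception recorded for www.videobuster.de does not cover other hosts that present the very same certificate, and each of them raises its own warning. The parser below assumes the tab-separated layout of that file (host:port, hash OID, fingerprint, override bits, database key); the fingerprint, the database key and the second hostname other-host.example are constructed placeholders.

```python
"""Per-host certificate exceptions, modelled on Firefox's cert_override.txt.

Added example; not code from the bug report or from Mozilla.
Assumed file layout (tab-separated, one override per line):
    host:port  hash-OID  fingerprint  override-bits  db-key
Override bits: M = host name mismatch, U = untrusted issuer, T = time (expired).
"""
from dataclasses import dataclass

# Constructed sample: the fingerprint and db-key are placeholders, not real values.
FINGERPRINT = "3A:7F:01:C2:9E:5B:44:D0:88:1A:F6:23:7C:E9:0B:55:AD:62:19:C8"
SAMPLE_OVERRIDES = (
    "# PSM Certificate Override Settings file\n"
    "# This is a generated file!  Do not edit.\n"
    "www.videobuster.de:443\tOID.1.3.14.3.2.26\t" + FINGERPRINT
    + "\tU\tPLACEHOLDER-DBKEY\n"
)


@dataclass(frozen=True)
class Override:
    host: str
    port: int
    hash_oid: str
    fingerprint: str
    bits: str  # subset of "MUT" that this override is allowed to ignore


def parse_overrides(text):
    """Parse cert_override.txt contents into {(host, port): Override}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            raise ValueError(f"malformed override line: {line!r}")
        hostport, oid, fingerprint, bits = fields[:4]
        host, _, port = hostport.rpartition(":")
        entries[(host, int(port))] = Override(host, int(port), oid, fingerprint, bits)
    return entries


def override_covers(entries, host, port, fingerprint, error_bits):
    """True if a stored override lets this host:port be used with this exact
    certificate despite the given errors. The lookup is by host and port, so
    a second host serving the same certificate gets no benefit from it."""
    entry = entries.get((host, port))
    if entry is None or entry.fingerprint != fingerprint:
        return False
    return set(error_bits) <= set(entry.bits)


def demo():
    """Reproduce the report: the override helps the first host only.
    other-host.example stands in for the site's other hosts (hypothetical name)."""
    entries = parse_overrides(SAMPLE_OVERRIDES)
    return {
        "www.videobuster.de": override_covers(entries, "www.videobuster.de", 443, FINGERPRINT, "U"),
        "other-host.example": override_covers(entries, "other-host.example", 443, FINGERPRINT, "U"),
    }


if __name__ == "__main__":
    for host, ok in demo().items():
        print(f"{host}: {'exception applies' if ok else 'no exception, warning again'}")
```

Note that the override is also tied to the certificate fingerprint and to the specific error bits that were accepted: a changed certificate, or an additional error (for example a host name mismatch on top of the untrusted issuer), needs a new exception even on the same host.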

Comment 1 (8 years ago)

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090616 Firefox/3.5

Works for me perfectly: no temporary exception was needed.

I tested with a deleted cert8.db file, so that only built-in certificates would be used. The chain of certificates used by www.videobuster.de added the UTN-USERFirst-Hardware certificate (under AddTrust, serial number 26:21:1B:F5:2A:EB:51:B0:0B:FA:9F:DD:8D:36:DA:9E), while there is a similarly named certificate (built-in) under The USERTRUST Network (serial number 44:BE:0C:8B:50:00:24:B4:11:D3:36:2A:FE:65:0A:FD). I don't know if this is normal or not.

Comment 2 (Reporter, 8 years ago)
Oh, right. Checking with a fresh profile worked for me too.
The "AddTrust External CA Root" is marked as non-trusted for me, but I can only partly remember why. There was an issue with that CA at some point:

http://benjamin.smedbergs.us/blog/2008-12-24/how-to-disable-the-comodo-root-certificate-in-firefox/

Ok, still the main issue is not about this particular certificate, but to reproduce it, it should be enough to uncheck the trust bits.
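Comment 1 describes two certificates carrying the same name under different roots, and comment 2 reproduces the failure by removing the trust bits from AddTrust. The following is an added toy model (not NSS code, and not from this bug) of how a path builder ends up with no chain in that situation: the server sends the copy of UTN-USERFirst-Hardware signed by AddTrust External CA Root, while the built-in store holds a self-signed copy with the same key. The serial numbers are the ones quoted in comment 1; the key identifiers, the leaf certificate and the two search strategies (commit to the first name match, or backtrack across same-name candidates) are assumptions of the model.

```python
"""Toy certificate path builder: one intermediate name, two signed copies.

Added example; not NSS code and not from this bug. Signatures are modelled
by key identifiers: an issuer candidate must carry the subject name the child
names as issuer and hold the key the child names as its signer.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: str
    key_id: str         # identifier of this certificate's public key (constructed)
    signer_key_id: str  # key that signed this certificate (constructed)


# Serial numbers as quoted in comment 1; key ids and the leaf are constructed.
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root",
                     "(self-signed root)", "k-addtrust", "k-addtrust")
UTN_CROSS = Cert("UTN-USERFirst-Hardware", "AddTrust External CA Root",
                 "26:21:1B:F5:2A:EB:51:B0:0B:FA:9F:DD:8D:36:DA:9E",
                 "k-utn", "k-addtrust")
UTN_SELF = Cert("UTN-USERFirst-Hardware", "UTN-USERFirst-Hardware",
                "44:BE:0C:8B:50:00:24:B4:11:D3:36:2A:FE:65:0A:FD",
                "k-utn", "k-utn")
LEAF = Cert("www.videobuster.de", "UTN-USERFirst-Hardware",
            "(constructed leaf)", "k-leaf", "k-utn")

SENT_CHAIN = [LEAF, UTN_CROSS]             # what the server hands over
BUILTIN_STORE = [UTN_SELF, ADDTRUST_ROOT]  # what ships with the browser


def build_path(leaf, sent, store, trusted, backtrack=True):
    """Depth-first search from leaf to a certificate whose (subject, serial)
    has trust bits set. Server-sent certificates are tried before store ones.
    With backtrack=False the builder commits to the first matching issuer,
    which is the behaviour the reporter's failure is consistent with."""
    candidates = list(sent) + list(store)

    def issuers_of(cert):
        return [c for c in candidates
                if c is not cert
                and c.subject == cert.issuer
                and c.key_id == cert.signer_key_id]

    def search(cert, path):
        if (cert.subject, cert.serial) in trusted:
            return path
        choices = issuers_of(cert)
        if not backtrack:
            choices = choices[:1]
        for issuer in choices:
            if issuer in path:
                continue
            found = search(issuer, path + [issuer])
            if found:
                return found
        return None

    return search(leaf, [leaf])


def verify(distrust_addtrust, backtrack):
    """Return the serial numbers of the path found, or None if none exists."""
    trusted = {(c.subject, c.serial) for c in BUILTIN_STORE}
    if distrust_addtrust:  # comment 2: uncheck the trust bits on AddTrust
        trusted.discard((ADDTRUST_ROOT.subject, ADDTRUST_ROOT.serial))
    path = build_path(LEAF, SENT_CHAIN, BUILTIN_STORE, trusted, backtrack)
    return None if path is None else [c.serial for c in path]


if __name__ == "__main__":
    print("default trust:          ", verify(False, False))
    print("AddTrust distrusted:    ", verify(True, False))
    print("distrusted + backtrack: ", verify(True, True))
```

With the default trust store the server-sent intermediate chains to AddTrust and verification succeeds, which matches comment 1. Once AddTrust is distrusted, a builder that commits to the server-sent intermediate has nowhere to go, whereas one that also tries the self-signed UTN-USERFirst-Hardware from the store (same name, same key, different serial) still finds a valid path.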