+++ This bug was initially created as a clone of Bug #664633 +++

Today, when Thunderbird encounters an invalid SSL certificate, it makes it really easy--too easy--for the user to configure an exception for that certificate. It makes it easy because many IMAPS and SMTPS servers use non-validatable certificate chains (self-signed certs, etc.). However, it is very unlikely that a server will start using a non-validatable certificate chain after it was previously using one that validated correctly. So, once a successful connection to a server has been made, Thunderbird should not prompt the user to add an exception. If the local copy of the auto-configuration database says that a valid certificate chain for a server should be provided (which would be the case for almost all of the servers in the auto-configuration database, AFAICT), then we should never prompt the user to add an exception for that server. Note that this will happen frequently when users are behind captive portals, which is how I noticed it.
Keywords: privacy, sec-review-needed
look at this with account sec
Whiteboard: [sr:curtisk] → [secr:curtisk]
Keywords: sec-review-needed → sec-review-complete
It is not unheard of that some server admin who previously paid for an SSL certificate no longer bothers to pay after its expiration, but takes a self-signed one instead. Suggestions:
1) still show the exception dialog, but add a warning that previously a valid certificate of issuer xyz was found
2) in particular, if the new self-signed certificate is found > 10 days before the expiration of the previous one, add a (large/red) man-in-the-middle warning!
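The two policies proposed in this thread (never offer an exception once a server has validated, versus still prompting but escalating the warning when the old certificate was far from expiry) as one decision function. This is an added illustration, not Thunderbird code; the function name, the history/presented/opts shapes and the 10-day threshold constant are assumptions chosen for the example.

```javascript
// Added example (not Thunderbird code): decide whether the certificate-exception
// dialog may be shown, based on what was seen from this server before.
const DAY_MS = 24 * 60 * 60 * 1000;
const MITM_WINDOW_DAYS = 10; // "> 10 days before expiration" threshold from the thread

// history: what we remember from earlier successful connections to this host, or null.
//   { validated: true, issuer: "<issuer name>", notAfter: <ms since epoch> }
// presented: the chain offered on this connection.
//   { validates: bool, selfSigned: bool }
// opts: { autoconfigExpectsValidChain: bool, strict: bool }
//   strict=true  -> never prompt once the server has validated (comment 0's policy)
//   strict=false -> still prompt, but escalate the warning (comment 1's policy)
function decideCertException(history, presented, opts, now = Date.now()) {
  if (presented.validates) {
    return { action: "connect", warning: null };
  }
  if (opts.autoconfigExpectsValidChain) {
    // Autoconfig database says this server always has a valid chain: no exception dialog.
    return { action: "refuse", warning: "autoconfig-expects-valid-chain" };
  }
  if (!history || !history.validated) {
    // Server never validated before (typical self-signed IMAPS/SMTPS host): ordinary dialog.
    return { action: "prompt", warning: null };
  }
  if (opts.strict) {
    // A valid chain was seen before; an invalid one now is treated as an attack, not a config change.
    return { action: "refuse", warning: "previously-validated" };
  }
  // Non-strict: prompt, but tell the user which issuer previously vouched for this server...
  const daysBeforeExpiry = (history.notAfter - now) / DAY_MS;
  if (daysBeforeExpiry > MITM_WINDOW_DAYS) {
    // ...and escalate when the old cert was nowhere near expiring, so a MITM is more plausible
    // than an admin letting the certificate lapse.
    return { action: "prompt", warning: "possible-mitm", previousIssuer: history.issuer };
  }
  return { action: "prompt", warning: "previously-valid-issuer", previousIssuer: history.issuer };
}
```

A real implementation would key `history` by host and port and update it only after a fully validated TLS handshake, so that a captive portal's interception page can never become the remembered state.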
I would like to work on this bug. Can I pick this? Please give the necessary information regarding the bug. Thanks.