Open Bug 790924 Opened 13 years ago Updated 3 years ago

doesn't remember security exceptions

Categories

(Thunderbird :: Security, defect)

15 Branch
x86
Windows XP
defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: gumof, Unassigned)

Details

(Whiteboard: DUPEME)

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1
Build ID: 20120905151427

Steps to reproduce:

I have a device in my network which does SSL traffic analysis (IPS, AV scan, anti-spam) and which does ssl-decrypt-encrypt_with_own_cert for all those mentioned purposes. Any version of TB > 11.0.1 is killing me softly with hundreds of pop-up messages saying: "Certificate belongs to different site, which could indicate an identity theft." This message box has a check box with the comment: "Permanently store SSL Exception - Certificate belongs to different site", which doesn't work at all! If this option does not apply to this security exception, then disable it/gray it out ... All versions TB <= 11.0.1 produce fewer pop-up messages; with > v12, there are plenty of them.

Actual results:

TB didn't remember the security exception; it keeps asking over and over.

Expected results:

It should store the exception permanently; this is no MitM attack, it is a secure approach to security in the XXI century. I presume the dialog appears when TB is periodically checking for new mail ... it should not; if the cert is not changed (CA root in this case), it shouldn't. But I think the problem in the first place is because of a wrong implementation of overridable and non-overridable cert errors. BTW, adding the root CA of the security device to Authorities sorted out the problem permanently for accessing mail over web_br:443 in FF (15.0.1).
Summary: Permanently store SSL Exception: certificate belongs to different site → doesn't remembered security exceptions
Whiteboard: DUPEME
Summary: doesn't remembered security exceptions → doesn't remember security exceptions
Experiencing this same issue on Thunderbird 17.0.6 on MacOSX 10.8.4. I have a domain which I use for email, but the SSL certificate is issued by the hosting provider, not from my domain (hosting provider is dreamhost.com). Thunderbird prompts if I wish to accept the certificate and permanently store it. I instruct it to do so. Thunderbird indeed stores the certificate, but not permanently, for later on in the day the prompt will return.
Maybe related to bug 1106130? That is, checking "Permanently store this exception" does not help?
Severity: normal → S3