Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Why does Firefox not let me mark Comodo/UserTrust Network cert for addons.mozilla.org as untrusted?

  • 3 odgovori
  • 10 ima ovaj problem
  • 1 view
  • Posljednji odgovor poslao Vivek

more options

Why does Firefox 8.0 insist on trusted a server cert from USERTRUST Network (the Comodo reseller involved in the scandal over bogus Google certs) when I tell it not to?!?!

I was looking at my Firefox certificates and found the bogus USERTRUST Network certificates in the Server section (I've got bogus certs for live.com, gmail, skype and addons.mozilla.org).

When I view most of these certificates, they are (thankfully) marked as being untrusted, however when I view the cert for addons.mozilla.org it is marked as valid SSL Client and Server certificate.

I tried turning this off, but when I reopen the certificate settings to confirm the change has been applied, the setting has returned to trusting the certificate.

Update - I tried this in safe mode (ie all add ons disabled) and the behaviour is the same.

Why does Firefox 8.0 insist on trusted a server cert from USERTRUST Network (the Comodo reseller involved in the scandal over bogus Google certs) when I tell it not to?!?! I was looking at my Firefox certificates and found the bogus USERTRUST Network certificates in the Server section (I've got bogus certs for live.com, gmail, skype and addons.mozilla.org). When I view most of these certificates, they are (thankfully) marked as being untrusted, however when I view the cert for addons.mozilla.org it is marked as valid SSL Client and Server certificate. I tried turning this off, but when I reopen the certificate settings to confirm the change has been applied, the setting has returned to trusting the certificate. Update - I tried this in safe mode (ie all add ons disabled) and the behaviour is the same.

Izmjenjeno od strane crewbie

Izabrano rješenje

Hi,

You are right, it should be untrusted. I think the built-in certificates info is compiled into Firefox. So this might have been accidentally changed manually. You can try deleting the cert8.db file, restart Firefox and check the value.

Pročitajte ovaj odgovor sa objašnjenjem 👍 1

All Replies (3)

more options

Odabrano rješenje

Hi,

You are right, it should be untrusted. I think the built-in certificates info is compiled into Firefox. So this might have been accidentally changed manually. You can try deleting the cert8.db file, restart Firefox and check the value.

more options

Hello, Tried the delete file thing, didn't work. Tried delete in the cert manager, didn't work.

On restart the certs always return.

Is there some way to scrub the cert8.db file?

Obviously these certs are no good and don't belong. They just showed up one day, I even have the "ask me everytime" box checked but never saw the prompt for this CA.

more options

Hi,

Firefox has a default built-in CA certificates list and default settings - hard coded - which is independent of the OS certificate store. Please see NSS (Network Security Services). And after the recent consistent discovering of vulnerabilities in the CA system, I think Mozilla may also have started to include specific server exceptions which like the CA certificates list is configurable. So for example you can distrust a certificate authority trusted by Firefox and vice versa or add additional ones or modify / specify server exceptions.

These additional and imported certificates and manually configured preferences are stored in cert8.db which can be deleted. In this case the default certificates and settings are recreated. So this is what you may be seeing.

Ask me every time is for Your Certificates in View Certificates like when you may have created a personal certificate to log on to a site instead of username and password. These are certs for which you have both the public and private keys, unlike the others for which we'll never have a private key, and if we happen to get one that would mean another breakdown in the CA system. Please see Certificates.

This is my understanding, I could be wrong ;)

Please also see this.