搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

Why does Firefox not let me mark Comodo/UserTrust Network cert for addons.mozilla.org as untrusted?

  • 3 个回答
  • 10 人有此问题
  • 1 次查看
  • 最后回复者为 Vivek

more options

Why does Firefox 8.0 insist on trusted a server cert from USERTRUST Network (the Comodo reseller involved in the scandal over bogus Google certs) when I tell it not to?!?!

I was looking at my Firefox certificates and found the bogus USERTRUST Network certificates in the Server section (I've got bogus certs for live.com, gmail, skype and addons.mozilla.org).

When I view most of these certificates, they are (thankfully) marked as being untrusted, however when I view the cert for addons.mozilla.org it is marked as valid SSL Client and Server certificate.

I tried turning this off, but when I reopen the certificate settings to confirm the change has been applied, the setting has returned to trusting the certificate.

Update - I tried this in safe mode (ie all add ons disabled) and the behaviour is the same.

Why does Firefox 8.0 insist on trusted a server cert from USERTRUST Network (the Comodo reseller involved in the scandal over bogus Google certs) when I tell it not to?!?! I was looking at my Firefox certificates and found the bogus USERTRUST Network certificates in the Server section (I've got bogus certs for live.com, gmail, skype and addons.mozilla.org). When I view most of these certificates, they are (thankfully) marked as being untrusted, however when I view the cert for addons.mozilla.org it is marked as valid SSL Client and Server certificate. I tried turning this off, but when I reopen the certificate settings to confirm the change has been applied, the setting has returned to trusting the certificate. Update - I tried this in safe mode (ie all add ons disabled) and the behaviour is the same.

由crewbie于修改

被采纳的解决方案

Hi,

You are right, it should be untrusted. I think the built-in certificates info is compiled into Firefox. So this might have been accidentally changed manually. You can try deleting the cert8.db file, restart Firefox and check the value.

定位到答案原位置 👍 1

所有回复 (3)

more options

选择的解决方案

Hi,

You are right, it should be untrusted. I think the built-in certificates info is compiled into Firefox. So this might have been accidentally changed manually. You can try deleting the cert8.db file, restart Firefox and check the value.

more options

Hello, Tried the delete file thing, didn't work. Tried delete in the cert manager, didn't work.

On restart the certs always return.

Is there some way to scrub the cert8.db file?

Obviously these certs are no good and don't belong. They just showed up one day, I even have the "ask me everytime" box checked but never saw the prompt for this CA.

more options

Hi,

Firefox has a default built-in CA certificates list and default settings - hard coded - which is independent of the OS certificate store. Please see NSS (Network Security Services). And after the recent consistent discovering of vulnerabilities in the CA system, I think Mozilla may also have started to include specific server exceptions which like the CA certificates list is configurable. So for example you can distrust a certificate authority trusted by Firefox and vice versa or add additional ones or modify / specify server exceptions.

These additional and imported certificates and manually configured preferences are stored in cert8.db which can be deleted. In this case the default certificates and settings are recreated. So this is what you may be seeing.

Ask me every time is for Your Certificates in View Certificates like when you may have created a personal certificate to log on to a site instead of username and password. These are certs for which you have both the public and private keys, unlike the others for which we'll never have a private key, and if we happen to get one that would mean another breakdown in the CA system. Please see Certificates.

This is my understanding, I could be wrong ;)

Please also see this.