搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

Why does Firefox not let me mark Comodo/UserTrust Network cert for addons.mozilla.org as untrusted?

  • 3 回覆
  • 10 有這個問題
  • 1 次檢視
  • 最近回覆由 Vivek

more options

Why does Firefox 8.0 insist on trusted a server cert from USERTRUST Network (the Comodo reseller involved in the scandal over bogus Google certs) when I tell it not to?!?!

I was looking at my Firefox certificates and found the bogus USERTRUST Network certificates in the Server section (I've got bogus certs for live.com, gmail, skype and addons.mozilla.org).

When I view most of these certificates, they are (thankfully) marked as being untrusted, however when I view the cert for addons.mozilla.org it is marked as valid SSL Client and Server certificate.

I tried turning this off, but when I reopen the certificate settings to confirm the change has been applied, the setting has returned to trusting the certificate.

Update - I tried this in safe mode (ie all add ons disabled) and the behaviour is the same.

Why does Firefox 8.0 insist on trusted a server cert from USERTRUST Network (the Comodo reseller involved in the scandal over bogus Google certs) when I tell it not to?!?! I was looking at my Firefox certificates and found the bogus USERTRUST Network certificates in the Server section (I've got bogus certs for live.com, gmail, skype and addons.mozilla.org). When I view most of these certificates, they are (thankfully) marked as being untrusted, however when I view the cert for addons.mozilla.org it is marked as valid SSL Client and Server certificate. I tried turning this off, but when I reopen the certificate settings to confirm the change has been applied, the setting has returned to trusting the certificate. Update - I tried this in safe mode (ie all add ons disabled) and the behaviour is the same.

由 crewbie 於 修改

被選擇的解決方法

Hi,

You are right, it should be untrusted. I think the built-in certificates info is compiled into Firefox. So this might have been accidentally changed manually. You can try deleting the cert8.db file, restart Firefox and check the value.

從原來的回覆中察看解決方案 👍 1

所有回覆 (3)

more options

選擇的解決方法

Hi,

You are right, it should be untrusted. I think the built-in certificates info is compiled into Firefox. So this might have been accidentally changed manually. You can try deleting the cert8.db file, restart Firefox and check the value.

more options

Hello, Tried the delete file thing, didn't work. Tried delete in the cert manager, didn't work.

On restart the certs always return.

Is there some way to scrub the cert8.db file?

Obviously these certs are no good and don't belong. They just showed up one day, I even have the "ask me everytime" box checked but never saw the prompt for this CA.

more options

Hi,

Firefox has a default built-in CA certificates list and default settings - hard coded - which is independent of the OS certificate store. Please see NSS (Network Security Services). And after the recent consistent discovering of vulnerabilities in the CA system, I think Mozilla may also have started to include specific server exceptions which like the CA certificates list is configurable. So for example you can distrust a certificate authority trusted by Firefox and vice versa or add additional ones or modify / specify server exceptions.

These additional and imported certificates and manually configured preferences are stored in cert8.db which can be deleted. In this case the default certificates and settings are recreated. So this is what you may be seeing.

Ask me every time is for Your Certificates in View Certificates like when you may have created a personal certificate to log on to a site instead of username and password. These are certs for which you have both the public and private keys, unlike the others for which we'll never have a private key, and if we happen to get one that would mean another breakdown in the CA system. Please see Certificates.

This is my understanding, I could be wrong ;)

Please also see this.