This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Will certificate change trigger error on sites with security exceptions?

  • 7 replies
  • 2 have this problem
  • 1 view
  • Last reply by Someon

more options

I've got a site with a self-signed ssl certificate. I stored a permanent exception, the fingerprint of the certificate was correct.

Does this disable certificate checking or does it save the one (correct one in my case) the website presented at the time and warns when it's changed?

I've got a site with a self-signed ssl certificate. I stored a permanent exception, the fingerprint of the certificate was correct. Does this disable certificate checking or does it save the one (correct one in my case) the website presented at the time and warns when it's changed?

All Replies (7)

more options

It haven't tried switching between self-signed certificates, but when switching from the self signed to one from an official CA, it doesn't even warn. Even though that's extremely suspicious, I mean, I explicitly manually checked the other certificate, despite all the fucking warnings Firefox showed. And now it's silently accepting a certificate some random guy could have registered on startssl.com. Are you aware how fucking ironic that is?

more options

Did you check the certificate chain to see if there is a chain that ends with a built-in root certificate?

You can retrieve the certificate and check details like who issued certificates and expiration dates of certificates.

  • Click the link at the bottom of the error page: "I Understand the Risks"
  • Let Firefox retrieve the certificate: "Add Exception" -> "Get Certificate"
  • Click the "View" button and inspect the certificate and check who is the issuer of the certificate.

You can see more details like the intermediate certificates that are used in the Detail tab.

What happens if you temporarily rename cert8.db or check this in a new profile?

more options

Sure the chain ends in a root certificate, that's what I've written in the previous post. Again: 1: Self-signed certificate presented by server 2: Annoying overly paranoid security warnings by Firefox 3: Adding a security exception 4: Asking here whether this will actually pin that certificate or disable checking altogether 5: Installing a new certificate on the server, this time one signed by a CA which is trusted by Firefox. 6. Visiting the site again 7. Not receiving any warning. 8. Being angry that Firefox didn't warn me, because this time Firefox actually possessed prior knowledge which spoke against this being a valid certificate. 9. Posting here to partly answer my question.

And now again, on point 8: StartCom checks domain ownership with a code sent in a fucking plaintext unencrypted email. So when Firefox needs to choose to trust either a certificate manually verified by the user, and a certificate issued by some random company on the internet with lax security measures, what does it do? Maybe ask the user? Nope, just trust the random company with the lax security measures.

more options

A certificate that can be chained to a built-in root certificate isn't self-signed, so Firefox won't show an untrusted message.

Did you try this in a new profile (or with cert8.db removed/renamed) without steps 1 and 2 and start with step 5, so there aren't any exceptions stored in Firefox?

more options

I still think you don't understand what I'm trying to say.

cor-el said

A certificate that can be chained to a built-in root certificate isn't self-signed, so Firefox won't show an untrusted message.

But it should display a "strange thing happened" message because I previously added an exception for that site. I thought adding an exception meant pinning that specific certificate. It obviously doesn't. But it should.

more options

An exception is bound to a specific certificate and not to a domain. If the server sends a valid certificate chain then there is no need to show any message.

more options

Yes there is. *sigh* Let's leave it at this, I just wish I knew a better browser to switch to. Lesser of evils I guess.