Why is Firefox still shipping with the compromised Diginotar CA being trusted?

  • 6 replies
  • 7 have this problem
  • 1 view
  • Last reply by BabyMocha

I just downloaded Firefox 6.0.2. Apart from my surprise that we have yet another major release this year, I notice that the browser is being installed with a number of root certificates from the compromised DigiNotar CA still present under the 'authorities' tab. Am I correct in assuming that they are still being trusted and require manual removal after the install?

If so, shouldn't this CA be removed from the installer until the situation is resolved?

Modified by forumposter

All Replies (6)

Chosen Solution

You can click the Edit button on those DigiNotar certificates. Then you will see that all trust bits are unchecked and that the DigiNotar certificates can no longer be used as root certificates.

Yes, the trust bits are unchecked, but... That's way too convoluted for the average user. It has taken this advanced user much too long to determine that the certificates, though present, are not trusted. There should be an easy-to-spot indication that a certificate is no longer trusted. In this case, I think they should either have been deleted or added to the Revoked tab.

Don, yes, I also expected to find them in the Revoked tab. When I didn't see them there I assumed they were trusted. It didn't even occur to me to click the 'Edit' button. After all, I am wanting to check status, not 'edit' the certificate!

I have had to change my password twice to access my Yahoo mail, and after entering my username and new password, nothing would happen after hitting the Submit button! Then by chance, I discovered that the Yahoo certificate has changed and also it is in the same location as the DigiNotar certificate, which, by the way, is still trusted as well!!! Even after selecting the Do not trust option button, it automatically reverts back to Trust this certificate!!! I don't know how long this has been going on as I rarely checked my email. Can someone tell me what is going on here? I have attached a JPEG of FF 11.0 Tools > Options > Advanced tab > Encryption tab > View Certificates button > Server tab. Thanks so much in advance for your help.

Did you try to click the Edit CA Trust button?

Do you still see DigiNotar certificates under the Authorities tab?

Rename the cert8.db file in the Firefox profile folder to cert8.db.old or delete the cert8.db file to remove intermediate certificates that Firefox has stored.
If you have user certificates that you want to keep then export those certificates to a .cer file before removing the cert8.db file.
If that helped to solve the problem then you can remove the renamed cert8.db.old file.
Otherwise you can rename (or copy) the cert8.db.old file to cert8.db to restore the previous intermediate certificates.
Firefox will automatically store intermediate certificates when you visit websites that send such a certificate. You may need to remove or rename secmod.db (secmod.db.old) as well.

Delete the cert_override.txt file in the Firefox Profile Folder or rename the file to cert_override.txt.old to remove permanent exceptions stored in the file.
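Before deleting cert_override.txt wholesale, as the reply above suggests, it is worth seeing which permanent exceptions it actually holds, since an exception that silences an "untrusted issuer" error is exactly what would let a certificate chaining to a distrusted root (the DigiNotar case) be accepted without warning. The script below is an added example, not code from this thread or from Mozilla. It assumes the record format PSM writes to that file (comment lines starting with '#', then one tab-separated record per override: host:port, hash-algorithm OID, certificate fingerprint, flag letters M/U/T, base64 certificate DB key) and runs against a constructed sample rather than a real profile.

```python
"""Inspect Firefox's cert_override.txt before deleting it.

Added example (not from the support thread or Mozilla). Assumes the PSM file
format: '#' comment lines, then one tab-separated record per override:
host:port, hash-algorithm OID, certificate fingerprint, override flag letters,
base64-encoded certificate DB key.
"""
from __future__ import annotations

import base64
import binascii
from dataclasses import dataclass

# Override flag letters written by PSM and the validation error each one silences.
FLAG_MEANING = {
    "M": "hostname mismatch",
    "U": "untrusted or unknown issuer",
    "T": "expired or not yet valid",
}

SHA256_OID = "OID.2.16.840.1.101.3.4.2.1"


@dataclass
class Override:
    host: str
    port: int
    hash_oid: str
    fingerprint: str
    flags: str
    db_key: bytes  # decoded DB key (serial + issuer); not parsed further here

    def reasons(self) -> list[str]:
        return [FLAG_MEANING[f] for f in self.flags]


def parse_cert_override(text: str) -> list[Override]:
    """Parse the file body; raise ValueError on a malformed record."""
    overrides: list[Override] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 tab-separated fields, got {len(fields)}")
        hostport, oid, fingerprint, flags, key_b64 = fields
        host, sep, port = hostport.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"line {lineno}: bad host:port {hostport!r}")
        unknown = set(flags) - set(FLAG_MEANING)
        if unknown:
            raise ValueError(f"line {lineno}: unknown override flags {sorted(unknown)}")
        try:
            db_key = base64.b64decode(key_b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"line {lineno}: DB key is not valid base64") from exc
        overrides.append(Override(host, int(port), oid, fingerprint, flags, db_key))
    return overrides


def risky_overrides(overrides: list[Override]) -> list[Override]:
    """Overrides that silence an untrusted-issuer error ('U').

    These would let a certificate chaining to a distrusted root be accepted
    silently, so they deserve a look before the file is removed.
    """
    return [o for o in overrides if "U" in o.flags]


def is_malformed(text: str) -> bool:
    """True if the text is not a well-formed override file."""
    try:
        parse_cert_override(text)
    except ValueError:
        return True
    return False


def report(text: str) -> list[str]:
    """One human-readable line per override."""
    return [
        f"{o.host}:{o.port} {o.fingerprint[:23]}... overrides: {', '.join(o.reasons())}"
        for o in parse_cert_override(text)
    ]


# Constructed sample file (not captured from a real profile).
_FP = ":".join(f"{i:02X}" for i in range(32))  # shape of a SHA-256 fingerprint
_KEY = base64.b64encode(
    bytes(8) + b"\x00\x00\x00\x04\x00\x00\x00\x06" + b"\x01\x02\x03\x04" + b"issuer"
).decode()
SAMPLE = (
    "# PSM Certificate Override Settings file\n"
    "# This is a generated file!  Do not edit.\n"
    f"login.example.test:443\t{SHA256_OID}\t{_FP}\tMU\t{_KEY}\n"
    f"intranet.example.test:8443\t{SHA256_OID}\t{_FP}\tT\t{_KEY}\n"
)

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
    print("risky:", [o.host for o in risky_overrides(parse_cert_override(SAMPLE))])
```

Run it against a copy of the profile's cert_override.txt (read the file and pass its contents to report) and keep any record you cannot explain; a 'U' override for a site you log in to is the one to remove first, and renaming the file as described above removes all of them at once.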

Hi cor-el, thanks for replying. I had to change my password to reply to your reply. Is this the norm for accessing web accounts with Firefox 11.0? What is going on? I typed my password slowly too, but I ended up changing my password.

I did click that button but nothing happened! When I clicked it today, the dialog box reads "Certificate for this certificate authority was not found"!! Whereas other certificates like the "login.yahoo.com" certificate under the Server tab, where the DigiNotar certificate only displays, open two dialog boxes as indicated in the attached JPEG.

As to your suggestion on changing the name of the cert8.db file to cert8.db.old or just deleting it, that proves to be challenging for me. I looked for this Firefox profile folder, but no luck on seeing the cert8.db file at all. I am currently in my Limited User Account.

Thanks so much.