Vanwege onderhoudswerkzaamheden die uw ervaring zouden moeten verbeteren, heeft deze website beperkte functionaliteit. Als een artikel uw probleem niet verhelpt en u een vraag wilt stellen, kan onze ondersteuningsgemeenschap u helpen in @FirefoxSupport op Twitter en /r/firefox op Reddit.

Zoeken in Support

Vermijd ondersteuningsscams. We zullen u nooit vragen een telefoonnummer te bellen, er een sms naar te sturen of persoonlijke gegevens te delen. Meld verdachte activiteit met de optie ‘Misbruik melden’.

Meer info

Deze conversatie is gearchiveerd. Stel een nieuwe vraag als u hulp nodig hebt.

Why does Firefox not let me mark Comodo/UserTrust Network cert for addons.mozilla.org as untrusted?

  • 3 antwoorden
  • 10 hebben dit probleem
  • 1 weergave
  • Laatste antwoord van Vivek

more options

Why does Firefox 8.0 insist on trusted a server cert from USERTRUST Network (the Comodo reseller involved in the scandal over bogus Google certs) when I tell it not to?!?!

I was looking at my Firefox certificates and found the bogus USERTRUST Network certificates in the Server section (I've got bogus certs for live.com, gmail, skype and addons.mozilla.org).

When I view most of these certificates, they are (thankfully) marked as being untrusted, however when I view the cert for addons.mozilla.org it is marked as valid SSL Client and Server certificate.

I tried turning this off, but when I reopen the certificate settings to confirm the change has been applied, the setting has returned to trusting the certificate.

Update - I tried this in safe mode (ie all add ons disabled) and the behaviour is the same.

Why does Firefox 8.0 insist on trusted a server cert from USERTRUST Network (the Comodo reseller involved in the scandal over bogus Google certs) when I tell it not to?!?! I was looking at my Firefox certificates and found the bogus USERTRUST Network certificates in the Server section (I've got bogus certs for live.com, gmail, skype and addons.mozilla.org). When I view most of these certificates, they are (thankfully) marked as being untrusted, however when I view the cert for addons.mozilla.org it is marked as valid SSL Client and Server certificate. I tried turning this off, but when I reopen the certificate settings to confirm the change has been applied, the setting has returned to trusting the certificate. Update - I tried this in safe mode (ie all add ons disabled) and the behaviour is the same.

Bewerkt door crewbie op

Gekozen oplossing

Hi,

You are right, it should be untrusted. I think the built-in certificates info is compiled into Firefox. So this might have been accidentally changed manually. You can try deleting the cert8.db file, restart Firefox and check the value.

Dit antwoord in context lezen 👍 1

Alle antwoorden (3)

more options

Gekozen oplossing

Hi,

You are right, it should be untrusted. I think the built-in certificates info is compiled into Firefox. So this might have been accidentally changed manually. You can try deleting the cert8.db file, restart Firefox and check the value.

more options

Hello, Tried the delete file thing, didn't work. Tried delete in the cert manager, didn't work.

On restart the certs always return.

Is there some way to scrub the cert8.db file?

Obviously these certs are no good and don't belong. They just showed up one day, I even have the "ask me everytime" box checked but never saw the prompt for this CA.

more options

Hi,

Firefox has a default built-in CA certificates list and default settings - hard coded - which is independent of the OS certificate store. Please see NSS (Network Security Services). And after the recent consistent discovering of vulnerabilities in the CA system, I think Mozilla may also have started to include specific server exceptions which like the CA certificates list is configurable. So for example you can distrust a certificate authority trusted by Firefox and vice versa or add additional ones or modify / specify server exceptions.

These additional and imported certificates and manually configured preferences are stored in cert8.db which can be deleted. In this case the default certificates and settings are recreated. So this is what you may be seeing.

Ask me every time is for Your Certificates in View Certificates like when you may have created a personal certificate to log on to a site instead of username and password. These are certs for which you have both the public and private keys, unlike the others for which we'll never have a private key, and if we happen to get one that would mean another breakdown in the CA system. Please see Certificates.

This is my understanding, I could be wrong ;)

Please also see this.