FF doesn't issue them that comes from the sites you go to that must update their certificates to match the Browser updated security checks.

This is nonsense, it is a intermediate certificate and FF has do install them just like other browser are doing.

Hi arachnid, could you give an example of a site using a revoked certificate?

If Firefox previously verified and saved an intermediate certificate, I don't know whether or when Firefox would re-verify it. With OCSP stapling, there are fewer checks now.

To flush your own collection of saved intermediate (and local) authority certificates, you can remove the cert9.db file as discussed in this article: What do the security warning codes mean? ("Corrupted certificate store" section).

DigiNotar Root CA and DigiNotar PKIOverheid CA Organisatie - G2.

DigiNotar is hacked in 2013 and root certificates are stolen.

If cert9.db is maybe corrupted as you suggest the installationsetup of FF is corrupted. This is a fresh installation. Intermediate Certification Authorities are missing in FF, this is an essential part of certificates and needed for client certificates.

DigiNotar Root CA and DigiNotar PKIOverheid CA Organisatie - G2.

Hi arachnid, in the Certificate Manager, you should find global distrust entries for those certificates on the "Servers" tab (Server = *). Are those not working -- will your Firefox connect to a site where one of those is the issuer?

Intermediate Certification Authorities are missing in FF, this is an essential part of certificates and needed for client certificates.

Firefox only ships with root certificates, and web servers provide the intermediate certificates to complete the chain of trust to the site certificate. At least, that's how it is supposed to work.

hi, yes the diginotar certificates are included into firefox, but they are set to distrusted out of the box to protect users (it's not entirely obvious in the ui, but if you doubleclick the ca in the cert manager you'll get the detailed view where firefox tells you that those certs are distrusted).

firefox doesn't need to ship with any intermediate CAs built-in. every intermediate CA needs to chain up to a trusted root CA. firefox can verify the integrity of this chain as it comes across any new CA while browsing the web and cache the trust in such an intermediate cert for future use.

Root certificates and Intermediate certificate has to come from a trusted source. A webserver is never a trusted source until it has been proven to be trusted. This is the task of certificates.

arachnid said

Root certificates and Intermediate certificate has to come from a trusted source. A webserver is never a trusted source until it has been proven to be trusted. This is the task of certificates.

Hi arachnid, how does the server prove its site certificate can be trusted?

Root certificates come with Firefox. An intermediate certificate provided to Firefox by a site needs to be signed by a trusted root certificate, or by another intermediate certificate that was signed by a trusted root certificate. If there isn't a complete chain of trust between a certificate and a trusted root, it is not considered valid in Firefox.

This seems to me to be a distributed system by design: it likely would be unsustainable to try to verify and ship all of the certificates. However, if you don't trust how this works, you could use a program that works differently, if any exist.

To help prove the DigiNotar certificates have been distrusted (for almost seven years now).

https://www.mozilla.org/security/advisories/mfsa2011-34/ https://blog.mozilla.org/security/2011/09/02/diginotar-removal-follow-up/

Note that the real Diginotar root certificate aren't present, but merely fake certificates that allow to add a permanent block exception under the Server tab, so even if the exception would be broken then the certificate could still be not used.

See:

• bug 829677#c10 - Remove cert entries for Actively Distrusted certs

(please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html)

jscher2000 said

arachnid said

Root certificates and Intermediate certificate has to come from a trusted source. A webserver is never a trusted source until it has been proven to be trusted. This is the task of certificates.

Hi arachnid, how does the server prove its site certificate can be trusted?

Root certificates come with Firefox. An intermediate certificate provided to Firefox by a site needs to be signed by a trusted root certificate, or by another intermediate certificate that was signed by a trusted root certificate. If there isn't a complete chain of trust between a certificate and a trusted root, it is not considered valid in Firefox.

This seems to me to be a distributed system by design: it likely would be unsustainable to try to verify and ship all of the certificates. However, if you don't trust how this works, you could use a program that works differently, if any exist.

Yes, it exist. for instance Google Chrome, Edge, IE. They all download the intermediate certificates and store it in the certificates store. FF is also supposed to do it but based on information I received from a FF developer and specialist. It is a very old problem and the present developers doesn't seem to bother to solve it.

Yes, some other browsers will go out on the internet and find an intermediate certificate the site did not send. Firefox does not do that. As far as I know, Firefox will not do that. Sites should be configured to send the correct certificate bundle and then there's no problem.

jscher2000 said

Yes, some other browsers will go out on the internet and find an intermediate certificate the site did not send. Firefox does not do that. As far as I know, Firefox will not do that. Sites should be configured to send the correct certificate bundle and then there's no problem.

That is a security risk, any root and intermediate must come from a trusted location. A webserver is not a trusted location.

this is not a security risk - firefox can cryptographically verify that an intermediate cert was issued by and is chaining up to a root ca that's placed in the browser's trust store.

arachnid said

jscher2000 said

Yes, some other browsers will go out on the internet and find an intermediate certificate the site did not send. Firefox does not do that. As far as I know, Firefox will not do that. Sites should be configured to send the correct certificate bundle and then there's no problem.

That is a security risk, any root and intermediate must come from a trusted location. A webserver is not a trusted location.

I think we are back where we started. The current system used by everyone (as far as I know) is:

• Root certificates are supplied with the browser or the OS.
• Intermediate certificates are NOT supplied with the browser or the OS, and before accepting them from wherever they are sourced on the web, the browser must determine they are validly signed by a trusted root, and not revoked.

You may not like the idea that intermediate certificates are handled in that way -- by everyone -- but it is not a support question.

jscher2000 said

arachnid said

jscher2000 said

Yes, some other browsers will go out on the internet and find an intermediate certificate the site did not send. Firefox does not do that. As far as I know, Firefox will not do that. Sites should be configured to send the correct certificate bundle and then there's no problem.

That is a security risk, any root and intermediate must come from a trusted location. A webserver is not a trusted location.

I think we are back where we started. The current system used by everyone (as far as I know) is:

• Root certificates are supplied with the browser or the OS.
• Intermediate certificates are NOT supplied with the browser or the OS, and before accepting them from wherever they are sourced on the web, the browser must determine they are validly signed by a trusted root, and not revoked.

You may not like the idea that intermediate certificates are handled in that way -- by everyone -- but it is not a support question.

This is how it is supposed to work, the browser get information about the required intermediate certificate. It checks this information with the trusted root certificate and then is supposed to download the intermediate certificate by the supplier (not the webserver) FF and some other browsers do miss something in this step with new intermediate certificates. I have installed the intermediate manually, started the websites which are making use of it. Then I deleted cert9.db The intermediate certificate was not in the certificate manager. I started one of the site and FF did his work what he was supposed. Showing a trusted site.

This is a very old issue in FF based on information I have received from a FF developer.

Firefox is working as designed. This is not a support issue.

If you think Firefox should always double-check with a more official source the first time it receives a previously unknown intermediate certificate from a web server, you could raise the idea on the dev-security-policy mailing list:

https://lists.mozilla.org/listinfo/dev-security-policy