
Will certificate change trigger error on sites with security exceptions?

  • 7 replies
  • 2 have this problem
  • 2 views
  • Last reply by Someon


I've got a site with a self-signed SSL certificate. I stored a permanent exception; the fingerprint of the certificate was correct.

Does this disable certificate checking, or does it save the one (the correct one in my case) the website presented at the time and warn when it's changed?


All replies (7)


I haven't tried switching between self-signed certificates, but when switching from the self-signed one to one from an official CA, it doesn't even warn. Even though that's extremely suspicious, I mean, I explicitly manually checked the other certificate, despite all the fucking warnings Firefox showed. And now it's silently accepting a certificate some random guy could have registered on startssl.com. Are you aware how fucking ironic that is?


Did you check the certificate chain to see if there is a chain that ends with a built-in root certificate?

You can retrieve the certificate and check details like who issued certificates and expiration dates of certificates.

  • Click the link at the bottom of the error page: "I Understand the Risks"
  • Let Firefox retrieve the certificate: "Add Exception" -> "Get Certificate"
  • Click the "View" button and inspect the certificate and check who is the issuer of the certificate.

You can see more details, like the intermediate certificates that are used, in the Details tab.

What happens if you temporarily rename cert8.db or check this in a new profile?


Sure the chain ends in a root certificate, that's what I've written in the previous post. Again:

  1. Self-signed certificate presented by server
  2. Annoying overly paranoid security warnings by Firefox
  3. Adding a security exception
  4. Asking here whether this will actually pin that certificate or disable checking altogether
  5. Installing a new certificate on the server, this time one signed by a CA which is trusted by Firefox
  6. Visiting the site again
  7. Not receiving any warning
  8. Being angry that Firefox didn't warn me, because this time Firefox actually possessed prior knowledge which spoke against this being a valid certificate
  9. Posting here to partly answer my question

And now again, on point 8: StartCom checks domain ownership with a code sent in a fucking plaintext unencrypted email. So when Firefox needs to choose to trust either a certificate manually verified by the user, and a certificate issued by some random company on the internet with lax security measures, what does it do? Maybe ask the user? Nope, just trust the random company with the lax security measures.


A certificate that can be chained to a built-in root certificate isn't self-signed, so Firefox won't show an untrusted message.

Did you try this in a new profile (or with cert8.db removed/renamed) without steps 1 and 2 and start with step 5, so there aren't any exceptions stored in Firefox?


I still think you don't understand what I'm trying to say.

cor-el said

A certificate that can be chained to a built-in root certificate isn't self-signed, so Firefox won't show an untrusted message.

But it should display a "strange thing happened" message because I previously added an exception for that site. I thought adding an exception meant pinning that specific certificate. It obviously doesn't. But it should.


An exception is bound to a specific certificate and not to a domain. If the server sends a valid certificate chain then there is no need to show any message.
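The two policies argued about in this thread differ in one decision: whether prior knowledge of a host's certificate is consulted when the new certificate chains to a trusted root. The following is an added example, not Firefox code and not posted by anyone in the thread. It models the exception behaviour as cor-el describes it above (an exception is keyed by certificate, and a validating chain is accepted without looking at exceptions) next to the trust-on-first-use pinning the original poster expected (a pin is keyed by host, and a changed certificate is refused even when the new chain validates). The policy function names, the pin-file format and the certificate byte strings in the scenario are assumptions of this example; the byte strings are constructed stand-ins, not real DER certificates. The two network helpers use only the standard `ssl` module and are there so a practitioner can run the same check against a real host.

```python
"""Certificate exception vs. trust-on-first-use pinning (added example)."""
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded end-entity certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def exception_policy(der: bytes, chain_validates: bool, exceptions: set) -> str:
    """Model of the behaviour described in this thread: exceptions are a set of
    certificate fingerprints, not host names, and are only consulted when the
    chain does not validate to a built-in root."""
    if chain_validates:
        return "accept"                 # prior exception is never looked at
    if fingerprint(der) in exceptions:
        return "accept-by-exception"
    return "error"                      # the untrusted-connection page


def tofu_policy(host: str, der: bytes, chain_validates: bool, pins: dict) -> str:
    """Trust-on-first-use pinning keyed by host: record the first fingerprint
    seen, then refuse any change, regardless of whether the new chain validates.
    Returns a verdict string; the caller decides how loudly to warn."""
    fp = fingerprint(der)
    pinned = pins.get(host)
    if pinned is None:
        pins[host] = fp                 # first use: verify fp out of band
        return "first-use"
    if pinned == fp:
        return "pinned-match"
    # A CA-signed replacement still trips the pin; chain_validates is
    # deliberately ignored here, which is exactly the point of contention.
    return "PIN-MISMATCH"


def load_pins(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_pins(path: Path, pins: dict) -> None:
    path.write_text(json.dumps(pins, indent=2, sort_keys=True))


def fetch_peer_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Retrieve the leaf certificate without verifying it (the equivalent of
    'Get Certificate' on the exception dialog)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def chain_validates(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if the presented chain validates against the system trust store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_name=None) if False else ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


def replay_thread_scenario() -> dict:
    """Steps 1-7 of the original poster's list with constructed certificate
    bytes (not real DER): self-signed cert A gets an exception, then the server
    switches to CA-signed cert B."""
    cert_a, cert_b = b"constructed-self-signed-cert-A", b"constructed-ca-signed-cert-B"
    exceptions, pins = set(), {}
    out = {}
    out["step3_exception"] = exception_policy(cert_a, False, exceptions)  # 'error'
    exceptions.add(fingerprint(cert_a))                                   # user adds it
    out["step3_tofu"] = tofu_policy("example.test", cert_a, False, pins)   # 'first-use'
    out["revisit_exception"] = exception_policy(cert_a, False, exceptions)
    out["revisit_tofu"] = tofu_policy("example.test", cert_a, False, pins)
    out["step7_exception"] = exception_policy(cert_b, True, exceptions)   # silent accept
    out["step7_tofu"] = tofu_policy("example.test", cert_b, True, pins)    # refused
    return out


if __name__ == "__main__":
    for k, v in replay_thread_scenario().items():
        print(f"{k:20s} {v}")
```

Running the scenario shows the divergence at step 7: the exception model returns `accept` because the new chain validates, while the TOFU model returns `PIN-MISMATCH` for the same input. To use the helpers against a live host, store `fingerprint(fetch_peer_der(host))` in the pin file on first use after checking it out of band, and feed later connections through `tofu_policy` together with `chain_validates(host)`.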


Yes there is. *sigh* Let's leave it at this, I just wish I knew a better browser to switch to. Lesser of evils I guess.