
Support Forum

Why isn't your certificate library up to date?

Posted

I notice that the certificate library of Firefox is outdated. Revoked certificates are still valid and second-level certificates are not available, like Trust Provide B.V. TLS RSA CA G1. You need to fix this because it is a security risk. I have just installed Firefox 61.0.1


System Details

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0

More Information

WestEnd 60 solutions 5387 answers
Posted

FF doesn't issue them; that comes from the sites you go to, which must update their certificates to match the browser's updated security checks.

Posted

Question owner

This is nonsense, it is an intermediate certificate and FF has to install them just like other browsers are doing.

jscher2000
  • Top 10 Contributor
8794 solutions 71946 answers
Posted

Helpful Reply

Hi arachnid, could you give an example of a site using a revoked certificate?

If Firefox previously verified and saved an intermediate certificate, I don't know whether or when Firefox would re-verify it. With OCSP stapling, there are fewer checks now.

To flush your own collection of saved intermediate (and local) authority certificates, you can remove the cert9.db file as discussed in this article: What do the security warning codes mean? ("Corrupted certificate store" section).

Posted

Question owner

DigiNotar Root CA and DigiNotar PKIOverheid CA Organisatie - G2.

DigiNotar was hacked in 2013 and root certificates were stolen.

If cert9.db is maybe corrupted as you suggest, the installation setup of FF is corrupted. This is a fresh installation. Intermediate Certification Authorities are missing in FF; this is an essential part of certificates and needed for client certificates.

jscher2000
  • Top 10 Contributor
8794 solutions 71946 answers
Posted
DigiNotar Root CA and DigiNotar PKIOverheid CA Organisatie - G2.

Hi arachnid, in the Certificate Manager, you should find global distrust entries for those certificates on the "Servers" tab (Server = *). Are those not working -- will your Firefox connect to a site where one of those is the issuer?

Intermediate Certification Authorities are missing in FF, this is an essential part of certificates and needed for client certificates.

Firefox only ships with root certificates, and web servers provide the intermediate certificates to complete the chain of trust to the site certificate. At least, that's how it is supposed to work.

philipp
  • Top 25 Contributor
  • Moderator
5324 solutions 23508 answers
Posted

hi, yes the diginotar certificates are included into firefox, but they are set to distrusted out of the box to protect users (it's not entirely obvious in the ui, but if you doubleclick the ca in the cert manager you'll get the detailed view where firefox tells you that those certs are distrusted).

firefox doesn't need to ship with any intermediate CAs built-in. every intermediate CA needs to chain up to a trusted root CA. firefox can verify the integrity of this chain as it comes across any new CA while browsing the web and cache the trust in such an intermediate cert for future use.

Posted

Question owner

Root certificates and intermediate certificates have to come from a trusted source. A webserver is never a trusted source until it has been proven to be trusted. This is the task of certificates.

jscher2000
  • Top 10 Contributor
8794 solutions 71946 answers
Posted

arachnid said

Root certificates and intermediate certificates have to come from a trusted source. A webserver is never a trusted source until it has been proven to be trusted. This is the task of certificates.

Hi arachnid, how does the server prove its site certificate can be trusted?

Root certificates come with Firefox. An intermediate certificate provided to Firefox by a site needs to be signed by a trusted root certificate, or by another intermediate certificate that was signed by a trusted root certificate. If there isn't a complete chain of trust between a certificate and a trusted root, it is not considered valid in Firefox.

This seems to me to be a distributed system by design: it likely would be unsustainable to try to verify and ship all of the certificates. However, if you don't trust how this works, you could use a program that works differently, if any exist.

James
  • Top 25 Contributor
  • Moderator
1602 solutions 11345 answers
Posted

To help prove the DigiNotar certificates have been distrusted (for almost seven years now).

https://www.mozilla.org/security/advisories/mfsa2011-34/
https://blog.mozilla.org/security/2011/09/02/diginotar-removal-follow-up/
cor-el
  • Top 10 Contributor
  • Moderator
17580 solutions 159053 answers
Posted

Note that the real DigiNotar root certificates aren't present, but merely fake certificates that allow adding a permanent block exception under the Server tab, so even if the exception were broken, the certificate could still not be used.

See:

  • bug 829677#c10 - Remove cert entries for Actively Distrusted certs
    https://bugzilla.mozilla.org/show_bug.cgi?id=829677#c10

(please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
)
Posted

Question owner

jscher2000 said

arachnid said
Root certificates and intermediate certificates have to come from a trusted source. A webserver is never a trusted source until it has been proven to be trusted. This is the task of certificates.

Hi arachnid, how does the server prove its site certificate can be trusted?

Root certificates come with Firefox. An intermediate certificate provided to Firefox by a site needs to be signed by a trusted root certificate, or by another intermediate certificate that was signed by a trusted root certificate. If there isn't a complete chain of trust between a certificate and a trusted root, it is not considered valid in Firefox.

This seems to me to be a distributed system by design: it likely would be unsustainable to try to verify and ship all of the certificates. However, if you don't trust how this works, you could use a program that works differently, if any exist.

Yes, it exists, for instance Google Chrome, Edge, IE. They all download the intermediate certificates and store them in the certificate store. FF is also supposed to do it, based on information I received from a FF developer and specialist. It is a very old problem and the present developers don't seem to bother to solve it.

jscher2000
  • Top 10 Contributor
8794 solutions 71946 answers
Posted

Yes, some other browsers will go out on the internet and find an intermediate certificate the site did not send. Firefox does not do that. As far as I know, Firefox will not do that. Sites should be configured to send the correct certificate bundle and then there's no problem.

Posted

Question owner

jscher2000 said

Yes, some other browsers will go out on the internet and find an intermediate certificate the site did not send. Firefox does not do that. As far as I know, Firefox will not do that. Sites should be configured to send the correct certificate bundle and then there's no problem.

That is a security risk, any root and intermediate must come from a trusted location. A webserver is not a trusted location.

philipp
  • Top 25 Contributor
  • Moderator
5324 solutions 23508 answers
Posted

this is not a security risk - firefox can cryptographically verify that an intermediate cert was issued by and is chaining up to a root ca that's placed in the browser's trust store.

jscher2000
  • Top 10 Contributor
8794 solutions 71946 answers
Posted

arachnid said

jscher2000 said
Yes, some other browsers will go out on the internet and find an intermediate certificate the site did not send. Firefox does not do that. As far as I know, Firefox will not do that. Sites should be configured to send the correct certificate bundle and then there's no problem.

That is a security risk, any root and intermediate must come from a trusted location. A webserver is not a trusted location.

I think we are back where we started. The current system used by everyone (as far as I know) is:

  • Root certificates are supplied with the browser or the OS.
  • Intermediate certificates are NOT supplied with the browser or the OS, and before accepting them from wherever they are sourced on the web, the browser must determine they are validly signed by a trusted root, and not revoked.

You may not like the idea that intermediate certificates are handled in that way -- by everyone -- but it is not a support question.

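The chain-building rule that philipp and jscher2000 describe above (trust store holds only roots; an intermediate handed over by the server is verified against that store, never trusted on its own) can be reproduced on the command line. The script below is an added example and is not code from this thread or from Mozilla; it assumes only that the openssl CLI (1.1.1 or later) is on the PATH, and every name in it (Example Root CA, www.example.test, the "Unrelated" hierarchy) is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the support thread: build a root -> intermediate -> leaf
# chain with the openssl CLI and show how a client that trusts ONLY the root
# decides whether a server-supplied intermediate is acceptable.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue NAME SUBJECT EXTFILE [ISSUER]: make a throwaway RSA key and CSR, then
# either self-sign (no issuer) or sign with the named issuer's key.
issue() {
  name=$1 subj=$2 ext=$3 issuer=$4
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -out "$WORK/$name.csr" -subj "$subj" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -out "$WORK/$name.pem" -days 30 -extfile "$ext" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -out "$WORK/$name.pem" \
      -days 30 -extfile "$ext" 2>/dev/null
  fi
}

# Extension profiles: a CA certificate may sign other certificates; a leaf may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"

build_chains() {
  # Legitimate hierarchy; root.pem is the only thing the "browser" trusts.
  issue root  "/CN=Example Root CA"         "$WORK/ca.ext"
  issue inter "/CN=Example Intermediate CA" "$WORK/ca.ext"   root
  issue leaf  "/CN=www.example.test"        "$WORK/leaf.ext" inter
  # Unrelated hierarchy (constructed): an intermediate that is well-formed and
  # validly signed, but by a root the browser has never heard of.
  issue rogue_root  "/CN=Unrelated Root CA"         "$WORK/ca.ext"
  issue rogue_inter "/CN=Unrelated Intermediate CA" "$WORK/ca.ext"   rogue_root
  issue rogue_leaf  "/CN=www.example.test"          "$WORK/leaf.ext" rogue_inter
}

# -CAfile + -no-CApath: the trust store is exactly one root. Anything the
# server sends arrives through -untrusted: input to be checked, not trusted.
verify_leaf_alone() {
  openssl verify -no-CApath -CAfile "$WORK/root.pem" "$WORK/leaf.pem"
}
verify_with_intermediate() {
  openssl verify -no-CApath -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"
}
verify_rogue_chain() {
  openssl verify -no-CApath -CAfile "$WORK/root.pem" -untrusted "$WORK/rogue_inter.pem" "$WORK/rogue_leaf.pem"
}

build_chains
echo "1. leaf only, server sent no intermediate (expected: chain incomplete, rejected)"
verify_leaf_alone || true
echo "2. leaf plus server-supplied intermediate (expected: OK, chain closes at the trusted root)"
verify_with_intermediate
echo "3. leaf plus intermediate from an unrelated hierarchy (expected: rejected)"
verify_rogue_chain || true
```

Case 1 is the misconfigured server jscher2000 mentions (no intermediate in the bundle): the leaf is not wrong, the chain is just incomplete, so a client that does not fetch missing intermediates rejects it. Case 2 is the normal case: the intermediate came from the server, yet it is accepted only because its signature verifies under the trusted root. Case 3 is the scenario the question owner is worried about, an intermediate "from the webserver" that chains to nothing trusted, and it is refused for exactly that reason.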
Posted

Question owner

jscher2000 said

arachnid said
jscher2000 said
Yes, some other browsers will go out on the internet and find an intermediate certificate the site did not send. Firefox does not do that. As far as I know, Firefox will not do that. Sites should be configured to send the correct certificate bundle and then there's no problem.

That is a security risk, any root and intermediate must come from a trusted location. A webserver is not a trusted location.

I think we are back where we started. The current system used by everyone (as far as I know) is:

  • Root certificates are supplied with the browser or the OS.
  • Intermediate certificates are NOT supplied with the browser or the OS, and before accepting them from wherever they are sourced on the web, the browser must determine they are validly signed by a trusted root, and not revoked.

You may not like the idea that intermediate certificates are handled in that way -- by everyone -- but it is not a support question.

This is how it is supposed to work: the browser gets information about the required intermediate certificate. It checks this information against the trusted root certificate and then is supposed to download the intermediate certificate from the supplier (not the webserver). FF and some other browsers do miss something in this step with new intermediate certificates. I installed the intermediate manually and started the websites which make use of it. Then I deleted cert9.db. The intermediate certificate was not in the certificate manager. I started one of the sites and FF did the work it was supposed to do, showing a trusted site.

This is a very old issue in FF based on information I have received from a FF developer.

jscher2000
  • Top 10 Contributor
8794 solutions 71946 answers
Posted

Firefox is working as designed. This is not a support issue.

If you think Firefox should always double-check with a more official source the first time it receives a previously unknown intermediate certificate from a web server, you could raise the idea on the dev-security-policy mailing list:

https://lists.mozilla.org/listinfo/dev-security-policy
