Any site with a valid SSL certificate from GlobalSign is treated as invalid by Firefox 3.5. This is a regression; I can confirm it working correctly in 3.0 versions.
To replicate, go to https://globalsign.com and observe the warning. I have tried manually importing the GlobalSign certs, but even after removing the built-in object tokens from the authorities list, I get warnings that GlobalSign already exists. Upon restart of Firefox, the authorities appear correctly.
This happens on new installs. It is worth noting that this happens in the Windows version too, so the bug needs to be sent upstream as well.
I am marking this a sec vulnerability, as not being certain on the validity of GlobalSign certified sites opens a potential MITM risk.
Binary package hint: firefox-3.5
ProblemType: Bug
Architecture: amd64
Date: Fri Nov 6 12:00:46 2009
DistroRelease: Ubuntu 9.10
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
NonfreeKernelModules: nvidia
Package: firefox-3.5 3.5.4+nobinonly-0ubuntu0.9.10.1
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-14.48-generic
SourcePackage: firefox-3.5
Uname: Linux 2.6.31-14-generic x86_64