Comment 10 for bug 476683

Binary package hint: firefox-3.5

Any site with a valid SSL certificate from GlobalSign is treated as invalid by Firefox 3.5. This is a regression; I can confirm it working correctly in 3.0 versions.

To replicate, go to https://globalsign.com and observe the warning. I have tried manually importing the GlobalSign certs, but even after removing the built-in object tokens from the authorities list, I get warnings that GlobalSign already exists. Upon restart of Firefox, the authorities appear correctly.

This happens on new installs. It is worth noting that this happens in the Windows version too, so the bug needs to be sent upstream as well.

I am marking this a sec vulnerability, as not being certain on the validity of GlobalSign certified sites opens a potential MITM risk.

ProblemType: Bug
Architecture: amd64
Date: Fri Nov 6 12:00:46 2009
DistroRelease: Ubuntu 9.10
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
NonfreeKernelModules: nvidia
Package: firefox-3.5 3.5.4+nobinonly-0ubuntu0.9.10.1
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-14.48-generic
SourcePackage: firefox-3.5
Uname: Linux 2.6.31-14-generic x86_64