Comment 4 for bug 476683

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.4) Gecko/20091028 Ubuntu/9.10 (karmic) Firefox/3.5.4
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.4) Gecko/20091028 Ubuntu/9.10 (karmic) Firefox/3.5.4

Any site with a valid SSL certificate from GlobalSign is treated as invalid by Firefox 3.5. This is a regression; I can confirm it working correctly in 3.0 versions.

To replicate, go to https://globalsign.com and observe the warning. I have tried manually importing the GlobalSign certs, but even after removing the built-in object tokens from the authorities list, I get warnings that GlobalSign already exists. Upon restart of Firefox, the authorities appear correctly.

This happens on new installs. It is worth noting that this happens in the Windows version too.

I am marking this a sec vulnerability, as not being certain on the validity of GlobalSign certified sites opens a potential MITM risk.

This is almost certainly related to Bug 474606. This same bug is filed downstream against Ubuntu's Firefox 3.5 package at https://bugs.launchpad.net/ubuntu/+source/firefox-3.5/+bug/476683.

Following is the Launchpad debug information:
ProblemType: Bug
Architecture: amd64
Date: Fri Nov 6 12:00:46 2009
DistroRelease: Ubuntu 9.10
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
NonfreeKernelModules: nvidia
Package: firefox-3.5 3.5.4+nobinonly-0ubuntu0.9.10.1
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-14.48-generic
SourcePackage: firefox-3.5
Uname: Linux 2.6.31-14-generic x86_64

Reproducible: Always

Steps to Reproduce:
1. Go to any GlobalSign certified site (e.g. https://globalsign.com)
2. Observe the warning, and that the certificate information is correct