Re: Certificate Exceptions

Thu, 01 Mar 2012 14:53:43 -0800 

On 03/01/2012 02:07 PM, Christopher Howard wrote:

Quick Firefox question here from one of your non-developer users: Say I
try to connect to a site over HTTPS, but I am presented with a "This
Connection is Untrusted" dialogue due to an invalid certificate
(self-signed, non-matching, etc.) If I make a permanent security
exception, does that exception only apply to that particular
certificate, or am I implicitly choosing to always connect to that site
regardless of what invalid certificate is provided?
No, you are implicitly trusting that particular certificate for that particular site. If that cert shows up for a different site, or that site shows up with a different cert which is not trusted, you would get a notification again. 


In the old module, you were implicitly trusting the certificate for any 
site. I don't remember when we switched over, Firefox 3 or Firefox 4. I 
think it was the former. Anyway any certs you trusted under the old 
model will still be trusted for all websites.



You can see the certs you trust by going to 
(Edit->Preferences->Advanced->Encryption->View Certificates). New model 
certs will show up with a value in the server field. Old model certs as 
well as new certs that are explicitly distrusted will show up with a '*' 
in that field. Unfortunately distrust is a relatively new feature, so 
the only way to tell if a cert is distrusted is to click 'Edit Trust' 
and see if distrust is marked.


What I'm getting at: Obviously when I make a security exception I am
taking a risk on that connection being a MitM. But am I also opening
myself up to future MitM attacks, if a new certificate was to be
provided later?

In neither the new or the old model, you aren't opening yourself to 
future MITM attacks beyond the cert you just trusted. In the old model, 
the cert you trust could be used to MITM you on other websites. If 
haven't continually updated your profile from FF-3, it's highly unlikely 
that you have any old model certs in your trust store.


bob







-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto





















					Reply via email to