GlobalSign SSL Certificates Treated as Invalid
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mozilla Firefox | Invalid | High | |
firefox-3.5 (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
Binary package hint: firefox-3.5
Any site with a valid SSL certificate from GlobalSign is treated as invalid by Firefox 3.5. This is a regression; I can confirm it working correctly in 3.0 versions.
To replicate, go to https:/
This happens on new installs. It is worth noting that this happens in the Windows version too, so the bug needs to be sent upstream as well.
I am marking this a sec vulnerability, as not being certain on the validity of GlobalSign certified sites opens a potential MITM risk.
ProblemType: Bug
Architecture: amd64
Date: Fri Nov 6 12:00:46 2009
DistroRelease: Ubuntu 9.10
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
NonfreeKernelMo
Package: firefox-3.5 3.5.4+nobinonly
ProcEnviron:
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSign
SourcePackage: firefox-3.5
Uname: Linux 2.6.31-14-generic x86_64
Changed in bugzilla:
status: Unknown → New
visibility: private → public
Changed in firefox-3.5 (Ubuntu):
status: New → Incomplete
Changed in bugzilla:
status: New → Invalid
affects: bugzilla → firefox
Changed in firefox:
importance: Unknown → High
I want to add that the roots in question are available here:
Current Root embedded in FF3RC2: http://secure.globalsign.net/cacert/Root.crt
Proposed Root to be embedded (same key material): http://secure.globalsign.net/cacert/Root-R1.crt
thanks.
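The comment above says the current and proposed GlobalSign roots share the same key material. The script below is an added example, not part of the bug report or of GlobalSign's or Mozilla's tooling: it shows how to verify such a claim offline by comparing the SHA-256 hash of each certificate's SubjectPublicKeyInfo. It assumes a working `openssl` binary and builds its own throwaway certificates instead of downloading the real roots.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether two root
# certificates embed the same public key. A re-issued root with the same
# key but a new subject or validity period has a different certificate
# fingerprint, yet chains signed by that key validate under either root.
set -eu

# spki_sha256 FILE -> SHA-256 hex digest of the certificate's SubjectPublicKeyInfo (DER)
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_sha256 FILE -> SHA-256 fingerprint of the whole certificate, for contrast
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | awk -F= '{print $2}'
}

# same_key A B -> exit status 0 when both certificates carry the same public key
same_key() {
    [ "$(spki_sha256 "$1")" = "$(spki_sha256 "$2")" ]
}

# Constructed fixtures (hypothetical names): two self-signed roots issued from
# one key, mimicking a re-issued root, plus a third root from a different key.
make_fixtures() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/k1.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/k2.pem" 2>/dev/null
    openssl req -x509 -new -key "$dir/k1.pem" -subj "/CN=Example Root" -days 30 -out "$dir/root.crt" 2>/dev/null
    openssl req -x509 -new -key "$dir/k1.pem" -subj "/CN=Example Root R1" -days 30 -out "$dir/root-r1.crt" 2>/dev/null
    openssl req -x509 -new -key "$dir/k2.pem" -subj "/CN=Other Root" -days 30 -out "$dir/other.crt" 2>/dev/null
    echo "$dir"
}
```

Running `make_fixtures` and then `same_key "$dir/root.crt" "$dir/root-r1.crt"` succeeds even though `cert_sha256` reports different fingerprints for the two files, which is exactly the situation a trust store keyed by certificate fingerprint cannot see.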