Security Certificate only valid for IE

Bug #392691 reported by shanen (Shannon Jacobs) on 2009-06-26
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mozilla Firefox
Nominated for 3.5 by mts
Nominated for 3.6 by mts
firefox-3.0 (Ubuntu)

Bug Description

Not sure exactly where to report this, but the problem is really a kind of anti-Firefox problem. The security certificate is supported by IE, but returns the error message below from Firefox. I've tested it both in Ubuntu and under Windows (in the same machine where IE accepts it). I'd laugh it off as typical Japanese incompetence or nationalism or even xenophobia, but NTT (parent company of NTTPC) is actually one of the largest companies in Japan and a key player in the Japanese parts of the Internet. Or maybe they just want to support Microsoft and interfere with Firefox users? Can't Firefox add the appropriate certificate authority? (Yeah, I assume it's some minor fly-by-night security authority, but at least large enough for NTT to do business with.) I've attached the exported security certificate, too, though I'm not sure how to read it by itself.

Secure Connection Failed uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.

(Error code: sec_error_unknown_issuer)

    * This could be a problem with the server's configuration, or it could be someone trying to impersonate the server.

    * If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.

Figured out how to read it, though not how to cut and paste it into this system (though I'd think some expert there should be able to figure it out from the file I attached?). So here is the scoop on the anti-Firefox security certificate:

Common Name: GlobalSign Domain Validation CA
Organization: GlobalSign-nv-sa
Organizational Unit: Domain Validation CA

I don't know if it's a legit company, but NTT is supposed to be legit, and they're using this operation as the source of their so-called security. Also, Microsoft Explorer apparently accepts it.

Hmm... Could I validate it by somehow importing the root certificate from IE into my Firefox?

More data: There appear to be two GlobalSign root certificates--and they are already installed. Here is a case-by-case report of what I know:

In Ubuntu (with Firefox, of course), the NTTPC certificate fails, reporting that GlobalSign is not known. Looking in the list of installed certificates, it shows two root certificates for GlobalSign. When I copied the corresponding certificate from a Windows machine and tried to import it, I was told that the certificate is already installed.

In Windows using IE, the NTTPC certificate works, and the HTTPS connection is established.

In Windows using Firefox, the NTTPC certificate fails, with the identical error report as in Ubuntu. That was on the same Windows machine where IE worked.

Seems like there is something wrong with the way Firefox handles this certificate, but I can't imagine what it is. What additional data should I search for?

Micah Gersten (micahg) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. This bug did not have a package associated with it, which is important for ensuring that it gets looked at by the proper developers. You can learn more about finding the right package at I have classified this bug as a bug in firefox-3.0.
For future reference you might be interested to know that a lot of applications have bug reporting functionality built in to them. This can be accessed via the Report a Problem option in the Help menu for the application with which you are having an issue. You can learn more about this feature at

affects: ubuntu → firefox-3.0 (Ubuntu)

I've had trouble with that new bug reporting feature you mentioned, so I have mostly been bypassing it. I should try to go back to it to see if the bugs have been worked out of the bug reporting...

As regards this bug, I just installed Firefox 3.5, and I can confirm that the same problem exists there, too. I don't know how to link the two reports, but there is a separate discussion of this same problem involving the GlobalSign certificate. I'm not an expert, so I can't really say, but if I understand the situation roughly correctly, IE is doing some sloppy and basically unsafe form of error recovery. The actual error is in the configuration of the NTTPC server and involves some intermediate certificates, but the NTTPC people are either incompetent or anti-Firefox, or both. (I have trouble buying the pure incompetence explanation, since they are part of the conglomerate of the largest phone company in Japan, and ostensibly are major players in the Japanese Internet. Other subsidiaries focus on backbone services and portable phones, for examples.) However, because Microsoft gets to ram their standards down everyone's throats, it seems that Firefox should handle the situation differently.

When I think about it that way, it seems the proper solution would be for Firefox to check for the IE-only situation and explain why Microsoft's so-called solution is bad. Users would still have the manual override, with or without the permanent option, but the blame for the situation would be properly distributed between Microsoft and the anti-Firefox websites. (Alternatively, Firefox could adopt Microsoft's flawed implementation, but I don't like bad standards just because Microsoft said so.)

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments