[Bug 476683] [NEW] GlobalSign SSL Certificates Treated as Invalid

Launchpad Bug Tracker 476683 at bugs.launchpad.net
Thu Nov 26 09:11:28 UTC 2009


*** This bug is a security vulnerability ***

You have been subscribed to a public security bug:

Binary package hint: firefox-3.5

Any site with a valid SSL certificate from GlobalSign is treated as
invalid by Firefox 3.5. This is a regression; I can confirm it working
correctly in 3.0 versions.

To replicate, go to https://globalsign.com and observe the warning. I
have tried manually importing the GlobalSign certs, but even after
removing the built-in object tokens from the authorities list, I get
warnings that GlobalSign already exists. Upon restart of Firefox, the
authorities appear correctly.

This happens on new installs. It is worth noting that this happens in
the Windows version too, so the bug needs to be sent upstream as well.

I am marking this as a sec vulnerability, as not being certain of the
validity of GlobalSign-certified sites opens a potential MITM risk.

ProblemType: Bug
Architecture: amd64
Date: Fri Nov  6 12:00:46 2009
DistroRelease: Ubuntu 9.10
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
NonfreeKernelModules: nvidia
Package: firefox-3.5 3.5.4+nobinonly-0ubuntu0.9.10.1
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-14.48-generic
SourcePackage: firefox-3.5
Uname: Linux 2.6.31-14-generic x86_64

** Affects: firefox
     Importance: Unknown
         Status: Invalid

** Affects: firefox-3.5 (Ubuntu)
     Importance: Undecided
         Status: Invalid


** Tags: amd64 apport-bug
-- 
GlobalSign SSL Certificates Treated as Invalid
https://bugs.edge.launchpad.net/bugs/476683
You received this bug notification because you are a member of Mozilla Bugs, which is subscribed to Mozilla Firefox.



