SSL Certificates in Firefox 3.5

Firefox 3.5 was released yesterday and it offers some important improvements in speed and new web standards. It also makes a few changes to the way that SSL Certificates are handled. Primarily, it changes how SSL errors are displayed:

SSL Error in Firefox 3.5

The SSL certificate errors in Firefox 3.5 place great emphasis on making it clear to users that there is a problem with the certificate on a site. In some cases, the "Technical Details" section, which actually explains what is wrong, is not even shown until the user clicks on it. Further, if the user still wants to continue to the site (if the site is using a self-signed certificate, for example), he will have to click on "I Understand the Risks" and then the "Add Exception" button. This adds an extra click to the process of approving a self-signed certificate. While this seems small, many Firefox 3.5 users will likely complain, just as they complained about the way that SSL errors are handled in Firefox 3.0.

EV SSL Certificates

GlobalSign EV in Firefox 3.5

The interface for EV SSL Certificates is the same, but there appears to be an issue with EV certificates issued by GlobalSign, Trustwave, and CyberTrust. EV certificates issued by these providers, including the certificate on Mozilla's own https://addons.mozilla.org, are displayed as normal SSL Certificates with the blue bar instead of the green bar.

It appears that this is caused by certificates from those providers not having OCSP set up correctly. A bug report has been submitted about it, and users have asked about it, but more information should be provided soon. Thanks to Paul Smith for informing us of this issue.

Multi-level domains and Wildcard Certificates

It appears the new update has changed the way that Firefox uses wildcard certificates. Previous versions of Firefox would let you use a wildcard certificate for *.example.com to secure www.site1.example.com. Firefox now only allows a wildcard certificate to work on the first level of subdomains, just like Internet Explorer. This was apparently intended, and no plans to revert to the previous behavior have been found.
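The wildcard change described above can be modeled in a few lines. This is an added example, not Firefox's code and not part of the original post; the function names and the sample host list are assumptions constructed for illustration. It lists the hostnames that validated under the old multi-level rule but fail under the single-level rule.

```javascript
// Added illustration: a simplified model of the two wildcard rules the
// article describes. Not Firefox/NSS source; all names are hypothetical.

function normalize(name) {
  // DNS names are case-insensitive; drop a single trailing root dot.
  return name.toLowerCase().replace(/\.$/, "");
}

// Rule attributed to Firefox 3.5 and Internet Explorer: a leftmost "*"
// stands for exactly one DNS label.
function matchesSingleLabel(pattern, host) {
  const p = normalize(pattern).split(".");
  const h = normalize(host).split(".");
  if (p.length !== h.length) return false; // "*" cannot absorb extra labels
  if (h.includes("")) return false;        // reject empty labels ("a..b")
  return p.every((label, i) => (i === 0 && label === "*") || label === h[i]);
}

// Rule attributed to earlier Firefox versions: a leftmost "*" may cover
// one or more labels.
function matchesMultiLabel(pattern, host) {
  const p = normalize(pattern);
  const h = normalize(host);
  if (!p.startsWith("*.")) return p === h;
  const suffix = p.slice(1); // e.g. ".example.com"
  return h.length > suffix.length && h.endsWith(suffix) && !h.split(".").includes("");
}

// Hosts that validated under the old rule but fail under the new one:
// these need their own certificate or a wildcard at the right level.
function findBrokenHosts(certNames, hosts) {
  return hosts.filter(
    (host) =>
      certNames.some((n) => matchesMultiLabel(n, host)) &&
      !certNames.some((n) => matchesSingleLabel(n, host))
  );
}

// Constructed sample data (not from the article).
const sampleCertNames = ["*.example.com", "example.com"];
const sampleHosts = ["www.example.com", "www.site1.example.com",
  "example.com", "a.b.example.com", "WWW.Example.COM."];

console.log(findBrokenHosts(sampleCertNames, sampleHosts));
```

Run against a real inventory by replacing the sample arrays with the names on the certificate and the hostnames actually served.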


Posted on July 01, 2009
answers
Posts: 1
Comment
Broken CRL support is the cause
Reply #2 on : Fri July 10, 2009, 15:42:47
The issue, as acknowledged by Mozilla, is that their CRL code is not working properly for validation of EVs that rely solely on CRL for revocation status.

If you have a Trustwave issued EV certificate and are experiencing this behavior, you have two options. 1) Wait for the pending Mozilla patch, which will fix this issue. OR 2) Ask Trustwave to reissue the certificate. The reissued certificate will contain an OCSP based revocation path and work properly in FF 3.5.
allenkelly
Posts: 1
Comment
OCSP
Reply #1 on : Tue July 07, 2009, 10:50:23
"It appears that this is caused by certificates from those providers not having OCSP set up correctly."

Any updates on what was "officially" causing this?
