Hi Andrew, We can't test by deleting "AAA Certificate Services" directly, we have to disable it. Because if we try delete, after refresh the testing target website, **Firefox will automaticlly restore "AAA Certificate Services"** into its truststore.
I reproduced by following steps: - Install firefox nightly, which my version is Firefox Nightly 139.0a1 (2025-04-16). - Open firefox and get into its setting, search box input "certificate" and open "Certificate manager" in results. - Click "Authorities" Tab. - Edit trust for "Comodo AAA Certificate Services" under the group "Comodo CA Limited", Disable all trust items. - Refresh the target site, https://www.relialabtest.com, it should alert "Error code: SEC_ERROR_UNKNOWN_ISSUER". If you have a better method to disable firefox auto upgrading truststore, please mention me. Thank you Ara On Tuesday, April 15, 2025 at 7:58:09 AM UTC+8 Andrew Ayer wrote: > On Mon, 14 Apr 2025 16:10:47 -0700 (PDT) > Arabella Barks <[email protected]> wrote: > > > The key issue is that the alternative path AIA doesn't function on > > Firefox. Please attempt to remove the AAA Certificate Services from > > your Firefox browser(to simulate what Ben and Mozilla's plan) and > > then refresh the page at https://www.relialabtest.com. > > Firefox will alert this website as insecure. > > I'm not able to reproduce this with either Firefox 137.0.1 or Firefox > 128.9.0esr. > > Although Firefox doesn't implement AIA, it does have Intermediate > Preloading[1], which enables Firefox to build an alternative chain to > another trust anchor. > > Note it seems to take a brand new Firefox profile a few minutes to > download the Intermediate Preloading data, during which time you do get a > certificate error. Could that potentially explain the error you got? > > Regards, > Andrew > > [1] > https://blog.mozilla.org/security/2020/11/13/preloading-intermediate-ca-certificates-into-firefox/ > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/6b554df0-8b3c-47af-997a-527ec5b93faen%40mozilla.org.
