Greetings, I tested it in Firefox, and the website provided me with a certificate issued by Cloudflare chaining up to an SSL.com root. Ben
On Fri, Apr 18, 2025 at 7:06 AM Arabella Barks <[email protected]> wrote: > Hi Andrew, > > We can't test by deleting "AAA Certificate Services" directly, we have to > disable it. > Because if we try delete, after refresh the testing target website, > **Firefox will automaticlly restore "AAA Certificate Services"** into its > truststore. > > I reproduced by following steps: > - Install firefox nightly, which my version is Firefox Nightly 139.0a1 > (2025-04-16). > - Open firefox and get into its setting, search box input "certificate" > and open "Certificate manager" in results. > - Click "Authorities" Tab. > - Edit trust for "Comodo AAA Certificate Services" under the group "Comodo > CA Limited", Disable all trust items. > - Refresh the target site, https://www.relialabtest.com, it should alert > "Error code: SEC_ERROR_UNKNOWN_ISSUER". > > If you have a better method to disable firefox auto upgrading truststore, > please mention me. > > Thank you > Ara > On Tuesday, April 15, 2025 at 7:58:09 AM UTC+8 Andrew Ayer wrote: > >> On Mon, 14 Apr 2025 16:10:47 -0700 (PDT) >> Arabella Barks <[email protected]> wrote: >> >> > The key issue is that the alternative path AIA doesn't function on >> > Firefox. Please attempt to remove the AAA Certificate Services from >> > your Firefox browser(to simulate what Ben and Mozilla's plan) and >> > then refresh the page at https://www.relialabtest.com. >> > Firefox will alert this website as insecure. >> >> I'm not able to reproduce this with either Firefox 137.0.1 or Firefox >> 128.9.0esr. >> >> Although Firefox doesn't implement AIA, it does have Intermediate >> Preloading[1], which enables Firefox to build an alternative chain to >> another trust anchor. >> >> Note it seems to take a brand new Firefox profile a few minutes to >> download the Intermediate Preloading data, during which time you do get a >> certificate error. Could that potentially explain the error you got? >> >> Regards, >> Andrew >> >> [1] >> https://blog.mozilla.org/security/2020/11/13/preloading-intermediate-ca-certificates-into-firefox/ >> > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZs0t-wkGytEgDisWMtpHwO2otEs5vhYpbnHWyU44K3%3Dg%40mail.gmail.com.
