"David E. Ross" <[email protected]> wrote in message news:[email protected]... > On 12/6/11 4:44 AM, Desiree wrote: >> I have all Comodo related certs untrusted in all browsers since December >> 2008. I want to be alerted each time I go to a secure site that uses >> Comodo. I will then decide on a per site, one time only, exception basis >> if >> I wish to allow the exception or not. >> >> SM 2.5 has NO way to allow me to accept a Comodo cert used at Amazon.com >> when logging in there. The cert is for "images-na.ssl-images-amazon.com". >> I >> get an untrusted cert popup but all I can do is examine the cert. I >> cannot >> accept it. That means that I do get logged in because the main cert for >> Amazon is from Verisign and I have not disabled Verisign certs. But, >> because >> I cannot accept the Comodo cert on a one time basis, I have no images at >> Amazon after logging in. >> >> I have not tried other secure sites that use Comodo related certs with SM >> 2.5 but I would assume that I will not be able to use ANY of those sites >> with SM because there is no way to make a one time or permanent >> exception. >> >> Is this a known bug? >> >> >> > > On my SeaMonkey 2.5 installation (Windows XP), the > images-na.ssl-images-amazon.com domain chains through intermediate > certificate COMODO High-Assurance Secure Server CA to the root AddTrust > External CA Root without any problem. The intermediate certificate is > supplied by the amazon.com server, so that should not be any concern no > matter what you might have done to COMODO root certificates. Check the > trust bits for AddTrust External CA Root on your system to make sure > "This certificate can identify web sites." is checked. > > -- > > David E. Ross > <http://www.rossde.com/>. > I did say "all Comodo related certs" are untrusted in all my browsers. AddTrust is Comodo so it is UNtrusted.
The issue here is that I am seeing a BUG in SM. It will not allow me to do an exception (one time only or permanent) for the Comodo intermediate or AddTrust root certs. Is there a bug filed on this? Is it already known or what?

(On Fx 4.01, I am also not shown the cert and not given a chance to accept it. On all other sites where Comodo related certs are used, Fx gives me a warning and I can make an exception). Opera 11.60 allows me to make a one time exception but then it claims that Amazon web site is INsecure and that I should leave the site. (It says it is insecure because Opera apparently is about to make good on its long time threat to refuse access to sloppy sites like Amazon that have not bothered to fix their insecure servers in regard to TLS renegotiation. Opera did state about six months or more ago in its security blog that it would refuse access to these insecure sites if they had not upgraded their servers by the end of 2011).

Mozilla would have done the entire Internet community a tremendous favor if they had shown the guts to block all Comodo intermediate and root related certs in Fx and SM back in Dec 2008 when Eddy Nigg (founder of Start.com) was able to purchase a cert for mozilla.com from a Comodo reseller and he had no official connection to Mozilla. Remember the huge uproar and recall that Mozilla devs told its users to block Comodo, at least for the time being, and then proceeded in the mozilla.dev.tech.crypto NG to seriously discuss blocking Comodo and all related certificate authorities permanently in Fx and SM? Most security knowledgeable users still block all Comodo related certs for several security reasons. Comodo is the largest cert provider in the world and Mozilla would have done a great favor to all netizens to have forced Melih to comply with proper standards or go belly up.

