Also, why am I unable to edit the cert issued to
http://www.microsoft.ipsos.com/ which I took from IE and put in the Fx Cert
Manager? I want to trust this cert but when I use edit and click the trust
button upon closing the Certificate Manager my edit is reversed and the do
not trust button is chosen.
Even after all this hassle, Fx will not open
http://www.microsoft.ipsos.com/. I don't know if the Microsoft server is
misconfigured or not but it shouldn't matter since I imported both Certs to
the Fx Cert Manager except Fx won't let me change the trust on the Microsoft
cert and perhaps if I could do that then Fx would open the site.
The Mozilla store only includes root certificates. The VeriSign Class 3
Secure Server CA is an intermediate certificate; it is signed by the
Verisign "Class 3 Public Primary Certification Authority" root, which is
in Firefox (and has been for some time).
If your website uses a certificate which is signed by the one you
mention, you need to place a copy of the intermediate certificate on the
webserver also, in line with instructions provided by your server vendor
and/or by Verisign. Otherwise, Firefox will not be able to follow the
certificate chain to the root.
IE will also have a similar problem, but only if it has never
encountered a correctly-configured web server (i.e. it caches
intermediate certs). So IE in new installs of Windows will also have the
> Also, why am I unable to edit the cert issued to
> http://www.microsoft.ipsos.com/ which I took from IE and put in the Fx Cert
I don't quite understand what you mean by "took from IE and put in the
Fx Cert Manager". Could you explain more about exactly what you did?
> I want to trust this cert but when I use edit and click the trust
> button upon closing the Certificate Manager my edit is reversed and the do
> not trust button is chosen.
If you want to trust this cert directly, visit the site in Firefox and
choose "Accept this certificate permanently" from the dialog which
results. The certificate will then appear in Firefox in Preferences |
Advanced tab | Encryption sub-tab | View Certificates button | Web Sites
tab. Your browser (but not anyone else's) will then visit the site in
future without error. But you would be far better off getting the server
I don't have a server. I am a user who got an email from Microsoft asking me
to participate in a global survey of Microsoft's customer service. I clicked
on the link to the survey and Fx, being my default browser, dutifully went
to the site and threw up a message that the site's cert could not be trusted
and asked what I wanted to do. I have had this happen many times with
Microsoft's sites and, Frank Hecker's answers notwithstanding, it irritates
the hell out of me and it makes Fx look stupid. This needs fixing. Average
users are beginning to ask what is wrong with Fx. In this case, Opera also
throws up the cannot be trusted popup but IE has no problems. I don't want
to use IE and I don't want to worry that the email I got was actually a
phishing email and that I will end up on a phishing site if I tell Fx to
trust the cert one time.
There is no dialog when I try to visit the site that would allow me to
"Accept this certificate permanently". Fx refuses to make any connection to
the site because it doesn't trust the Microsoft cert and I can't change it
in edit to trust.
As for root certs...Verisign has stopped that. They are no more. Verisign
certs are NO LONGER signed by a root authority. They have switched to an
intermediate authority only. They have spent two years switching and just
finished this month...hence all the problems because Fx hasn't kept up! Fx
will have to incorporate this intermediate cert eventually as Verisign has
finished the process to a two step cert. They are keeping the root certs for
another year only for legacy reasons. I know that Fx doesn't have
intermediate certs but it better change that soon and I assumed that it
already had. Explain to me how Fx is going to handle Verisign 2 step certs
if it won't keep the intermediate cert in the store?
I don't care if Microsoft has a misconfigured server and I don't really
think that is the problem. I simply want Fx to accept the cert which it
should be doing.
Then you should reply and tell them their site is misconfigured, and
that it throws up security warnings, and they should fix it. You can
even tell them how to, as we've explained it in this thread.
> There is no dialog when I try to visit the site that would allow me to
> "Accept this certificate permanently".
That's strange - I get one.
> As for root certs...Verisign has stopped that. They are no more. Verisign
> certs are NO LONGER signed by a root authority. They have switched to an
> intermediate authority only. They have spent two years switching and just
> finished this month...hence all the problems because Fx hasn't kept up!
The way it works is that certificates are in a chain. It used to be a
chain of only two - the website cert -> the root cert. Verisign, for
very good reasons, has switched to a chain of three - website cert ->
intermediate cert -> root cert. And it's the webserver's responsibility
to provide all the certs in the chain except the root.
So the webserver certs are still signed by a root authority, indirectly.
If they were not in a chain of trust linking to a root, then no browser
would trust them.
> already had. Explain to me how Fx is going to handle Verisign 2 step certs
> if it won't keep the intermediate cert in the store?
> I don't care if Microsoft has a misconfigured server and I don't really
> think that is the problem. I simply want Fx to accept the cert which it
> should be doing.
No, it shouldn't.
I can create a cert which claims to be a "VeriSign Class 3 Secure Server
CA" and sign my webserver's cert with it. If you then visit my website,
you'll get exactly the same error as you see at the ipsos.com site. The
ipsos one is genuine and my one isn't - but there's no way Firefox can
tell that without a copy of the intermediate cert.
Eddy has pointed out that this isn't quite correct; IE uses a
non-standard method to try and find and download the intermediate cert.
So you may not encounter problems in any version of IE. But, as Melelina
says, you will get problems in Opera and other browsers as well as Firefox.
No, it is not fake. The cert is issued to www.microsoft.ipsos.com by
Verisign. Fx borks at this and says Verisign is an untrusted issuer because
it doesn't have the NEW Verisign cert in the store. The new Verisign cert is
an INTERMEDIATE cert and it matters not the slightest that Fx traditionally
has not stored intermediate certs. It has to now and why isn't it? Verisign
no longer uses the old fashioned Root certs. They have slowly switched over
the past two years to a two step intermediate certification.
Granted, Microsoft evidently hasn't properly configured their server and the
certs are not being sent correctly. But, since I went and downloaded the
Verisign intermediate cert and placed it in the Fx Cert Manager and then
exported the cert issued by Verisign to www.microsoft.ipso.com to my desktop
and then imported it to the Cert Manager for Fx, I should not be having Fx
refuse to connect to the site. Maybe I put the microsoft cert in the wrong
section of the Certificate Manager and that might be why I can't edit it. I
put it under the Web tab. It may better be under "other people's". I think
the problem with the editing might be that there is no "ok" button on the
edit popup and the popup extends beyond the width of my screen so it is hard
to even close the edit popup. I'm on my old 98SE machine as my XP Pro one
year old machine is awaiting a second replacement mobo (first was doa) and
it won't boot but I think there is an ok button on that edit screen and it
is not showing up on 98SE.
I had to end up using IE and going to the site and then the survey took
about 20 minutes (I've done these many times for Microsoft) and because I
was on IE, not Fx, at the end of the survey where you are invited to tell in
your own words (as many words as you want) the most important things
Microsoft can do to gain customer trust and approval, after writing about
six paragraphs, I went to submit the survey (it is personalized based on
your initial and later answers and is a cool survey) and got an error that
the session had timed out. That has never happened on Fx but I recalled
later that it happened the other time I used IE because of concern with Fx
not accepting the cert and that was about a year ago.
I want to use Fx at Microsoft sites and I am very tired of Fx problems with
Microsoft certs and now there is the problem of Fx not having the new
Verisign intermediate cert and it wanting to rely on root certs that are no
longer used by Verisign. At least this is what I understand the situation
to be from threads at Mozillazine and dslreports security forum, etc. If
this is not the case please enlighten me.
At our CA, we have a robot checking for missing ICA certificates....and
send an appropriate message to the subscriber...
IE 7 will throw the error but the solution is to download the new root cert
update from Microsoft for IE 7 and also IE6.
http://support.microsoft.com/?scid=kb%3Ben-us%3B931125&x=11&y=12 It has the
Verisign immediate cert and others that Fx doesn't have.
I'm tired of hearing that IE uses a non-standard method to find and download
the intermediate cert. At any rate that is moot, because the cert is
included in the update I just mentioned. I still want to know why Fx doesn't
have the intermediate cert from Verisign.
Ah! A voice of sanity. Of course, Fx should have some method of obtaining
these intermediate certs so that the user doesn't have to go look for them
themselves as I have done! Microsoft and other sites are not going to fix
their servers that quickly...if ever and Fx should have a way to work around
that instead of haughtily insisting that standards aren't being met and that
the poor user should just contact the website with the misconfigured server
and complain. That is not realistic to ask that of the average Fx user.
What the reality is currently is that Fx refusing to figure out a way, as IE
has, to get these intermediate certs installed when servers are
misconfigured is that Fx is encouraging the user to just ignore any popup
warnings about the certs and to just click to accept any and all. It makes
for a jaded user and invites security problems. In respect to how certs are
handled, much as I love Fx, I think IE is superior in this regard.
But having said that, fighting MS is doing it the hard way...and
depending the policy of Mozilla (which does some non-standard things if
forced to ;-)), perhaps we should "fix" it the same way...does anybody
know if such a bug already exists?
> What the reality is currently is that Fx refusing to figure out a way, as IE
> has, to get these intermediate certs installed when servers are
> misconfigured is that Fx is encouraging the user to just ignore any popup
> warnings about the certs and to just click to accept any and all. It makes
> for a jaded user and invites security problems. In respect to how certs are
> handled, much as I love Fx, I think IE is superior in this regard.
It's not....but as usual creates problems for all the others...we have
seen that in bad web site designs by webmasters and some sites which
"don't work" in Mozilla, Opera...But Mozilla had to work around these
problems as well...so this is perhaps another one to tackle...?
BTW, the ICA certificates get installed into the IE cert store
permanently after fetching them...but they weren't there from the
beginning. If you'd import now the same ICA cert into the authorities
store at Firefox you should be OK as well...for now...
> The cert is issued to www.microsoft.ipsos.com by Verisign.
Or it appears to be.
> I want to use Fx at Microsoft sites and I am very tired of Fx problems with
> Microsoft certs
But you haven't yet shown any evidence of FF having a problem with a
Microsoft site. The site you cited is NOT a Microsoft site. The cert
for that server claims to have been issued to:
O = IPSOS-REID Corporation
L = Winnipeg
ST = Manitoba
C = US
(Heh, I guess the US must have annexed Manitoba when I wasn't looking. :)
If you DO have troubles with real Microsoft web sites, you can let me know.
I have contacts among Microsoft web site admins, and when I report a
problem with their servers, they often (not always) get fixed.
They always reply, somewhat red faced, that they only tested with IE.
I have no contacts in Manitoba.
> and now there is the problem of Fx not having the new
> Verisign intermediate cert
Verisign's class 3 intermediate CA cert is not new. It was issued on
April 16, 1997, 10 years ago (next month). It has been continuously
in use by thousands of web sites all that time, with NO difficulty by
Recently, Verisign discontinued issuing certs from their older "RSA
security" root. Their customers (web site administrators) had been
using server certs issued from the old RSA Security root for years,
and had never in their lives ever installed an intermediate CA cert
into their servers. Then, when they applied for renewed certs, they
got certs issued by Verisign's class 3 intermediate CA. Verisign's web
site explained to its subscribers the need to install the Intermediate
CA cert into their servers.
even in other languages (such as Japanese, here translated into English):
But many Verisign customers took no notice of those instructions. So,
those web sites, operated by people who didn't read the notices, now have
The fault isn't FireFox's, nor Verisign's.
> and it wanting to rely on root certs that are no longer used by Verisign.
Wrong, on several counts.
1. Verisign's old RSA Security Secure Server authority cert doesn't
expire until 2010. Until then, server certs issued by that CA will
continue to validate against that root CA cert.
2. ALL certs are verified by following a "chain" (or "path") of
CA certs, beginning with the issuer of the server cert, then the issuer
of that cert, and so on, until we come to a root CA cert (which is its
own issuer). If the chain is incomplete, so that we cannot follow it
all the way to the root, then the server cert cannot be verified.
Servers that send out incomplete cert chains are violating the standards
for SSL 3.0 and/or TLS (SSL 3.1), which require servers to send out
their entire cert chains, up to (but not including) the root CA.
An SSL server that doesn't send its intermediate CA certs is simply
non-conformant and mis-configured.
RFC 2246, the standard definition of TLS (SSL 3.1) says:
This is a sequence (chain) of X.509v3 certificates. The sender's
certificate must come first in the list. Each following
certificate must directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate which specifies the
root certificate authority may optionally be omitted from the
chain, under the assumption that the remote end must already
possess it in order to validate it in any case.
Yes, there is a standard for certs that allows (but does not require)
"relying parties" to go search on the internet for missing intermediate CA
certs. But that standard does NOT relieve SSL servers of the obligation to
send their entire server cert chains (minus the root CA cert, which is
> At least this is what I understand the situation to be from threads at
> Mozillazine and dslreports security forum, etc. If this is not the case
> please enlighten me.
Ah yes, those fonts of indisputable truth. :)
The problems need to be fixed where they exist, in the misconfigured
servers. Of course, it's easier to complain to mozilla, where in many
cases you're more likely to get a reply, but the problem will be fixed
when a sysadmin in Winnipeg fixes his server configuration. Maybe
you can help him/her hasten that day.
/Nelson B (mozilla SSL developer, IETF TLS member, co-author RFC 4492)
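The three points argued above can be checked mechanically: Gerv's chain of three (website cert -> intermediate -> root) where a look-alike intermediate with the right name but the wrong key buys nothing, Eddy's CA-side robot that flags servers sending an incomplete chain, and Nelson's reading of RFC 2246 (server sends its whole chain minus the root) with RFC 3280's Authority Information Access as an optional hint for relying parties. The following Go program is an added example written for this page; it is not code from the thread, from Mozilla or from any CA. It builds a throwaway PKI with the standard library (the root and intermediate names, the host name www.example.test and the AIA URL http://ca.example.test/intermediate.cer are all constructed for the example), then runs a browser-style verification and a chain audit over the three chains the thread discusses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical host name for the constructed leaf certificate (not the survey site in the thread).
const host = "www.example.test"

// pki is a constructed root -> intermediate -> leaf hierarchy plus Gerv's look-alike intermediate.
type pki struct{ root, inter, leaf, fakeInter, fakeLeaf *x509.Certificate }

// newCert issues a certificate for cn. A nil parent gives a self-signed root; otherwise the
// cert is signed by parentKey. Toy PKI for this example, not VeriSign's real hierarchy.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if !isCA {
		tmpl.DNSNames = []string{host}
		// AIA "CA Issuers" (RFC 3280 4.2.2.1): where a relying party MAY look for the issuer's
		// cert. Hypothetical URL; it does not relieve the server of sending its own chain.
		tmpl.IssuingCertificateURL = []string{"http://ca.example.test/intermediate.cer"}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// buildPKI issues the real chain and a second intermediate with the same name but its own key.
func buildPKI() pki {
	root, rootKey := newCert("Test Root CA", true, nil, nil)
	inter, interKey := newCert("Test Class 3 Secure Server CA", true, root, rootKey)
	leaf, _ := newCert(host, false, inter, interKey)
	fakeInter, fakeKey := newCert("Test Class 3 Secure Server CA", true, nil, nil)
	fakeLeaf, _ := newCert(host, false, fakeInter, fakeKey)
	return pki{root, inter, leaf, fakeInter, fakeLeaf}
}

// verifyAsBrowser does what Firefox does: trust only the root it ships with and try to build
// leaf -> intermediate -> root from what the server sent (sent[0] is the server's own cert).
func verifyAsBrowser(sent []*x509.Certificate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range sent[1:] {
		inters.AddCert(c)
	}
	_, err := sent[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// auditSentChain is the check a CA's "missing ICA" robot could run on a server's Certificate
// message, per RFC 2246: sender's cert first, each following cert directly certifies the one
// before it, and the last one is issued by a root the client already has. "" means complete.
func auditSentChain(sent []*x509.Certificate, root *x509.Certificate) string {
	for i := 0; i+1 < len(sent); i++ {
		if err := sent[i].CheckSignatureFrom(sent[i+1]); err != nil {
			return fmt.Sprintf("cert %d (%s) is not certified by cert %d (%s)", i, sent[i].Subject.CommonName, i+1, sent[i+1].Subject.CommonName)
		}
	}
	last := sent[len(sent)-1]
	if err := last.CheckSignatureFrom(root); err != nil {
		return fmt.Sprintf("chain incomplete: %q is issued by %q, which is not the trusted root", last.Subject.CommonName, last.Issuer.CommonName)
	}
	return ""
}

func main() {
	p := buildPKI()
	for name, sent := range map[string][]*x509.Certificate{
		"leaf only (misconfigured server)": {p.leaf},
		"leaf + intermediate (conformant)": {p.leaf, p.inter},
		"leaf signed by look-alike CA":     {p.fakeLeaf, p.fakeInter},
	} {
		fmt.Printf("%-34s browser: %v | audit: %q\n", name, verifyAsBrowser(sent, p.root), auditSentChain(sent, p.root))
	}
	fmt.Println("AIA CA Issuers URL on the leaf:", p.leaf.IssuingCertificateURL)
}
```

Only the leaf-plus-intermediate chain passes both checks. The leaf alone fails with an unknown-authority error, exactly the Firefox symptom in this thread, and the audit names the missing issuer, which is the message Eddy's robot would send the subscriber. The look-alike intermediate carries the expected name but its key was never certified by the root, so it fails the same way; a browser that accepted it on name alone would accept Gerv's forged CA too. The AIA URL is readable from the leaf, which is all RFC 3280 provides: a place a client may look, not a substitute for the server sending its chain.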
Eddy Nigg (StartCom Ltd.) wrote:
>> I can create a cert which claims to be a "VeriSign Class 3 Secure Server
>> CA" and sign my webserver's cert with it. If you then visit my website,
>> you'll get exactly the same error as you see at the ipsos.com site.
Nelson Bolyard wrote:
> Yes, there is a standard for certs that allows (but does not require)
> "relying parties" to go search on the internet for missing intermediate CA
Do you have the quote from the corresponding RFC for this?
> But that standard does NOT relieve SSL servers of the obligation to
> send their entire server cert chains
Sigh. It is a Microsoft partner site. On
is a statement that says:
"If you have received a Microsoft branded e-mail invitation from Ipsos
Loyalty (@satisfaction.microsoft.com) to participate in this research, you
can trust that the invitation was sent on our behalf. This is a valid
This is ipsos which is headquartered in Paris but has North American offices
one of which is in Canada:
I should have known better than to bring up the Fx certs issue. It is one of
the weak spots in Fx and I'm tired of the problems. I'm also tired of giving
the IE fanatics ammunition against Fx. You didn't explain anything I didn't
already know. You just blamed the server at the Ipsos site. IE has no
problems getting the certs. In essence you could be thought to be saying
"just use IE" as you offered excuses and pointed blame away from Fx. Maybe
the blame is on a misconfigured server but finger pointing doesn't get the
problem solved. You did not offer one constructive idea of how to fix this
sort of problem that Fx has, but IE doesn't, other than complain to the
webmaster or better just go "use IE".
If you install a web page wrongfully on your web server and the page
doesn't render, who do you have to blame? The browser? Of course
not...so in this case, this is a problem of the server admin as well...
> but finger pointing doesn't get the
> problem solved. You did not offer one constructive idea of how to fix this
> sort of problem that Fx has, but IE doesn't, other than complain to the
> webmaster or better just go "use IE".
I'd rather suggest *not* to visit that site and *not* participate in any
survey until the problem is fixed! Obviously this site doesn't really
give you a good feeling...judging from the URL, certificate installation
etc....I wouldn't provide any data...But perhaps this is what it's all
about? Maybe they don't want non-microsoft - non-IE users to
Oh, I just went to the site on IE and did the survey on IE. I have done
these surveys before but quite awhile since one from this Microsoft partner.
I just went to the http://www.microsoft.com/mscorp/marketing_research/ site
again a couple of hours ago and up popped a request for me to do another
survey! I was supposed to surf about and then come back and do the survey.
Fx didn't bork on this...but this survey by CmScore is not https because the
answers are anon. The earlier survey asks permission to link my answers to
my Microsoft Profile so I can be contacted for further explanation of my
answers especially the last one where I type several paragraphs about what
is the one thing Microsoft can do to gain better customer trust and
The thing is having to do it on IE was a bummer because the same thing
happened that happened once before using IE for one of these surveys. I took
considerable pains at the end to type about six paragraphs regarding what
one thing Microsoft can do to improve customer satisfaction and trust. I
went to submit the survey and got an error saying it had timed out. I tried
to go back to the previous page where those six paragraphs were and
couldn't. I was mad! So, I didn't submit the survey and I wrote the email
address we were given if we had questions or problems. The irony here is
that if I had just accepted the cert on Fx and done the survey on Fx, I am
almost certain that if I got a time out at the end that I could have gone
back to the previous page where those six paragraphs were and saved all the
answers (the survey is so long that you are periodically offered the chance
to save your answers and finish it another time) and then later come back
and submitted. IE has a flaw in this regard that Fx doesn't.
I certainly agree that, if possible, Fx should fetch those intermediate CA
certs like IE does. This is not the first time I have encountered a problem
like this with Fx and I have asked earlier for some resolution besides
contacting the "naughty" webmaster who didn't read the Verisign emails and
thus doesn't have his server properly configured. I, the end user, should
not need to do that or to scratch my head and wonder if I should accept the
cert "for this time only", etc.
What's different about 1.0? Someone I know fairly well stated that he had no
problems with Fx 1.0 at the site.
> Nelson Bolyard wrote:
>> Yes, there is a standard for certs that allows (but does not require)
>> "relying parties" to go search on the internet for missing
>> intermediate CA certs.
> Do you have the quote from the corresponding RFC for this?
It's RFC 3280 section 4.2.2.1, Authority Information Access
Too big to quote here.
>> But that standard does NOT relieve SSL servers of the obligation to
>> send their entire server cert chains
Later, Eddy wrote:
> If there is such a standard which suggests it as an option, then I think
> Mozilla should implement it....
We're working on it. Now up to 60,000 lines of new code for it, and
still growing. This feature is actually necessary in "bridge CA" (a.k.a.
"Cross certified CA") infrastructures, which are now beginning to emerge,
mostly in Asia.
Earlier, Eddy wrote:
> At our CA, we have a robot checking for missing ICA certificates....and
> send an appropriate message to the subscriber...
And by "the subscriber", Eddy means the web site administrator who
acquired the cert for his server.
Eddy, that's brilliant. It's a service that adds tremendous value for your
subscribers and all their users/customers. I wish more CAs did that.
Countless users have whined to mozilla with messages saying (in effect)
"your browser sucks because it isn't just like IE". Mozilla's answer has
generally been this: Mozilla products work with all web sites that conform
to the relevant standards. This thread is no different in any respect.
There are some people for whom the best answer is "use IE". Those are
people who insist that any product that doesn't render their favorite web
site as well as IE is therefore inferior to IE. Those people will never be
satisfied with anything but IE, and they should stop whining and use IE.
People who say they really prefer mozilla browsers, but can't or won't use
them because things are rendered differently than IE, are merely advocates
for IE, trying to disguise their advocacy. To such writers, I say,
If you want IE's behavior rather than standards-based behavior, you can
get it all you want, by using IE. Please do. You won't make any friends
here by continuing to belittle mozilla browsers for not being IE.
I have not whined about Firefox, SeaMonkey not being just like IE. If I
wanted a browser that was just like IE then I would use it. Why would I be
here trying to get something that needs fixing in Firefox fixed if I liked
I am trying to discuss a security issue that has nothing to do with how a
page looks in Mozilla as opposed to IE. I'm a realist and a practical
person. Mozilla developers appear sometimes to have their heads in the
clouds. I don't know whether the webmaster of the site goofed or not since
the relevant certs are there for IE to collect although evidently the
webmaster didn't do any of this to standards...but quick and dirty so to
speak or more specifically perhaps I should say that IE collects them in a
quick and dirty manner not up to "standards".
I am asking why Mozilla expects its users to fix this problem themselves by
contacting the webmaster of every page on the internet where the server is
misconfigured because the webmaster didn't read his Verisign mail. And what
is the individual to do while they wait for the webmaster to finally fix his
server? You are being very impractical. I see Fx 2.0 as being dumbed down in
some security/privacy areas (that is why I won't use it) and the reasons
given for this are that Mozilla has to appeal to the unwashed masses who
don't understand many things that were in versions up to 2.0 and thus
removed, or made less secure/private in 2.0, or hidden from the GUI. So,
using that reasoning why does Mozilla hide behind meeting "standards" as a
reason to not fix this particular problem? Don't the unwashed masses that
Mozilla wishes to appeal to deserve better?
BTW, I have used Mozilla browsers as my default browser since the days of
Phoenix and I resent your implying that I am some IE advocate in disguise.
Also, for whatever it is worth, the best version of Fx was 0.8. Those were
the heady days....