Does adding a certificate exception in Firefox tell it to trust a certificate, an address, or a combination of both?


Problem description

Does adding a certificate exception in Firefox tell it to trust a certificate, an address, or a combination of both? See the following hypothetical:

First, I hypothetically visit https://foo.com, which uses a self-signed certificate. My browser alerts me that the certificate is self-signed, but I choose to add an exception (in Firefox 40's settings under Advanced > Certificates > View Certificates > Servers).

Now let's say I go to https://bar.com, and it presents the exact same certificate. Will Firefox trust this site, because it uses a trusted certificate, or will it warn me because the certificate is not trusted at this address?

Now let's say I re-visit https://foo.com in a couple weeks, and they have since generated and started using a new certificate (the CA is the same, but I have not added the CA as a trusted root). Will Firefox show me a warning, because the certificate is not trusted? Or will it trust the site, because it is a trusted address?

Or is there another angle to this?

thanks

Solution

If you add an exception, the certificate is trusted exactly for this site only, i.e. it makes an exception for the pair (hostname, certificate) and not for the certificate only.

That is, you cannot create a certificate for example.com, make the user trust this (i.e. harmless site, make an exception) and later use the same certificate for a man-in-the-middle attack against paypal.com just because you've added paypal.com as an alternative subject into your self-signed certificate. There was once a bug which made such attacks possible, but it has long been fixed.
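
The three cases from the question, run through a minimal model of an exception list keyed on the (hostname, certificate) pair as the answer describes. This is an added example, not Firefox's code and not part of the original answer; the `ExceptionStore` class, its method names and the byte strings standing in for certificates are assumptions made for illustration.

```python
import hashlib


class ExceptionStore:
    """Toy model of a per-site certificate exception list (hypothetical, not Firefox's code)."""

    def __init__(self):
        # hostname -> SHA-256 fingerprint of the exact certificate the user accepted
        self._overrides = {}

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def add_exception(self, host: str, cert_der: bytes) -> None:
        self._overrides[host.lower()] = self.fingerprint(cert_der)

    def decide(self, host: str, cert_der: bytes, chain_valid: bool = False) -> str:
        # Assumption: the exception list is only consulted when normal
        # validation fails (self-signed certificate, untrusted CA, ...).
        if chain_valid:
            return "trusted: chain validates"
        accepted = self._overrides.get(host.lower())
        if accepted is None:
            return "warn: no exception for this host"
        if accepted != self.fingerprint(cert_der):
            return "warn: exception exists but certificate changed"
        return "trusted: exception matches host and certificate"


# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_OLD = b"constructed self-signed certificate A"
CERT_NEW = b"constructed replacement certificate B"


def run_scenarios() -> dict:
    store = ExceptionStore()
    store.add_exception("foo.com", CERT_OLD)
    return {
        "foo.com, same cert": store.decide("foo.com", CERT_OLD),
        "bar.com, same cert": store.decide("bar.com", CERT_OLD),
        "foo.com, new cert": store.decide("foo.com", CERT_NEW),
    }


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case}: {verdict}")
```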
