Closed Bug 646156 Opened 14 years ago Closed 10 years ago

Certificate Manager "Delete or Distrust" doesn't work with multiple selected certs

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 400093

People

(Reporter: bsterne, Unassigned)

References

(Blocks 1 open bug)

Details

The following was reported today to security@mozilla.org by Norman Hardy:

Summary of steps to reproduce:
1. Open Certificate Manager
2. Select the first 4 certs listed (4 is an arbitrary number)
3. Click Delete or Distrust (I don't observe any dialog)
4. Select a single cert among the first 4 and click Edit Trust
5. Observe that trust bits are still set

-----

This is a security related bug. An exploit would be quite elaborate and I have not crafted one. I think it would be much more elaborate than recent bogus cert exploits. It is probably easy to fix.

Previously I had selected about the first half of the root CAs and clicked “Delete or Distrust” and then the same for about the 2nd half. A small random sampling convinced me that all check boxes in “Edit Trust…” windows had become unchecked.

Now I launch Firefox 4.0. In the “Certificate Manager” window: I select the first display line, “(c) 2005 TÜRKTRUST Bilgi İletişim ve Bilişim güvenliği Hizmetleri A.Ş.”. With the shift key held down I click on “Chambers of Commerce Root” under heading “AC Camerfirma SA CIF A82743287”. This gives the accustomed image of those two lines and all 6 lines between as being selected. I click “Delete or Distrust…”. I unselect, and then select the single line “Global Chambersign Root” which was one of the 8 selected lines. I click “Edit Trust…” Each of the 3 check boxes are checked. This is repeatable. This is certainly contrary to normal expectations.

I would be glad to do further work if that will help. I told Brian Warner, who works with Mozilla I believe, of my suspicions in this area.
Norman, the reporter, sent the following comments to security@m.o today:

-----

Another non-critical infelicity that can lead to confusion:

Firefox 4.0, Mac OS 10.6.7: Menu Bar > Firefox > Preferences > Advanced > Encryption > View Certificates > Authorities > Comodo > [turn down triangle] > AAA Certificate Services > Export > Save as ‘X.509 (DER)’. This action indeed places a binary file on my disk.

In the same ‘Certificate Manager’ window I click ‘delete or distrust’ and the cert disappears from the list. I close the ‘Certificate Manager’ window and go back to the ‘Advanced’ window, which is still open, and proceed again with Encryption > View Certificates > Authorities > Comodo > whereupon ‘AAA Certificate Services’ is back. This is clearly confusing. ‘Edit Trust … ’ shows it to be distrusted, as I wanted.

I am collecting Mac Cert foibles at http://localhost/Crypto/MacCert.html . No browser is unscathed. Thank you for Firefox!
(In reply to comment #1)
> I am collecting Mac Cert foibles at http://localhost/Crypto/MacCert.html .

Should have been: http://cap-lore.com/Crypto/MacCert.html
Bug 400093 I believe describes the root cause of this. The STRs are very similar, and both cases cause the same exception, so I'm marking this as a duplicate of 400093.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
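
An added example, not part of the bug report or of Mozilla's code: a way to carry out step 5 of the reproduction for every selected certificate at once, without relying on the Edit Trust dialog. It assumes the profile's trust flags have been dumped as text in the layout printed by NSS `certutil -L`; the nicknames, the listing and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of NSS `certutil -L` output: nickname,
# then trust flags for SSL, S/MIME and code signing. Not from the bug report.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA 1                                            ,,
Example Root CA 2                                            C,C,C
Example Root CA 3                                            CT,C,
Example Root CA 4                                            p,p,p
"""

# Flags that grant trust: C/T = trusted CA (server/client), P = trusted peer.
# Lowercase flags such as p (prohibited) do not grant trust.
TRUST_GRANTING = set("CTP")
ROW = re.compile(
    r"^(?P<nick>.+?)\s{2,}(?P<flags>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$"
)


def parse_listing(text):
    """Return {nickname: (ssl, email, codesign)} from certutil -L style text."""
    certs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and blank lines do not match and are skipped
            certs[m.group("nick").strip()] = tuple(m.group("flags").split(","))
    return certs


def still_trusted(listing, selected):
    """Of the nicknames selected for distrust, return those that still carry
    a trust-granting flag, and those absent from the listing (needs review)."""
    certs = parse_listing(listing)
    failed = {}
    for nick in selected:
        flags = certs.get(nick)
        if flags is None:
            failed[nick] = "not listed"
        elif any(TRUST_GRANTING & set(col) for col in flags):
            failed[nick] = ",".join(flags)
    return failed


if __name__ == "__main__":
    chosen = ["Example Root CA %d" % i for i in range(1, 5)]
    for nick, why in still_trusted(SAMPLE_LISTING, chosen).items():
        print("distrust did not take effect: %s (%s)" % (nick, why))
```
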