Does adding a certificate exception in Firefox tell it to trust a certificate, an address, or a combination of both?

落爺英雄遲暮 submitted on 2020-01-11 09:36:31

Question


Does adding a certificate exception in Firefox tell it to trust a certificate, an address, or a combination of both? See the following hypothetical:

First, I hypothetically visit https://foo.com, which uses a self-signed certificate. My browser alerts me that the certificate is self-signed, but I choose to add an exception (in Firefox 40's settings under Advanced > Certificates > View Certificates > Servers).

Now let's say I go to https://bar.com, and it presents the exact same certificate. Will Firefox trust this site, because it uses a trusted certificate, or will it warn me because the certificate is not trusted at this address?

Now let's say I re-visit https://foo.com in a couple of weeks, and they have since generated and started using a new certificate (the CA is the same, but I have not added the CA as a trusted root). Will Firefox show me a warning, because the certificate is not trusted? Or will it trust the site, because it is a trusted address?

Or is there another angle to this?

Thanks


Answer 1:


If you add an exception, the certificate is trusted exactly for this site only, i.e. it makes an exception for the pair (hostname, certificate) and not for the certificate only.

That is, you cannot create a certificate for example.com, make the user trust this (i.e. harmless site, make an exception) and later use the same certificate for a man-in-the-middle attack against paypal.com just because you've added paypal.com as an alternative subject into your self-signed certificate. There was once a bug which made such attacks possible, but it has long been fixed.



Source: https://stackoverflow.com/questions/32364115/does-adding-a-certificate-exception-in-firefox-tell-it-to-trust-a-certificate-a
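The pair rule from the answer, applied to the three situations in the question, as an added example that is not Firefox's code or part of the original post. `ExceptionStore`, the port default, the case-insensitive hostname comparison and the certificate byte strings are assumptions of this simplified model; the third case is what the pair rule implies for a replaced certificate.

```python
import hashlib
import hmac


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER encoding."""
    return hashlib.sha256(cert_der).hexdigest()


class ExceptionStore:
    """Simplified model: one pinned certificate per (hostname, port)."""

    def __init__(self):
        self._overrides = {}

    @staticmethod
    def _key(hostname: str, port: int):
        # Assumption of this model: hostnames compare case-insensitively.
        return (hostname.lower(), port)

    def add_exception(self, hostname: str, cert_der: bytes, port: int = 443):
        self._overrides[self._key(hostname, port)] = fingerprint(cert_der)

    def is_excepted(self, hostname: str, cert_der: bytes, port: int = 443) -> bool:
        pinned = self._overrides.get(self._key(hostname, port))
        if pinned is None:
            return False  # no exception was ever stored for this address
        # The address alone is not enough: the presented certificate must match.
        return hmac.compare_digest(pinned, fingerprint(cert_der))


def question_scenarios():
    # Constructed stand-ins for the DER bytes of two self-signed certificates.
    cert_a = b"constructed-der-bytes-certificate-A"
    cert_b = b"constructed-der-bytes-certificate-B"
    store = ExceptionStore()
    store.add_exception("foo.com", cert_a)
    return {
        "foo.com with the excepted certificate": store.is_excepted("foo.com", cert_a),
        "bar.com with the same certificate": store.is_excepted("bar.com", cert_a),
        "foo.com with a new certificate": store.is_excepted("foo.com", cert_b),
    }


if __name__ == "__main__":
    for case, accepted in question_scenarios().items():
        print(f"{case}: {'accepted' if accepted else 'warning'}")
```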
