Tor Browser 15/Firefox ESR 140 rejecting some SSL certificates that are accepted by the former Firefox ESR version 128 and current Chromium 143

Researching the issues reported in this forum thread revealed that Firefox ESR 140 (and thus Tor Browser 15, too) has begun rejecting some SSL certificates accepted by previous versions of Firefox ESR (128) and the current version of Chromium (143).
I think it’s probably that, from ESR 140 onwards, Firefox has decided not to accept websites that only have their own leaf certificate installed, but not the intermediate certificates (good example, bad example). Can anyone verify this (better if we can verify with upstream Firefox)? And since it seems to have caused confusion among some users, what should we do?

1 Like

IDK if this helps answer your question, but feel free to have a quick read - Enhancing CA Practices: Key Updates in Mozilla Root Store Policy, v3.0 - Mozilla Security Blog (March 2025 they were working on 138 nightly)

Thanks. But I don’t think that helps. The link provided documents Mozilla’s CA policy update, not how Firefox would verify a poorly set up HTTPS server with a broken certificate chain.

2 Likes

I wanted to document that there is seemingly no problem on Firefox 146 on my Ubuntu-based main Linux distro when Firefox is installed via snap. Even when I install Firefox on a live session (from that boot/install media), the page opens just fine. However, the (almost) same version extracted from the official tar.xz file on Tails does not open that webpage (without manually accepting that certificate). Below is the version that does open that webpage on an Ubuntu-based distribution.

Add.
Tor Browser 15.0.3 and Firefox ESR 140.5.0 (from the Debian repository) running on Debian Trixie cannot access s3.teraboxcdn.com without throwing errors.

1 Like

Not sure if this "Firefox Snap doesn't recognize root certificate - snap - snapcraft.io" is related or not? Or, the other way around, they (accidentally) “fixed” it in the snap system? Indeed, the official up-to-date firefox-146.0.1.tar.xz on that same OS has a problem with the certificate (while the snap Firefox just works, even on a fresh system).

The most important things to note from that thread on forum.snapcraft.io IMO are

It seems the snaps use the certs provided by the base snap.

And

So the problem is not confinement per se, but the fact that the core snap shadows these directories.

If these are unrelated or a completely different thing, sorry, I have never done website development before. I also understand that this is probably a waste of time, as investigating the snap package likely can’t fix a non-snap version of Firefox (unless someone figures out how that Firefox snap handles certs differently and can implement the same on the upstream version).