Bug 709165 (CVE-2011-0082)

Summary: CVE-2011-0082 firefox: doesn't (re)validate certificates when loading HTTPS page
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
CC: antillon.maurizio, bressers, gecko-bugs-nobody, jskeoch
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-08-25 13:54:20 UTC

Description Vincent Danen 2011-05-30 22:38:43 UTC
A Debian bug report [1] indicated that Firefox 4.0.x handled the validation/revalidation of SSL certificates improperly.  If a user were to visit a site with an untrusted certificate, Firefox would correctly display the warning about the untrusted connection.  If a user were to confirm the security exception for a single session (not check off the "permanently store this exception"), then restart the browser and re-load the page, the contents of the page would be displayed from the Firefox cache.  Upon reloading the page, the security warning would appear, but incorrectly indicates that the site provides a valid, verified certificate and there is no way to confirm the exception.

This is not the case in Firefox 3.6.17 where when re-loading the browser and visiting the page, the untrusted connection warning comes up immediately, without showing the contents of the page, and allowing you to confirm the exception.

Steps to reproduce:

1) Visit a site with a self-signed certificate (such as https://kitenet.net/) and click "I Understand The Risks", click "Add Exception", uncheck "Permanently store this exception", click "Confirm Security Exception".  The site's contents will be displayed.

2) Exit the browser.

3) Start Firefox again and visit the page you visited in step 1.  The browser will show the contents of the page, even though its certificate should no longer be considered valid.

4) Refresh the page.  The untrusted connection warning will display again.  Click "I Understand The Risks", click "Add Exception".  Firefox will indicate that "This site provides valid, verified identification" and does not allow you to confirm the security exception.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627552
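
The behaviour in steps 1 to 3, as an added example that is not part of the bug report and is not Firefox code: a simplified JavaScript model in which a cache survives a restart while a session-only certificate exception does not, run once without and once with a trust check before cached content is shown. The `Browser` class, the `reproduce` function, the host name and the page body are constructed for illustration; the actual root cause in Firefox is not stated on this page.

```javascript
// Simplified model (assumption, not Firefox code): the content cache outlives
// a restart, the session-only certificate exceptions do not.
class Browser {
  constructor(cache = new Map(), revalidate = false) {
    this.cache = cache;                  // persists across restarts
    this.sessionExceptions = new Set();  // discarded on restart
    this.revalidate = revalidate;        // true = check trust before using cache
  }

  // A site is trusted if its certificate chains to a CA or the user
  // confirmed an exception during the current session.
  trusted(site) {
    return site.caSigned || this.sessionExceptions.has(site.host);
  }

  addSessionException(site) { this.sessionExceptions.add(site.host); }

  load(site) {
    const cached = this.cache.get(site.host);
    // Behaviour described in the report: cached content is displayed
    // although no trust decision exists for the current session.
    if (cached !== undefined && !this.revalidate) {
      return { shown: cached, warning: false };
    }
    // Expected behaviour: no content, cached or fresh, without current trust.
    if (!this.trusted(site)) return { shown: null, warning: true };
    this.cache.set(site.host, site.body);
    return { shown: site.body, warning: false };
  }

  // Exit and start again: same cache, empty exception store.
  restart() { return new Browser(this.cache, this.revalidate); }
}

// Runs steps 1 to 3 of the report against the model.
function reproduce(revalidate) {
  // Constructed sample site with a self-signed certificate.
  const site = { host: "selfsigned.example", caSigned: false, body: "<h1>hello</h1>" };
  let browser = new Browser(new Map(), revalidate);
  const first = browser.load(site);         // step 1: untrusted warning
  browser.addSessionException(site);        // exception for this session only
  const accepted = browser.load(site);      // content shown and cached
  browser = browser.restart();              // step 2
  const afterRestart = browser.load(site);  // step 3
  return { first, accepted, afterRestart };
}
```

Step 4 of the report (the exception dialog claiming valid identification) is not modelled here.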

Comment 1 Huzaifa S. Sidhpurwala 2011-06-01 04:38:28 UTC
Reported upstream via:
https://bugzilla.mozilla.org/show_bug.cgi?id=660749

Comment 2 Josh Bressers 2011-08-25 13:54:20 UTC
There's nothing we can do about this until upstream acts. The issue is quite minor, so I'm closing this UPSTREAM. We'll reopen the bug once it gets fixed.