Update on the problem of broken SSL sites working sometimes but not other times.
One of the issues discussed in this thread is about sites that validate only if you have already visited another site that has the rest of the cert chain. Biglumber and GoDaddy. Firefox 2 remembers chains until the browser is closed.
I thought Bug 399045 was filed to make it so visiting GoDaddy first will not validate the cert. As it turns out, the bug was fixed to make it so Firefox remembers chains even after the browser is closed. So now visiting GoDaddy will validate the BigLumber broken cert anytime in the future. This matches more or less IE's behavior, and makes it less likely a site will work unpredictably. But there is still some gap between behavior in FF and IE. You still have to visit the "GoDaddy" of the cert once, and a webmaster would be unlikely to know this. IE might work because the user had gone to GoDaddy in IE, but not in Firefox (or was using a fresh profile in Firefox?). That would create a mysterious FF/IE difference, even with the new FF code.
But just to make it extra hard, IE uses an additional validation method for broken cert chains, one that none of the other browsers use, called AIA. See Bug 399324 on that and a discussion on whether to support it.
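The "broken chain" the post describes, a server that sends only its leaf certificate and relies on the browser already knowing the intermediate, can be reproduced offline with a throwaway PKI. The script below is an added example, not code from the thread or from Mozilla; it assumes a POSIX shell with the `openssl` command-line tool available, and the CA names, hostname and file names are all made up for the demonstration. The `verify_leaf` helper runs the same check a browser does: the leaf validates only when the intermediate is supplied, which is exactly the "works after visiting GoDaddy, fails on a fresh profile" symptom.

```shell
#!/bin/sh
# Added example: reproduce a broken (incomplete) certificate chain locally.
# Assumes the openssl CLI is installed. All names below are constructed.
set -eu

WORK=$(mktemp -d)          # scratch directory for the throwaway PKI
trap 'rm -rf "$WORK"' EXIT

# 1. Self-signed root CA (the trust anchor a browser would ship with).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
  -out "$WORK/root.pem" -subj "/CN=Example Root CA" -days 2 >/dev/null 2>&1

# 2. Intermediate CA issued by the root (the cert the webmaster forgets to send).
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
  -out "$WORK/inter.csr" -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/inter.ext"
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -out "$WORK/inter.pem" -days 2 -extfile "$WORK/inter.ext" >/dev/null 2>&1

# 3. Leaf (server) certificate issued by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
  -out "$WORK/leaf.csr" -subj "/CN=www.example.test" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -out "$WORK/leaf.pem" -days 2 -extfile "$WORK/leaf.ext" >/dev/null 2>&1

# verify_leaf ROOT LEAF [INTERMEDIATE]
# Returns 0 if LEAF chains to ROOT using only the certificates supplied,
# i.e. it models a client that has no cached intermediates and no AIA fetching.
verify_leaf() {
  root=$1; leaf=$2; inter=${3:-}
  if [ -n "$inter" ]; then
    openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
  fi
}

# Stand-alone demonstration of the two cases from the thread.
if verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/inter.pem"; then
  echo "with intermediate (cached chain): OK"
fi
if verify_leaf "$WORK/root.pem" "$WORK/leaf.pem"; then
  echo "leaf only: OK"
else
  echo "leaf only (fresh profile, no cached intermediate): FAIL - broken chain"
fi
```

The same `openssl verify` check applied to what a real server actually sends (for example the output of `openssl s_client -showcerts`) tells a webmaster whether the site depends on the client already holding the intermediate, which is the condition that produces the inconsistent FF/IE behavior discussed above.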
Are the certs stored in the profile?
All this is about filling in broken chains. It was in memory, now it's in a database.
The lack of override on SSL warnings is another issue, new to Firefox 3. That will be the big argument methinks.