How to permanently delete root CAs from mozilla products?

[Craig White]

On Sat, 2011-09-17 at 16:05 -0400, David wrote:
> On 9/17/2011 3:59 PM, Fernando Cassia wrote:
> > On Sat, Sep 17, 2011 at 16:46, David <dgboles at gmail.com> wrote:
> >> Sure there is. They come with the Firefox and Thunderbird updates. They
> >> are named security updates.
> >>
> >> --
> >>
> >>  David
> > 
> > I mean if you accidentally delete good certificates ie AOL, Comodo,
> > RSA, there is no way to easily reset certificates to the default state
> > other than deinstalling and reinstalling the whole browser.
> > 
> > Of course you can wait for future security updates that includes
> > updates to the certs, but what if none comes in the next update?.
> 
> 
> Refresh the rpm is the easiest way that I can think of to do that
> without uninstalling and them reinstalling.
> 
> And, as I recall, if you go to a site for which you do not not have a
> certificate you are offered to accept it and add it. Not a disaster but
> a slight inconvenience for the careless user.
----
I don't think refreshing the rpm or even un/re installing will 'reset'
certificates but I haven't tested myself.

And what we are talking about is root certificates which actually
comprise the highest level of a certificate chain. If you delete (or
mark as not trusted) a root certificate and you go to a web site that is
signed by the root certificate that you have indicated should not be
trusted, it will come up as untrusted and you are given some rather dire
warnings - the same as if you were presented a certificate that is
'self-signed'. I would recommend that even if you 'accept' (get
certificate, trust, possibly permanently store) that you don't do any
actual commerce with that site. Actually do not choose to store it
permanently because the next time you go to the site, you will likely
have forgotten that there is no chain of trust.

Craig


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.