How to permanently delete root CAs from mozilla products?

Craig White craigwhite at azapple.com
Sun Sep 18 00:06:33 UTC 2011


On Sat, 2011-09-17 at 18:58 -0400, David wrote:
> On 9/17/2011 6:21 PM, Craig White wrote:
> > On Sat, 2011-09-17 at 16:05 -0400, David wrote:
> >> On 9/17/2011 3:59 PM, Fernando Cassia wrote:
> >>> On Sat, Sep 17, 2011 at 16:46, David <dgboles at gmail.com> wrote:
> >>>> Sure there is. They come with the Firefox and Thunderbird updates. They
> >>>> are named security updates.
> >>>>
> >>>> --
> >>>>
> >>>>  David
> >>>
> >>> I mean if you accidentally delete good certificates ie AOL, Comodo,
> >>> RSA, there is no way to easily reset certificates to the default state
> >>> other than deinstalling and reinstalling the whole browser.
> >>>
> >>> Of course you can wait for future security updates that include
> >>> updates to the certs, but what if none comes in the next update?
> >>
> >>
> >> Refreshing the rpm is the easiest way that I can think of to do that
> >> without uninstalling and then reinstalling.
> >>
> >> And, as I recall, if you go to a site for which you do not have a
> >> certificate you are offered to accept it and add it. Not a disaster but
> >> a slight inconvenience for the careless user.
> > ----
> > I don't think refreshing the rpm or even un/re installing will 'reset'
> > certificates but I haven't tested myself.
> > 
> > And what we are talking about is root certificates which actually
> > comprise the highest level of a certificate chain. If you delete (or
> > mark as not trusted) a root certificate and you go to a web site that is
> > signed by the root certificate that you have indicated should not be
> > trusted, it will come up as untrusted and you are given some rather dire
> > warnings - the same as if you were presented a certificate that is
> > 'self-signed'. I would recommend that even if you 'accept' (get
> > certificate, trust, possibly permanently store) that you don't do any
> > actual commerce with that site. Actually do not choose to store it
> > permanently because the next time you go to the site, you will likely
> > have forgotten that there is no chain of trust.
> 
> I *really* have no idea what, just what, Fedora did here with this. But
> I do know that the Generic Linux, and the Mac, and the Windows updates
> fixed this. Are you saying that Fedora f*cked this up?
> 
>  Then I would think that your problem would be with Fedora. And the
> gnomes that live under your bed.
----
Now that you mention it... I just updated my F14 - which included an
update for Firefox.

I launch FF and see the DigiNotar certificate there dated 2007 and it is
trusted. That concerns me.

So I 'delete' it and indeed, it completely disappears.

I close/relaunch FF and view certificates and it is back, only this
time, it is not trusted (good). It appears to be the same certificate
(dates - I didn't note the serial numbers).

I am fine with this.

I am not sure that simply updating FF will work as expected (disabling
DigiNotar's certificate) without manual intervention but I will check on
another user's profile later.

As for Macintosh, Windows, 'generic Linux' (whatever that means to you
it means nothing to me), I don't know but I can verify the
Windows/Macintosh FF behavior when I get time. Did you actually track
the exact state of the DigiNotar certificate before/after updating?

Craig
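
Craig asks whether anyone tracked the exact trust state of the DigiNotar root before and after the update. The script below is an added example, not code from this thread or from Mozilla, for doing that with the NSS certutil tool: it pulls the trust flags for one nickname out of a certutil -L listing and reports whether they changed between two listings. The profile path is an assumption, and the two listings are constructed to mirror Craig's observation rather than captured from a real profile.

```shell
#!/bin/sh
# Added example (not from the thread): track the NSS trust flags of one root
# across a Firefox update.  Capture a listing before and after the update with
#   certutil -L -h all -d "$HOME/.mozilla/firefox/<profile-dir>" > before.txt
# (nss-tools on Fedora; the profile path is an assumption), then compare them.

# Print the trust column for one nickname from a certutil -L listing on stdin.
# Lines look like "<nickname><spaces><SSL,S/MIME,JAR/XPI flags>": "CT,C,C" is
# a trusted root, ",," has no trust bits, "p,p,p" is explicitly distrusted.
# An absent nickname yields an empty string.
trust_flags() {
    awk -v n="$1" '{ sub(/[ \t]+$/, ""); t = $NF; sub(/[ \t]+[^ \t]+$/, "")
                     if ($0 == n) { print t; exit } }'
}

# Translate the SSL part of the flags (the first comma field) into words.
describe_trust() {
    [ -z "$1" ] && { echo "absent"; return; }
    case "${1%%,*}" in
        *p*) echo "explicitly distrusted" ;;
        *C*) echo "trusted CA for SSL" ;;
        *)   echo "present but not trusted for SSL" ;;
    esac
}

# Exit status 0 when the nickname's flags differ between the two listings.
trust_changed() {
    [ "$(printf '%s\n' "$2" | trust_flags "$1")" != "$(printf '%s\n' "$3" | trust_flags "$1")" ]
}

# One-line before/after report for a nickname.
compare_trust() {
    b=$(printf '%s\n' "$2" | trust_flags "$1"); a=$(printf '%s\n' "$3" | trust_flags "$1")
    if trust_changed "$1" "$2" "$3"; then v=changed; else v=unchanged; fi
    printf '%s: [%s] %s -> [%s] %s: %s\n' "$1" "$b" "$(describe_trust "$b")" \
        "$a" "$(describe_trust "$a")" "$v"
}

# Constructed listings (not captured from a real profile) mirroring the
# observation above: the built-in DigiNotar root is trusted before the update
# and still present afterwards, but with every trust bit cleared.
BEFORE='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Builtin Object Token:DigiNotar Root CA        CT,C,C
Builtin Object Token:Comodo AAA Services root CT,C,C'
AFTER=$(printf '%s\n' "$BEFORE" | sed 's/^\(Builtin Object Token:DigiNotar Root CA *\)CT,C,C$/\1,,/')
compare_trust "Builtin Object Token:DigiNotar Root CA" "$BEFORE" "$AFTER"
compare_trust "Builtin Object Token:Comodo AAA Services root" "$BEFORE" "$AFTER"
```

Run it against two real listings by replacing BEFORE and AFTER with the saved certutil output; a root that merely shows ",," is still present and can be re-trusted by a careless click, whereas "p,p,p" records an explicit distrust.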
