How to permanently delete root CAs from mozilla products?

Craig White craigwhite at azapple.com
Sun Sep 18 03:37:54 UTC 2011


On Sat, 2011-09-17 at 20:29 -0400, David wrote:
> On 9/17/2011 8:06 PM, Craig White wrote:
> > On Sat, 2011-09-17 at 18:58 -0400, David wrote:
> >> On 9/17/2011 6:21 PM, Craig White wrote:
> >>> On Sat, 2011-09-17 at 16:05 -0400, David wrote:
> >>>> On 9/17/2011 3:59 PM, Fernando Cassia wrote:
> >>>>> On Sat, Sep 17, 2011 at 16:46, David <dgboles at gmail.com> wrote:
> >>>>>> Sure there is. They come with the Firefox and Thunderbird updates. They
> >>>>>> are named security updates.
> >>>>>>
> >>>>>> --
> >>>>>>
> >>>>>>  David
> >>>>>
> >>>>> I mean if you accidentally delete good certificates ie AOL, Comodo,
> >>>>> RSA, there is no way to easily reset certificates to the default state
> >>>>> other than deinstalling and reinstalling the whole browser.
> >>>>>
> >>>>> Of course you can wait for future security updates that include
> >>>>> updates to the certs, but what if none comes in the next update?
> >>>>
> >>>>
> >>>> Refresh the rpm is the easiest way that I can think of to do that
> >>>> without uninstalling and then reinstalling.
> >>>>
> >>>> And, as I recall, if you go to a site for which you do not have a
> >>>> certificate you are offered to accept it and add it. Not a disaster but
> >>>> a slight inconvenience for the careless user.
> >>> ----
> >>> I don't think refreshing the rpm or even un/re installing will 'reset'
> >>> certificates but I haven't tested myself.
> >>>
> >>> And what we are talking about is root certificates which actually
> >>> comprise the highest level of a certificate chain. If you delete (or
> >>> mark as not trusted) a root certificate and you go to a web site that is
> >>> signed by the root certificate that you have indicated should not be
> >>> trusted, it will come up as untrusted and you are given some rather dire
> >>> warnings - the same as if you were presented a certificate that is
> >>> 'self-signed'. I would recommend that even if you 'accept' (get
> >>> certificate, trust, possibly permanently store) that you don't do any
> >>> actual commerce with that site. Actually do not choose to store it
> >>> permanently because the next time you go to the site, you will likely
> >>> have forgotten that there is no chain of trust.
> >>
> >> I *really* have no idea what, just what, Fedora did here with this. But
> >> I do know that the Generic Linux, and the Mac, and the Windows updates
> >> fixed this. Are you saying that Fedora f*cked this up?
> >>
> >>  Then I would think that your problem would be with Fedora. And the
> >> gnomes that live under your bed.
> > ----
> > Now that you mention it... I just updated my F14 - which included an
> > update for Firefox.
> > 
> > I launch FF and see the DigiNotar certificate there dated 2007 and it is
> > trusted. That concerns me.
> > 
> > So I 'delete' it and indeed, it completely disappears.
> > 
> > I close/relaunch FF and view certificates and it is back, only this
> > time, it is not trusted (good). It appears to be the same certificate
> > (dates - I didn't note the serial numbers).
> > 
> > I am fine with this.
> > 
> > I am not sure that simply updating FF will work as expected (disabling
> > DigiNotar's certificate) without manual intervention but I will check on
> > another users profile later.
> 
> 
> I assume that this 'update' is a Fedora RPM? And it does not 'update'?
> Your disagreement seems, to me, to be with Fedora or the Fedora
> packager? The 'Generic' Mozilla Linux package, which is what I use,
> updates as expected.
> 
> 
> > As for Macintosh, Windows, 'generic Linux' (whatever that means to you
> > it means nothing to me), I don't know but I can verify the
> > Windows/Macintosh FF behavior when I get time. Did you actually track
> > the exact state of the DigiNotar certificate before/after updating?
> 
> 
> Did I "actually track the exact state of the DigiNotar certificate"?
> No. Not really. I just updated as needed and did not sit on my thumb
> while the rest of the world solved this problem.
----
Does seem that there is a problem w/ Fedora & FF

I just checked on my Ubuntu 10.04 server. Both a new profile & my
existing profile have 4 certificates from DigiNotar and all are
untrusted.

Will search bugzilla soon because the DigiNotar certificate in Fedora
wasn't automatically 'untrusted' after the last round of updates like it
should have been.

Craig
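As an added example (my own script, not code from the thread), this POSIX shell audit reads NSS certutil -L output and reports whether any DigiNotar certificate visible to a Firefox or Thunderbird profile is still trusted, which is the check the thread does by hand in the certificate manager. It assumes certutil is installed and the profile directory is passed by the caller; the sample certutil output is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the trust flags an NSS
# certificate database (a Firefox/Thunderbird profile) holds for a CA, so a
# distrusted root such as DigiNotar is verified rather than eyeballed.
# Assumes NSS certutil is installed (nss-tools on Fedora, libnss3-tools on Ubuntu).
# certutil -L prints one line per cert: "<nickname>   <SSL>,<S/MIME>,<JAR/XPI>";
# trust letters: C or T = trusted CA, c = valid CA, p = prohibited (distrusted).

# audit_trust [PATTERN]: read certutil -L output on stdin, print one verdict per
# matching certificate, return 0 if none is still trusted, 1 otherwise.
audit_trust() {
    awk -v pat="${1:-DigiNotar}" '
        index($0, pat) == 0 { next }            # skip headers and other CAs
        {
            flags = $NF                          # trust column
            sub(/[ \t]+[^ \t]+$/, "")            # strip flags, leaving nickname
            bad = 0
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++)
                if (f[i] ~ /[CTc]/) bad = 1      # still trusted for some purpose
            printf "%-50s %-7s %s\n", $0, flags, (bad ? "STILL TRUSTED" : "distrusted")
            if (bad) found_bad = 1
        }
        END { exit (found_bad ? 1 : 0) }'
}

# audit_profile DIR [PATTERN]: run the audit against a real profile directory.
audit_profile() {
    certutil -L -d "sql:$1" | audit_trust "${2:-DigiNotar}"
}

# Constructed sample of certutil -L output (not captured from a real profile):
# two builtin DigiNotar roots correctly distrusted, plus a user-imported copy
# that is still trusted, which is exactly what the audit must catch.
SAMPLE='Certificate Nickname                                 Trust Attributes
                                                     SSL,S/MIME,JAR/XPI

Builtin Object Token:DigiNotar Root CA               p,p,p
Builtin Object Token:DigiNotar Services 1024 CA      p,p,p
DigiNotar Root CA (user-imported copy)               C,C,C
Builtin Object Token:Some Other Root CA              C,C,C'

demo() { printf '%s\n' "$SAMPLE" | audit_trust DigiNotar; }

# Usage: sh audit-nss.sh ~/.mozilla/firefox/<profile>; with no argument, run the demo.
if [ "$#" -gt 0 ]; then
    audit_profile "$1"
else
    demo || echo "WARNING: at least one matching certificate is still trusted"
fi
```

Run it once per profile directory (each user profile has its own cert9.db or cert8.db), since a root deleted or re-trusted in one profile does not affect the others.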

