How to permanently delete root CAs from mozilla products?

David dgboles at gmail.com
Sun Sep 18 09:56:51 UTC 2011


On 9/17/2011 11:37 PM, Craig White wrote:
> On Sat, 2011-09-17 at 20:29 -0400, David wrote:
>> On 9/17/2011 8:06 PM, Craig White wrote:
>>> On Sat, 2011-09-17 at 18:58 -0400, David wrote:
>>>> On 9/17/2011 6:21 PM, Craig White wrote:
>>>>> On Sat, 2011-09-17 at 16:05 -0400, David wrote:
>>>>>> On 9/17/2011 3:59 PM, Fernando Cassia wrote:
>>>>>>> On Sat, Sep 17, 2011 at 16:46, David <dgboles at gmail.com>
>>>>>>> wrote:
>>>>>>>> Sure there is. They come with the Firefox and
>>>>>>>> Thunderbird updates. They are named security updates.
>>>>>>>> 
>>>>>>>> --
>>>>>>>> 
>>>>>>>> David
>>>>>>> 
>>>>>>> I mean if you accidentally delete good certificates ie
>>>>>>> AOL, Comodo, RSA, there is no way to easily reset
>>>>>>> certificates to the default state other than deinstalling
>>>>>>> and reinstalling the whole browser.
>>>>>>> 
>>>>>>> Of course you can wait for future security updates that
>>>>>>> includes updates to the certs, but what if none comes in
>>>>>>> the next update?.
>>>>>> 
>>>>>> 
>>>>>> Refreshing the rpm is the easiest way that I can think of to
>>>>>> do that without uninstalling and then reinstalling.
>>>>>> 
>>>>>> And, as I recall, if you go to a site for which you do
>>>>>> not have a certificate you are offered to accept it and add
>>>>>> it. Not a disaster but a slight inconvenience for the
>>>>>> careless user.
>>>>> ---- I don't think refreshing the rpm or even un/re
>>>>> installing will 'reset' certificates but I haven't tested
>>>>> myself.
>>>>> 
>>>>> And what we are talking about is root certificates which
>>>>> actually comprise the highest level of a certificate chain.
>>>>> If you delete (or mark as not trusted) a root certificate and
>>>>> you go to a web site that is signed by the root certificate
>>>>> that you have indicated should not be trusted, it will come
>>>>> up as untrusted and you are given some rather dire warnings -
>>>>> the same as if you were presented a certificate that is 
>>>>> 'self-signed'. I would recommend that even if you 'accept'
>>>>> (get certificate, trust, possibly permanently store) that you
>>>>> don't do any actual commerce with that site. Actually do not
>>>>> choose to store it permanently because the next time you go
>>>>> to the site, you will likely have forgotten that there is no
>>>>> chain of trust.
>>>> 
>>>> I *really* have no idea what, just what, Fedora did here with
>>>> this. But I do know that the Generic Linux, and the Mac, and
>>>> the Windows updates fixed this. Are you saying that Fedora
>>>> f*cked this up?
>>>> 
>>>> Then I would think that your problem would be with Fedora. And
>>>> the gnomes that live under your bed.
>>> ---- Now that you mention it... I just updated my F14 - which
>>> included an update for Firefox.
>>> 
>>> I launch FF and see the DigiNotar certificate there dated 2007
>>> and it is trusted. That concerns me.
>>> 
>>> So I 'delete' it and indeed, it completely disappears.
>>> 
>>> I close/relaunch FF and view certificates and it is back, only
>>> this time, it is not trusted (good). It appears to be the same
>>> certificate (dates - I didn't note the serial numbers).
>>> 
>>> I am fine with this.
>>> 
>>> I am not sure that simply updating FF will work as expected
>>> (disabling DigiNotar's certificate) without manual intervention
>>> but I will check on another users profile later.
>> 
>> 
>> I assume that this 'update' is a Fedora RPM? And it does not
>> 'update'? Your disagreement seems, to me, to be with Fedora or the
>> Fedora packager? The 'Generic' Mozilla Linux package, which is what
>> I use, updates as expected.
>> 
>> 
>>> As for Macintosh, Windows, 'generic Linux' (whatever that means
>>> to you it means nothing to me), I don't know but I can verify
>>> the Windows/Macintosh FF behavior when I get time. Did you
>>> actually track the exact state of the DigiNotar certificate
>>> before/after updating?
>> 
>> 
>> Did I "actually track the exact state of the DigiNotar
>> certificate"? No. Not really. I just updated as needed and did not
>> sit on my thumb while the rest of the world solved this problem.
> ---- does seem that there is a problem w/ Fedora & FF
> 
> I just checked on my Ubuntu 10.04 server. Both a new profile & my 
> existing profile have 4 certificates from DigiNotar and all are 
> untrusted.
> 
> Will search bugzilla soon because the DigiNotar certificate in
> Fedora wasn't automatically 'untrusted' after the last round of
> updates like it should have been.


I do not have a "DigiNotar" certificate at all. But then I am not using
Fedora 14 or Ubuntu 10.04 either. So it still sounds, to me, that your
complaint is with the Firefox version in Fedora 14. The latest one that
I can see is FF 3.6.20.

The current recommended stable version is 6.0.2 with 7.0 scheduled for
release Sept 27, 2011. Firefox 3.6.22 (the 3.6.x series is soon to be
EOL) was released Sept 6, 2011. However there is a 3.6.23 scheduled for
Sept 27 also.
-- 

  David
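The thread turns on a question nobody in it answers mechanically: after an update, is the DigiNotar root in a given Firefox profile trusted, explicitly distrusted, or merely absent? NSS ships a tool, certutil, whose `certutil -L -d sql:~/.mozilla/firefox/<profile dir>` listing prints each certificate's nickname and its trust attributes (SSL, S/MIME, JAR/XPI), where per NSS's documented flag letters `C`/`T` mean trusted CA and `p` means prohibited (explicitly distrusted). The script below is an added example written for this page, not code from the list posters or from Mozilla; it parses that listing and reports the trust state of every certificate whose nickname matches an issuer name. The sample listing embedded in it is constructed to resemble certutil's output (the DigiNotar entries and their flags are made up for illustration, not taken from a real profile), and the `<profile dir>` path is a placeholder.

```python
"""Audit the SSL trust state of root CAs in an NSS database (Firefox/Thunderbird profile)
from the text that `certutil -L` prints.  Added example; the sample output below is constructed."""
import re
import sys

# Constructed sample of `certutil -L -d sql:<profile dir>` output.  Real listings have the
# same two-line header, then "<nickname>  <SSL>,<S/MIME>,<JAR/XPI>" rows separated by runs
# of spaces; ",," means the cert is present but carries no trust bits at all.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:DigiNotar Root CA                       CT,C,C
Builtin Object Token:DigiNotar Root CA G2                    p,p,p
Builtin Object Token:Comodo AAA Services root                CT,C,C
my-imported-test-ca                                          ,,
"""

# Nickname (may contain single spaces), then 2+ spaces, then three comma-separated flag groups.
# Header lines never match: "Trust Attributes" has no commas and the second line is indented.
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_certutil_listing(text):
    """Return {nickname: (ssl_flags, smime_flags, jar_flags)} from certutil -L output."""
    entries = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header lines and blank separators
        ssl, smime, jar = m.group("trust").split(",")
        entries[m.group("nick")] = (ssl, smime, jar)
    return entries


def classify(flags):
    """Map one column's NSS trust letters to a human-readable state.

    'p' (prohibited) wins over everything: it is the explicit distrust Craig saw
    after relaunching Firefox.  'C' or 'T' is an active trust anchor.  No letters
    means the cert is stored but is no more trusted than an unknown issuer."""
    if "p" in flags:
        return "distrusted"
    if "C" in flags or "T" in flags:
        return "trusted"
    return "untrusted"


def audit_issuer(listing, needle):
    """Trust state of the SSL column for every nickname containing `needle` (case-insensitive)."""
    return {
        nick: classify(ssl)
        for nick, (ssl, _smime, _jar) in listing.items()
        if needle.lower() in nick.lower()
    }


def still_trusted_for_ssl(listing, needle):
    """Sorted nicknames matching `needle` that a browser using this DB would still accept as a root."""
    return sorted(n for n, state in audit_issuer(listing, needle).items() if state == "trusted")


if __name__ == "__main__":
    # Usage: certutil -L -d sql:~/.mozilla/firefox/<profile dir> | python audit_nss_trust.py DigiNotar
    # With no piped input the constructed sample is used so the script runs offline.
    issuer = sys.argv[1] if len(sys.argv) > 1 else "DigiNotar"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CERTUTIL_OUTPUT
    listing = parse_certutil_listing(text)
    for nick, state in sorted(audit_issuer(listing, issuer).items()):
        print(f"{state:<11} {nick}")
    if still_trusted_for_ssl(listing, issuer):
        sys.exit(1)  # non-zero so a post-update check script can fail loudly
```

Run against a real profile, a non-zero exit means at least one matching root is still an SSL trust anchor, which is exactly the "before/after updating" evidence the thread asks for; the `p,p,p` state is what a correctly applied built-in root removal looks like, and it is distinct from the cert simply being absent from the listing.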

