OK. The definition of "paranoia" is "eternal vigilance". Now you understand why I'm posting.

Given that at least two CAs have been penetrated (yes, yes, I know the Comodo hack was "only" a reseller...), and the opinion of many is that the Certificate system is at least badly bent:

How do we remove suspect root certificates? Specifically, I can't delete any "Builtin Object Tokens". OTOH, "Software Security Devices" appear to be not a problem.

I'm not entirely happy about removing CAs, but... Meanwhile, the fallout from the hack continues. DigiNotar has, in effect, lost its status as a trusted root certificate authority. Its certificates have been blacklisted by Microsoft, Google, Mozilla, and Apple.

So, how do we do it?

Gordon.

____________________
W7HPx64, K-Meleon 1.6.0b2 & b2.5, Opera 12.01, IE9x32, IE9x64
____________________
Sugar, greasy foods and Microsoft are dangerous to your health -- eat, drink and be merry!
____________________
Early to bed and early to rise makes a bloke crook, broke and stupid.

Tools > Privacy > View Data > View Certificates

Tab "Authorities". Select: DigiNotar Root CA.

Next choose either:

"Edit" and remove via editor the rights of this authority to sign anything.

Or:

"Delete" which asks You to confirm and also deletes the rights of the authority to sign anything.

http://kmeleon.sourceforge.net/forum/read.php?2,118473,118976#msg-118976



Edited 2 time(s). Last edit at 09/22/2011 01:41PM by guenter.

Hi guenter -

Thanks for that. After looking more closely I suspected that's all we can do.

Quote
deadlock
You can provide a patch for users
or build a GRE without those 200 certs

The full list is here.

We should also disable Comodo CA, and enquire closely from Mozilla about its certificate.

This is beginning to look like "Nightmare on Elm St" At the moment I must go with Tor and assume "no browser is secure", simply because

Quote

The Certificate Authority system as it stands today is a house of cards and we're witnessing in public what many have known for years in private. The entire system is soaked in petrol and waiting for a light.

Gordon.

____________________
W7HPx64, K-Meleon 1.6.0b2 & b2.5, Opera 12.01, IE9x32, IE9x64
____________________
Sugar, greasy foods and Microsoft are dangerous to your health -- eat, drink and be merry!
____________________
Early to bed and early to rise makes a bloke crook, broke and stupid.

Quote
gordon451

Quote
deadlock
You can provide a patch for users
or build a GRE without those 200 certs

The full list is here.

We should also disable Comodo CA, and enquire closely from Mozilla about its certificate.

1.) AFAIK You do not need a list what DigiNotar certificates to disable.

Quote
Wikipedia sub voce DigiNotar
DigiNotar was a Dutch certificate authority owned by VASCO Data Security International.[1] On September 3, 2011, after it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government took over operational management of DigiNotar's systems.[2]

That same month, the company was declared bankrupt.[3]...


The "DigiNotar Root CA" root was included in the trusted root lists of common internet client software but has now been removed;

the "Staat der Nederlanden" roots were and still are, because they were not compromised and other parts of that hierarchy continue to operate normally.

2.) Comodo CA is a different matter & apparently handled the "Comodogate" incident more responsible.

Referring to the compromised Comodo CA certificates Wikipedia says.

Quote
Wikipedia sub voce Comodo Group
All of the certificates have been revoked.

More detailed info is at https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

Quote
Comodo Group
The 9 affected certificates have been revoked.

Edited 1 time(s). Last edit at 09/23/2011 12:04AM by guenter.

I'm curious what would happen if I deleted ALL certificates? I'm not a trusting type of person and I would do it happily if it doesn't destroy the browser. I'm not terribly familiar with what "certificates" are but my guess it is something to do with wretched online shopping. I never will do that.

--
P2 400 MHz, 128 MB, Win 98 SE

Aaahhh... Bad idea.

Certificates are encrypted tokens of honesty and trust.

Yes, they are used for online shopping, but they are also used for many other things -- like "secure" websites that help stop nosy little beaurocrats/secret police/Homeland Defence from tracking what you look at, for example the secure version (https://) of Wikipedia. They are also used to validate software sites, especially for hotfixes and updates -- Microsoft and Mozilla both use this method.

The advantage of using certificates is that the process is completely "transparent" in the true sense of the word: you don't have to wrestle with complicated procedures, it's all done for you.

The system ain't perfect. Bt at the moment, it's the best we've got, and both sides of the system have a vested interest in keeping it good: the browser publishers (Gecko, Presto, Trident, Chome) who represent you the user on the one hand, and your clients on the other (banks, software publishers, Wikipedia etc).

By all means disable/delete DigiNotar, but that's as far as you need go. Needlessly tampering with certificates could mean you can't use various sites which you have never thought of as being "online shopping".

Gordon.

____________________
W7HPx64, K-Meleon 1.6.0b2 & b2.5, Opera 12.01, IE9x32, IE9x64
____________________
Sugar, greasy foods and Microsoft are dangerous to your health -- eat, drink and be merry!
____________________
Early to bed and early to rise makes a bloke crook, broke and stupid.

Quote
gordon451
The advantage of using certificates is that the process is completely "transparent" in the true sense of the word: you don't have to wrestle with complicated procedures, it's all done for you.
Gordon.

Except when you get those mysterious messages about invalid certs! I always refuse to accept them and they only pop up occasionally.

--
P2 400 MHz, 128 MB, Win 98 SE

Quote
MXB
Except when you get those mysterious messages about invalid certs!

Yes. Invalid certificates means KM doesn't recognise the certificate. Sometimes it is because the certificate has been delisted, sometimes it is not in the KM certificate store.

KM does have a method of installing new certificates, just do a search of this forum. Most of the time there is no harm in installing a new certificate -- as mentioned earlier, really only DigiNotar and perhaps the CNNIC from the PRC need to be treated with suspicion. However, both of those are not in common use.

Gordon.

____________________
W7HPx64, K-Meleon 1.6.0b2 & b2.5, Opera 12.01, IE9x32, IE9x64
____________________
Sugar, greasy foods and Microsoft are dangerous to your health -- eat, drink and be merry!
____________________
Early to bed and early to rise makes a bloke crook, broke and stupid.