Bugs : K-Meleon Web Browser Forum
You can talk about issues with K-Meleon here.
Pure Paranoia
Posted by: gordon451
Date: September 22, 2011 03:49AM

OK. The definition of "paranoia" is "eternal vigilance". Now you understand why I'm posting.

Given that at least two CAs have been penetrated (yes, yes, I know the Comodo hack was "only" a reseller...), and the opinion of many is that the Certificate system is at least badly bent:

How do we remove suspect root certificates? Specifically, I can't delete any "Builtin Object Tokens". OTOH, "Software Security Devices" appear to be not a problem.

I'm not entirely happy about removing CAs, but... Meanwhile, the fallout from the hack continues. DigiNotar has, in effect, lost its status as a trusted root certificate authority. Its certificates have been blacklisted by Microsoft, Google, Mozilla, and Apple.

So, how do we do it?

Gordon.

____________________
Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall" 01372 January 22, 2007 http://freefall.purrsia.com/ff1400/fv01372.htm]

Re: Pure Paranoia
Posted by: guenter
Date: September 22, 2011 04:42AM

Tools > Privacy > View Data > View Certificates

Tab "Authorities". Select: DigiNotar Root CA.

Next choose either:

"Edit" and, in the editor, remove this authority's rights to sign anything.

Or:

"Delete", which asks you to confirm and also deletes the rights of the authority to sign anything.

http://kmeleonbrowser.org/forum/read.php?2,118473,118976#msg-118976



Re: Pure Paranoia
Posted by: gordon451
Date: September 22, 2011 07:55AM

Hi guenter -

Thanks for that. After looking more closely I suspected that's all we can do.

Quote
deadlock
You can provide a patch for users
or build a GRE without those 200 certs

The full list is here.

We should also disable Comodo CA, and enquire closely from Mozilla about its certificate.

This is beginning to look like "Nightmare on Elm St" :-( At the moment I must go with Tor and assume "no browser is secure", simply because
Quote

The Certificate Authority system as it stands today is a house of cards and we're witnessing in public what many have known for years in private. The entire system is soaked in petrol and waiting for a light.

Gordon.

Re: Pure Paranoia
Posted by: guenter
Date: September 22, 2011 05:00PM

Quote
gordon451

Quote
deadlock
You can provide a patch for users
or build a GRE without those 200 certs

The full list is here.

We should also disable Comodo CA, and enquire closely from Mozilla about its certificate.

1.) AFAIK you do not need a list of which DigiNotar certificates to disable.

Quote
Wikipedia sub voce DigiNotar
DigiNotar was a Dutch certificate authority owned by VASCO Data Security International. On September 3, 2011, after it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government took over operational management of DigiNotar's systems.

That same month, the company was declared bankrupt. ...


The "DigiNotar Root CA" root was included in the trusted root lists of common internet client software but has now been removed; the "Staat der Nederlanden" roots were and still are, because they were not compromised and other parts of that hierarchy continue to operate normally.

2.) Comodo CA is a different matter & apparently handled the "Comodogate" incident more responsibly.

Referring to the compromised Comodo CA certificates, Wikipedia says:

Quote
Wikipedia sub voce Comodo Group
All of the certificates have been revoked.

More detailed info is at https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

Quote
Comodo Group
The 9 affected certificates have been revoked.



Re: Pure Paranoia
Posted by: MXB
Date: October 26, 2011 08:26PM

I'm curious what would happen if I deleted ALL certificates? I'm not a trusting type of person and I would do it happily if it doesn't destroy the browser. I'm not terribly familiar with what "certificates" are, but my guess is it is something to do with wretched online shopping. I never will do that.

--
P2 400 MHz, 128 MB, Win 98 SE

Re: Pure Paranoia
Posted by: gordon451
Date: October 27, 2011 12:10PM

Aaahhh... Bad idea.

Certificates are encrypted tokens of honesty and trust.

Yes, they are used for online shopping, but they are also used for many other things -- like "secure" websites that help stop nosy little bureaucrats/secret police/Homeland Defence from tracking what you look at, for example the secure version (https://) of Wikipedia. They are also used to validate software sites, especially for hotfixes and updates -- Microsoft and Mozilla both use this method.

The advantage of using certificates is that the process is completely "transparent" in the true sense of the word: you don't have to wrestle with complicated procedures, it's all done for you.

The system ain't perfect. But at the moment, it's the best we've got, and both sides of the system have a vested interest in keeping it good: the browser publishers (Gecko, Presto, Trident, Chrome) who represent you the user on the one hand, and your clients on the other (banks, software publishers, Wikipedia etc).

By all means disable/delete DigiNotar, but that's as far as you need go. Needlessly tampering with certificates could mean you can't use various sites which you have never thought of as being "online shopping".

Gordon.

Re: Pure Paranoia
Posted by: MXB
Date: October 28, 2011 01:27AM

Quote
gordon451
The advantage of using certificates is that the process is completely "transparent" in the true sense of the word: you don't have to wrestle with complicated procedures, it's all done for you.
Gordon.

Except when you get those mysterious messages about invalid certs! :-) I always refuse to accept them and they only pop up occasionally.

Re: Pure Paranoia
Posted by: gordon451
Date: October 28, 2011 09:48AM

Quote
MXB
Except when you get those mysterious messages about invalid certs!

Yes. An "invalid certificate" message means KM doesn't recognise the certificate. Sometimes it is because the certificate has been delisted, sometimes it is not in the KM certificate store.

KM does have a method of installing new certificates, just do a search of this forum. Most of the time there is no harm in installing a new certificate -- as mentioned earlier, really only DigiNotar and perhaps the CNNIC from the PRC need to be treated with suspicion. However, both of those are not in common use.

Gordon.

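The two points made above, guenter's "Delete the root from the Authorities tab" and Gordon's explanation that an "invalid certificate" warning often just means the browser has no trusted root for it, can be watched in code. The following Go program is an added example, not code from this thread or from K-Meleon: it uses Go's crypto/x509 chain verifier as a stand-in for Gecko's, builds two self-signed roots that only borrow the names "DigiNotar Root CA" and "Staat der Nederlanden Root CA" (constructed throwaway keys, nothing from the real CAs), has each sign a server certificate for the constructed hostname example.test, then removes only the compromised root from the trust store and re-verifies both leaves.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type cred struct { // a certificate together with the private key it certifies
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mustIssue creates a certificate for name: with a nil parent a self-signed root
// (CA flag, cert-signing usage), otherwise a server cert for that host signed by parent.
func mustIssue(name string, parent *cred) *cred {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only a broken crypto/rand gets here; like template.Must
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer := &cred{cert: tmpl, key: key} // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer = parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.cert, &key.PublicKey, signer.key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &cred{cert: cert, key: key}
}

// trustStore mirrors the browser's "Authorities" tab after the user deletes
// entries: any root whose subject CN is in distrusted is left out of the pool.
func trustStore(roots []*x509.Certificate, distrusted map[string]bool) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		if !distrusted[r.Subject.CommonName] {
			pool.AddCert(r)
		}
	}
	return pool
}

// verifyServer is the check a browser runs in a TLS handshake: chain the leaf
// to a trusted root and match the hostname. A nil error means the page loads.
func verifyServer(leaf *x509.Certificate, pool *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// IsUnknownAuthority reports whether err is the "no trusted root" failure that
// sits behind the browser's "invalid certificate" prompt in this scenario.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Demo returns the DigiNotar-issued leaf's result before and after the root is
// deleted from the store, then the Staat-issued leaf's result after that deletion.
func Demo() (badBefore, badAfter, goodAfter error) {
	const host = "example.test" // constructed hostname
	// Stand-in roots that only borrow the names discussed in the thread.
	bad := mustIssue("DigiNotar Root CA", nil)
	good := mustIssue("Staat der Nederlanden Root CA", nil)
	badLeaf, goodLeaf := mustIssue(host, bad), mustIssue(host, good)
	roots := []*x509.Certificate{bad.cert, good.cert}
	full, pruned := trustStore(roots, nil), trustStore(roots, map[string]bool{"DigiNotar Root CA": true})
	return verifyServer(badLeaf.cert, full, host), verifyServer(badLeaf.cert, pruned, host),
		verifyServer(goodLeaf.cert, pruned, host)
}

func main() {
	b1, b2, g := Demo()
	fmt.Println("DigiNotar-issued leaf, root trusted: ", b1)
	fmt.Println("DigiNotar-issued leaf, root deleted: ", b2)
	fmt.Println("Staat-issued leaf, DigiNotar deleted:", g)
}
```

Run it with `go run .`: the first line prints `<nil>`, the second an "x509: certificate signed by unknown authority" error, and the third `<nil>` again. That second line is exactly the condition behind the browser's "invalid certificate" dialog once a root is gone, and the third shows why deleting only the compromised root, rather than all of them as MXB proposed, leaves the rest of the web working.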