On Tue, 30 Aug 2011 22:24:33 +0200, Pierre Schmitz wrote:
Hi all,
there was another incident with a CA. See http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificat... for more details. If you'd like to distrust this issuer you'll find a howto for Firefox at http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert
For other apps that use our ca-certificates package (by Debian) you can easily disable the root cert by issuing the following commands as root:
As a follow up I'd recommend to also remove the root certificates of "Staat der Nederlanden". The problem is that they had used DigiNotar as intermediate CA. There are specific updates for Firefox and Chromium but other browsers are still affected. You can check if these certs are still accepted by your browser by visiting sites such as https://secure.valkenswaard.nl/. Make sure they still use the DigiNotar intermediate cert. ATM I don't know of any other workaround than removing the root certs completely. To do so run:

    sed -E 's#^(mozilla/Staat_der_Nederlanden_Root_CA.*)$#!\1#g' \
        -i /etc/ca-certificates.conf
    update-ca-certificates

Here are some links including more details. For now it seems Debian won't remove these root certs. Unfortunately this would mean that every client needs to be updated; which is also unlikely to happen. A brief look at what Mozilla does*) should show that this system is pretty much broken.

http://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/
https://bugzilla.mozilla.org/show_bug.cgi?id=683449
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640567

*) http://hg.mozilla.org/releases/mozilla-release/file/e65f4c8bd243/security/ma...

Greetings,

Pierre

-- 
Pierre Schmitz, https://users.archlinux.de/~pierre
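The deselect step from the mail above, as an added example that is not part of Pierre's message or of the ca-certificates package: a small POSIX shell script that performs the same edit on a constructed stand-in for /etc/ca-certificates.conf and checks the result. It relies only on the documented behaviour of update-ca-certificates(8), which treats a line prefixed with "!" as a deselected certificate. The function names, the sample file contents and the temp-file handling are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail or from the ca-certificates
# package): deselect root CAs in a Debian-style /etc/ca-certificates.conf.
# update-ca-certificates(8) treats a line prefixed with "!" as a deselected
# certificate; that is the mechanism the sed one-liner in the mail uses.
# Function names and the sample file below are assumptions.
set -eu

# enabled_ca_count CONF PREFIX
# Print how many still-enabled entries in CONF start with PREFIX
# (e.g. "mozilla/Staat_der_Nederlanden_Root_CA"). Lines already marked
# with "!" or commented out with "#" do not start with the prefix and so
# are not counted.
enabled_ca_count() {
    awk -v p="$2" 'index($0, p) == 1 { n++ } END { print n + 0 }' "$1"
}

# disable_ca_entry CONF PREFIX
# Prefix every enabled entry that starts with PREFIX with "!". Because the
# match is anchored on the literal prefix, already-deselected lines
# ("!mozilla/...") are skipped, so running it twice is a no-op and never
# produces stacked markers like "!!mozilla/...".
disable_ca_entry() {
    awk -v p="$2" '
        index($0, p) == 1 { print "!" $0; next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# make_sample_conf
# Write a constructed stand-in for /etc/ca-certificates.conf to a temp
# file and print its path. The entries follow the real file's
# "mozilla/<Name>.crt" convention, but this list is made up here.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
mozilla/DigiNotar_Root_CA.crt
mozilla/Staat_der_Nederlanden_Root_CA.crt
mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt
mozilla/Some_Other_Root_CA.crt
EOF
    printf '%s\n' "$f"
}

# Stand-alone demonstration on the constructed file. The real procedure is
# identical with CONF=/etc/ca-certificates.conf, run as root and followed
# by update-ca-certificates to rebuild /etc/ssl/certs.
demo() {
    conf=$(make_sample_conf)
    prefix=mozilla/Staat_der_Nederlanden_Root_CA
    echo "enabled before:  $(enabled_ca_count "$conf" "$prefix")"  # 2
    disable_ca_entry "$conf" "$prefix"
    disable_ca_entry "$conf" "$prefix"                             # no-op
    echo "enabled after:   $(enabled_ca_count "$conf" "$prefix")"  # 0
    echo "stacked markers: $(grep -c '^!!' "$conf" || true)"       # 0
    cat "$conf"
    rm -f "$conf"
}

demo
```

On a real system run `update-ca-certificates` as root after editing the file; it removes the deselected certificates from /etc/ssl/certs and the combined bundle. Note that this only affects programs using the system store; Firefox keeps its own NSS store and needs the howto linked in the first mail. A quick check afterwards is `openssl s_client -connect secure.valkenswaard.nl:443 -CApath /etc/ssl/certs`, which should report a verification error as long as that site still chains to one of the deselected roots.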