On 09/07/2011 08:02 PM, Jan de Groot wrote:
> On Wed, 2011-09-07 at 16:07 +0200, Pierre Schmitz wrote:
>> I did a brief test with curl and webkit browsers such as rekonq. They accept the certificates from the site mentioned above unless I disable "Staat der Nederlanden CA". AFAIK Firefox does an explicit check if there is a DigiNotar cert within the chain; other browsers and clients most likely don't. So I still think it's the easiest for most people to disable those certs as well.
> I tried epiphany, that browser doesn't even give a warning when a cert is invalid. One week ago the cert for GNOME bugzilla was expired, Firefox couldn't add an exception, making it unable to visit bugs.gnome.org, but epiphany just shows the website without any warning. When I check a DigiNotar signed website, Epiphany shows a broken lock in the address bar, so though it's SSL, it says the security is broken.
Epiphany is kinda broken. It does say for all websites that the security is broken. I wonder if we are missing something... https://bugzilla.gnome.org/show_bug.cgi?id=611496
>> But yes, I am not absolutely sure as the information you can find in the media atm is not that accurate. E.g. heise states that Microsoft will remove the Netherlands root cert completely.
> Heise is wrong IMHO. When the DigiNotar hack was made public, all browser companies issued updates. Both Microsoft and Mozilla added checks to their browsers to see if a cert originates from "Staat der Nederlanden CA" so the cert would get accepted as valid. Now that Fox IT uncovered a report about the security at DigiNotar and that no cert ever issued by this company should be trusted, Mozilla and Microsoft decided to remove that exception and just disable all DigiNotar certificates. I pulled in this update through Windows Update this morning and had to reboot for it (Windows XP). On Windows XP you don't have to reboot for a base certificate update, so this is an update that touches code instead of some certificate store.
--
Ionuț
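For illustration of the chain policy the thread describes (a Firefox-style scan of the whole chain for a DigiNotar issuer, with the short-lived "Staat der Nederlanden CA" exception as a toggle), here is an added example that is not part of the thread or of any browser's code. Certificates are modelled by their subject and issuer names only, and all chains below are constructed samples, not real DigiNotar or PKIoverheid certificates.

```python
# Added example: a chain-level distrust check modelled on the behaviour
# discussed in the thread. Certs are reduced to subject/issuer DN strings;
# every chain here is a constructed sample, not a real certificate.

DISTRUSTED_ORGS = {"DigiNotar"}            # distrust any cert with this O= in the chain
EXCEPTED_CNS = {"Staat der Nederlanden CA"}  # the temporary exception, later removed


def parse_dn(dn):
    """Turn 'CN=x, O=y, C=NL' into {'CN': 'x', 'O': 'y', 'C': 'NL'}."""
    parts = {}
    for item in dn.split(","):
        key, _, value = item.strip().partition("=")
        parts[key.upper()] = value.strip()
    return parts


def linked(chain):
    """Leaf-first chain: each cert's issuer must be the next cert's subject."""
    return all(chain[i]["issuer"] == chain[i + 1]["subject"]
               for i in range(len(chain) - 1))


def chain_verdict(chain, honour_exception=False):
    """Return 'ok', 'untrusted-issuer' or 'broken-chain'.

    With honour_exception=True the chain is accepted if any cert in it is the
    excepted sub-CA, even though a distrusted O= appears further up (the
    pre-Fox-IT behaviour); with the default, the whole chain is distrusted.
    """
    if not linked(chain):
        return "broken-chain"
    subjects = [parse_dn(c["subject"]) for c in chain]
    if honour_exception and any(s.get("CN") in EXCEPTED_CNS for s in subjects):
        return "ok"
    if any(s.get("O") in DISTRUSTED_ORGS for s in subjects):
        return "untrusted-issuer"
    return "ok"


def cert(subject, issuer):
    return {"subject": subject, "issuer": issuer}


# Constructed sample chains (leaf first), not real certificates.
DIGINOTAR_ROOT = "CN=DigiNotar Root CA, O=DigiNotar, C=NL"
GOV_SUBCA = "CN=Staat der Nederlanden CA, O=Staat der Nederlanden, C=NL"
GOV_CHAIN = [cert("CN=example.overheid.nl, O=Example Ministry, C=NL", GOV_SUBCA),
             cert(GOV_SUBCA, DIGINOTAR_ROOT), cert(DIGINOTAR_ROOT, DIGINOTAR_ROOT)]
COMMERCIAL_CHAIN = [cert("CN=shop.example, O=Example Shop, C=NL", DIGINOTAR_ROOT),
                    cert(DIGINOTAR_ROOT, DIGINOTAR_ROOT)]
OTHER_ROOT = "CN=Other Root CA, O=Other CA Ltd, C=GB"
OTHER_CHAIN = [cert("CN=bugs.example, O=Example Project, C=US", OTHER_ROOT),
               cert(OTHER_ROOT, OTHER_ROOT)]
```

Running `chain_verdict(GOV_CHAIN, honour_exception=True)` gives `ok` while the default gives `untrusted-issuer`, which is the difference between the exception browsers shipped first and the blanket removal described above.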