On Tue, 2011-08-30 at 22:24 +0200, Pierre Schmitz wrote:
Hi all,
there was another incident with a CA. See http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificat... for more details. If you like to distrust this issuer you'll find a howto for Firefox at http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert
For other apps that use our ca-certificates package (by Debian) You can easily disable the root cert by issuing the following commands as root:
sed -E 's#^(mozilla/DigiNotar_Root_CA.crt)$#!\1#g' -i /etc/ca-certificates.conf
update-ca-certificates
This information is just for those who are curious. There is most likely no need to panic for those people; especially if you don't live in Iran. And if you do, it's probably too late as the issuer was compromised two months ago. And I thought the Comodo incident was already a pure nightmare...
The whole CA structure we base our SSL security on is a mess imho. Blindly shipping a bunch of certificates to our users does not seem to be the best idea any more. Unfortunately there is no real alternative atm.
The whole SSL system is based on trust. We have to trust the CA roots, and those CA roots have to trust their clients. That way, we trust the clients they trust. So far, not much is wrong with that system, but when it turns out the CA root can't be trusted, that CA root should get kicked out. You can't tell the difference between a valid certificate issued by the CA root and an invalid certificate issued by a hacker using his key.

I already removed DigiNotar from nss. Ionut updated Firefox to 6.0.1, which distrusts all certificates that are issued by DigiNotar, with the exception of those that originate from the PKIOverheid CA. We should remove DigiNotar from our ca-certificates package. A CA that doesn't care about security, doesn't inform us about hacks and doesn't even know what systems were affected should not be trusted.

Looking at Debian, they already blacklisted DigiNotar: http://packages.qa.debian.org/c/ca-certificates/news/20110831T024756Z.html We should do the same.
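As an added example that is not part of either message in this thread: the one-liner quoted above works because update-ca-certificates reads /etc/ca-certificates.conf, treats lines beginning with "#" as comments and lines beginning with "!" as deselected, and installs only the remaining entries into /etc/ssl/certs. The POSIX shell script below applies that "!" deselection to a constructed stand-in for the conf file so it can be tried without touching a real system. The sample file contents and the helper names (distrust_ca, ca_is_trusted, active_cas, count_deselected) are assumptions for this example, not anything shipped by the ca-certificates package, and update-ca-certificates itself is not run here.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the
# ca-certificates package. Edits a copy of ca-certificates.conf.
# Requires GNU sed (for -i), as the quoted one-liner does.
set -eu

# make_sample_conf FILE: write a small constructed conf (assumed content,
# mirroring the real file's "mozilla/<Name>.crt" entry style).
make_sample_conf() {
    cat > "$1" <<'EOF'
# Lines starting with # are comments, lines starting with ! are deselected.
mozilla/Comodo_AAA_Services_root.crt
mozilla/DigiNotar_Root_CA.crt
mozilla/Staat_der_Nederlanden_Root_CA.crt
mozilla/DigiNotar_Root_CA_G2.crt
EOF
}

# distrust_ca FILE NAME: prefix the entry NAME with "!" so that
# update-ca-certificates would drop it from /etc/ssl/certs.
# The pattern is anchored to the whole line and dots are escaped, so
# DigiNotar_Root_CA.crt does not also hit DigiNotar_Root_CA_G2.crt, and a
# line that is already "!"-prefixed no longer matches, which makes
# repeated calls idempotent (no "!!" lines).
distrust_ca() {
    conf=$1
    esc=$(printf '%s\n' "$2" | sed 's/[.]/\\./g')
    # '#' is used as the s/// delimiter because entry names contain '/'.
    sed -E -i 's#^('"$esc"')$#!\1#' "$conf"
}

# ca_is_trusted FILE NAME: succeed only if NAME is present as an active
# (unprefixed, exact) line, i.e. it would still be installed.
ca_is_trusted() {
    grep -qxF "$2" "$1"
}

# active_cas FILE: print the entries update-ca-certificates would keep,
# skipping comments, deselected lines and blanks.
active_cas() {
    grep -v -e '^#' -e '^!' -e '^$' "$1"
}

# count_deselected FILE: number of "!"-prefixed entries (0 if none).
count_deselected() {
    grep -c '^!' "$1" || true
}

# Stand-alone demo on a temporary copy.
tmp=$(mktemp)
make_sample_conf "$tmp"
distrust_ca "$tmp" mozilla/DigiNotar_Root_CA.crt
distrust_ca "$tmp" mozilla/DigiNotar_Root_CA.crt   # second run is a no-op
printf 'Deselected entries: %s\n' "$(count_deselected "$tmp")"
printf 'Still active:\n'
active_cas "$tmp"
rm -f "$tmp"
```

On a real system the same function would be pointed at /etc/ca-certificates.conf (as root) and followed by update-ca-certificates, which is the step that actually removes the symlink from /etc/ssl/certs and rebuilds the bundle; editing the conf file alone changes nothing for running applications.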