[arch-dev-public] How to disable the DigiNotar root cert on Arch

Pierre Schmitz pierre at archlinux.de
Wed Sep 7 05:55:13 EDT 2011


On Tue, 30 Aug 2011 22:24:33 +0200, Pierre Schmitz wrote:
> Hi all,
> 
> there was another incident with a CA. See
> http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/
> for more details. If you like to distrust this issuer you'll find a
> howto for Firefox at
> http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert
> 
> For other apps that use our ca-certificates package (by Debian) You can
> easily disable the root cert by issuing the following commands as root:

As a follow-up I'd also recommend removing the root certificates of
"Staat der Nederlanden". The problem is that they used DigiNotar as an
intermediate CA. There are specific updates for Firefox and Chromium, but
other browsers are still affected. You can check whether these certs are
still accepted by your browser by visiting sites such as
https://secure.valkenswaard.nl/. Make sure they still use the DigiNotar
intermediate cert. ATM I don't know of any other workaround than removing
the root certs completely.

To do so run:
  # prefix the matching entries with "!" so they are no longer trusted
  sed -E 's#^(mozilla/Staat_der_Nederlanden_Root_CA.*)$#!\1#g' \
  -i /etc/ca-certificates.conf
  # rebuild /etc/ssl/certs from the remaining enabled entries
  update-ca-certificates

Here are some links with more details. For now it seems Debian
won't remove these root certs. Unfortunately this would mean that every
client needs to be updated, which is also unlikely to happen. A brief
look at what Mozilla does*) should show that this system is pretty much
broken.

http://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/
https://bugzilla.mozilla.org/show_bug.cgi?id=683449
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640567

*)
http://hg.mozilla.org/releases/mozilla-release/file/e65f4c8bd243/security/manager/ssl/src/nsNSSCallbacks.cpp

Greetings,

Pierre

-- 
Pierre Schmitz, https://users.archlinux.de/~pierre
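The procedure from the mail above (comment out an entry in ca-certificates.conf with a leading "!", then run update-ca-certificates) as a small reusable script. This is an added example, not Pierre's commands or anything shipped by Arch or Debian: it works on whatever file path it is given, so it can be tried on a constructed copy first, it skips entries that are already disabled so it is safe to re-run, and it reports how many entries it actually changed. It assumes the Debian/Arch ca-certificates.conf format (one "bundle/Name.crt" per line, "!" marks a disabled entry, "#" a comment), GNU sed for "-i", and a prefix argument that is a plain string without regex metacharacters.

```sh
#!/bin/sh
# Added example: disable trust for CA entries in a ca-certificates.conf-style
# file and verify the result. Assumes the Debian/Arch format: one
# "<bundle>/<Name>.crt" per line, a leading '!' disables an entry, a leading
# '#' is a comment. Needs GNU sed (for -i).

# make_sample_conf <path>: write a constructed sample in the style of
# /etc/ca-certificates.conf (the names below are assumptions for the demo).
make_sample_conf() {
    cat > "$1" <<'EOF'
# Constructed sample. Prefix an entry with ! to disable it.
mozilla/DigiNotar_Root_CA.crt
mozilla/Staat_der_Nederlanden_Root_CA.crt
mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt
mozilla/Example_Unrelated_CA.crt
EOF
}

# count_active <conf> <prefix>: number of entries starting with <prefix> that
# are still trusted, i.e. not commented out with '#' or disabled with '!'.
# grep -c prints 0 and exits 1 when nothing matches, hence the "|| true".
count_active() {
    grep -c -E "^$2" "$1" || true
}

# disable_ca <conf> <prefix>: put '!' in front of every active entry that
# starts with <prefix>. Lines already starting with '!' or '#' do not match
# the anchored pattern, so re-running is harmless. Prints how many entries
# were newly disabled so a caller can tell "nothing to do" from "done".
disable_ca() {
    conf=$1
    prefix=$2
    before=$(count_active "$conf" "$prefix")
    sed -E 's#^('"$prefix"'[^[:space:]]*)$#!\1#' -i "$conf"
    after=$(count_active "$conf" "$prefix")
    echo $((before - after))
}

# is_disabled <conf> <entry>: succeed if the exact entry is present and
# marked with '!', which is what update-ca-certificates honours.
is_disabled() {
    grep -q -F -x "!$2" "$1"
}

# Demo on a throw-away copy; on a real system the target would be
# /etc/ca-certificates.conf (as root) followed by update-ca-certificates.
demo=$(mktemp)
make_sample_conf "$demo"
echo "disabled $(disable_ca "$demo" 'mozilla/Staat_der_Nederlanden_Root_CA') Staat der Nederlanden entries"
echo "disabled $(disable_ca "$demo" 'mozilla/DigiNotar_Root_CA') DigiNotar entries"
echo "still active under mozilla/: $(count_active "$demo" 'mozilla/')"
rm -f "$demo"
```

After running this against the real /etc/ca-certificates.conf, update-ca-certificates still has to be run (as in the mail) for /etc/ssl/certs to change; is_disabled only confirms the configuration line, not what applications have already loaded into memory.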

