[arch-dev-public] How to disable the DigiNotar root cert on Arch
Ionut Biru
ibiru at archlinux.org
Wed Sep 7 13:45:34 EDT 2011
On 09/07/2011 08:02 PM, Jan de Groot wrote:
> On Wed, 2011-09-07 at 16:07 +0200, Pierre Schmitz wrote:
>> I did a brief test with curl and webkit browsers such as rekonq. They
>> accept the certificates from the site mentioned above unless I disable
>> "Staat der Nederlanden CA". Afaik Firefox does an explicit check if
>> there is a diginotar cert within the chain; other browsers and clients
>> most likely don't. So I still think its the easiest for most people to
>> disable those certs as well.
>
> I tried epiphany, that browser doesn't even give a warning when a cert
> is invalid. One week ago the cert for GNOME bugzilla was expired,
> Firefox couldn't add an exception, making it unable to visit
> bugs.gnome.org, but epiphany just shows the website without any warning.
> When I check a DigiNotar signed website, Epiphany shows a broken lock in
> the address bar, so though it's SSL, it says the security is broken.
>
epiphany is kinda broken. it does say for all websites that the security
is broken. I wonder if we are missing something...
https://bugzilla.gnome.org/show_bug.cgi?id=611496
>> But yes, I am not absolutely sure as the information you can found in
>> the media atm is not that accurate. E.g. heise states that Microsoft
>> will remove the Nederlands root cert completely.
>
> Heise is wrong IMHO. When the DigiNotar hack was made public, all
> browser companies issued updates. Both Microsoft and Mozilla added
> checks to their browsers to see if a cert originates from "Staat der
> Nederlanden CA" so the cert would get accepted as valid. Now that Fox IT
> uncovered a report about the security at DigiNotar and that not any cert
> ever issued by this company should be trusted, Mozilla and Microsoft
> decided to remove that exception and just disable all DigiNotar
> certificates.
> I pulled in this update through Windows Update this morning, I had to
> reboot for it (Windows XP). On Windows XP you don't have to reboot for a
> base certificate update, so this is an update that touches code instead
> of some certificate store.
>
--
Ionuț
More information about the arch-dev-public
mailing list