Time to remove some untrustworthy Certificate Authorities from Browser and OS

Accepted submission by fab23 at 2022-11-17 21:18:34 from the one-at-the-time dept.

Already last week Bruce Schneier published An Untrustworthy TLS Certificate in Browsers, and now Ian Carroll has also published Security concerns with the e-Tugra certificate authority. Ian is famous for the death of EV (Extended Validation) certificates: he was legally able to register a colliding entity name and then obtained an EV certificate for his site. As this site is not online any more, a good write-up of this is Extended Validation Certificates are (Really, Really) Dead from Troy Hunt (also known for ';--have i been pwned?).

So it may be recommended to disable / remove trust for all the Certificate Authorities (CAs) named:

  • TrustCor
  • E-Tugra

In Mozilla Firefox and Thunderbird go into Settings, search for "View Certificates" and click on it. In the newly opened window choose "Authorities" at the top right, go through the list and select the above-mentioned CAs (where there is a "Builtin Object Token") and click on "Edit Trust..." at the bottom. In the popup that opens, deselect both options for "This certificate can identify ..." and click "OK". When done with the mentioned CAs, click on "OK" again.

In macOS open "Keychain Access" and select "System Roots" on the left side. You can either scroll through and find the CAs, or use the search at the top right. Select the CA, right-click (or Ctrl-click) and select "Get Info". In the newly opened window click on the > arrow left of "Trust", then below, for "When using this certificate:", choose "Never Trust" and close the window. You may need to confirm with the credentials of an admin user to disable this CA.

On unix-like systems (like BSD or Linux distributions) it varies depending on the installed / used certificate packages how easy it may be to remove the above-mentioned CAs. Be aware that with an update of the certificate package they may return again.
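As an added example for one common Linux layout (this script is not part of the original submission): on Debian and Ubuntu the package ca-certificates lists every root in /etc/ca-certificates.conf, one file name per line, and a leading "!" marks that root as deselected; running update-ca-certificates afterwards rebuilds /etc/ssl/certs without it. The function below prefixes matching lines with "!" so the CAs named above are distrusted, and the helper that writes a scratch copy of the config uses constructed sample lines (the file names follow the package's mozilla/*.crt naming, but treat them as illustrative). The path and search strings are parameters, not anything the package itself provides.

```shell
#!/bin/sh
# Added example, not from the original article.
# Debian/Ubuntu keep the list of trusted roots in /etc/ca-certificates.conf;
# a line starting with "!" is a deselected root, and "update-ca-certificates"
# regenerates /etc/ssl/certs from that list.

# distrust_cas CONF PATTERN...
# Prefix every non-comment entry of CONF that contains one of the
# case-insensitive fixed-string PATTERNs with "!".  Idempotent: an entry
# that is already deselected is left with a single "!".
distrust_cas() {
    conf=$1; shift
    tmp="$conf.tmp.$$"
    awk -v pats="$*" '
        BEGIN { n = split(pats, p, " "); for (i = 1; i <= n; i++) p[i] = tolower(p[i]) }
        /^#/ || /^$/ { print; next }            # keep comments and blank lines
        {
            name = $0
            sub(/^!/, "", name)                  # strip an existing "!" marker
            hit = 0
            for (i = 1; i <= n; i++) if (index(tolower(name), p[i])) hit = 1
            if (hit) print "!" name; else print $0
        }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# count_distrusted CONF -> number of deselected ("!") entries
count_distrusted() {
    grep -c '^!' "$1" || true
}

# list_distrusted CONF -> names of deselected entries, without the "!"
list_distrusted() {
    sed -n 's/^!//p' "$1"
}

# write_sample_conf PATH: constructed sample mirroring the real file's layout
write_sample_conf() {
    cat > "$1" <<'EOF'
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.  (constructed sample, not the live file)
mozilla/Amazon_Root_CA_1.crt
mozilla/TrustCor_RootCert_CA-1.crt
mozilla/TrustCor_RootCert_CA-2.crt
mozilla/TrustCor_ECA-1.crt
mozilla/E-Tugra_Certification_Authority.crt
mozilla/ISRG_Root_X1.crt
EOF
}

# Demo on a scratch copy: ./distrust.sh --demo
# Real use (as root):   distrust_cas /etc/ca-certificates.conf TrustCor E-Tugra && update-ca-certificates
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp)
    write_sample_conf "$scratch"
    distrust_cas "$scratch" TrustCor E-Tugra
    echo "deselected $(count_distrusted "$scratch") roots:"
    list_distrusted "$scratch"
    rm -f "$scratch"
fi
```

Because the "!" markers live in a file the package treats as configuration, they survive a package upgrade, but a new release can ship additional files under a similar name that are not yet marked; re-running the function (it is idempotent) after each upgrade of ca-certificates is the check to keep. On Fedora and RHEL-style systems the equivalent is copying the root's PEM into /etc/pki/ca-trust/source/blacklist/ and running update-ca-trust.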

