[SOLVED]Security: Fraudulent *.google.com Certificate
"Issue
Mozilla was informed today about the issuance of at least one fraudulent SSL certificate for public websites belonging to Google, Inc. This is not a Firefox-specific issue, and the certificate has now been revoked by its issuer, DigiNotar. This should protect most users. ..."
http://blog.mozilla.com/security/201...m-certificate/ and http://www.h-online.com/open/news/it...s-1333088.html
Can we switch that off for our browsers (MicroB, Fennec, Opera)? See also http://support.mozilla.com/en-US/kb/...inotar-ca-cert
Certificate Manager (in Settings) only allows importing a certificate. How do I delete one?
Re: Security: Fraudulent *.google.com Certificate
Open a bug, seriously, there is a chance for Nokia to react.
Re: Security: Fraudulent *.google.com Certificate
I manually deleted DigiNotar's certificate on my laptop (as per Mozilla's instructions), and then copied the cert8.db file from within the Firefox directory to the phone.
Going to https://www.diginotar.com/ presented me with an invalid certificate, so it's working.
Edit: You could also use certutil to remove just the one certificate. You'll have to copy your cert8.db over to a computer that can run the certutil program, and then copy the database back over.
Re: Security: Fraudulent *.google.com Certificate
This is very important. And it seems there is no way to manage certificates on Maemo, which is a shame. So yeah, as jd4200 said, simply delete the certificate on your computer, then copy the cert8.db to /home/user/.mozilla/microb/. Not sure how MicroB makes use of OCSP.
Edit: better this http://talk.maemo.org/showpost.php?p...7&postcount=12 and http://talk.maemo.org/showpost.php?p...86&postcount=7
Anyway, it's an OS from October 2010. I bet there are many, many more security issues, probably even remote :-).
Re: Security: Fraudulent *.google.com Certificate
Quote:
I think this only helps for Fennec. Anyway: I contacted a security email address at Nokia, let's see if they answer.
Re: Security: Fraudulent *.google.com Certificate
Quote:
Anyway, OCSP in microb:
security.OCSP.enabled=1
security.OCSP.require=false
Which means AFAIK:
"Contact an OCSP server if the certificate has one listed. If not, then do not."
"Also, if the connection to the OCSP server fails, do not think it is invalid/revoked."
But I would not rely on OCSP anyway. However, some people might want to change this.
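An added example, not part of any post in this thread: a short Python audit that reads the two OCSP prefs quoted above from Gecko-style `user_pref(...)` lines and models the soft-fail behaviour the post describes. The sample prefs text, the responder URL and the function names are constructed for illustration, and the decision logic is a simplified model of the post's description, not MicroB's code.

```python
import re

# Gecko prefs.js / user.js line format: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Values quoted in the post above, used when a pref is not set in the file.
DEFAULTS = {"security.OCSP.enabled": 1, "security.OCSP.require": False}

# Constructed sample input, not copied from a device.
SAMPLE_PREFS = '''
// constructed sample
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.OCSP.enabled", 1);
user_pref("security.OCSP.require", false);
'''

def parse_prefs(text):
    """Return the two OCSP prefs found in prefs text, falling back to DEFAULTS."""
    prefs = dict(DEFAULTS)
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m or m.group(1) not in DEFAULTS:
            continue
        raw = m.group(2).strip()
        prefs[m.group(1)] = (raw == "true") if raw in ("true", "false") else int(raw)
    return prefs

def revocation_decision(prefs, responder_url, ocsp_outcome):
    """ocsp_outcome is 'good', 'revoked' or 'unreachable' (timeout or blocked)."""
    if prefs["security.OCSP.enabled"] == 0 or not responder_url:
        return "accept (no OCSP check made)"
    if ocsp_outcome == "revoked":
        return "reject"
    if ocsp_outcome == "unreachable":
        # require=false is soft-fail: a failed lookup is treated as "not revoked".
        return "reject" if prefs["security.OCSP.require"] else "accept (soft-fail)"
    return "accept"

def audit(text, responder_url="http://ocsp.example.test"):
    """Map each OCSP outcome to the browser's decision under the given prefs."""
    prefs = parse_prefs(text)
    return {o: revocation_decision(prefs, responder_url, o)
            for o in ("good", "revoked", "unreachable")}

if __name__ == "__main__":
    for outcome, decision in audit(SAMPLE_PREFS).items():
        print(f"{outcome:12s} -> {decision}")
```

With the values from the post, a revoked certificate is only rejected when the responder can actually be reached, which is why removing or distrusting the CA in cert8.db is the more dependable fix.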
Re: Security: Fraudulent *.google.com Certificate
Quote:
Actually the browser (the backend) crashes (the coredump has been uploaded by the crash reporter). This explains why the UI remains in the same state.