maemo.org - Talk

maemo.org - Talk (https://talk.maemo.org/index.php)
-   Nokia N900 (https://talk.maemo.org/forumdisplay.php?f=44)
-   -   [SOLVED]Security: Fraudulent *.google.com Certificate (https://talk.maemo.org/showthread.php?t=76178)

PMaff 2011-08-30 14:14

[SOLVED]Security: Fraudulent *.google.com Certificate
 
"Issue

Mozilla was informed today about the issuance of at least one fraudulent SSL certificate for public websites belonging to Google, Inc. This is not a Firefox-specific issue, and the certificate has now been revoked by its issuer, DigiNotar. This should protect most users.
..."
http://blog.mozilla.com/security/201...m-certificate/

and
http://www.h-online.com/open/news/it...s-1333088.html

Can we switch that off for our browsers (MicroB,Fennec, Opera)?
See also
http://support.mozilla.com/en-US/kb/...inotar-ca-cert
Certificate Manager (in Settings) only allows to import a certificate.
How do I delete one?

freemangordon 2011-08-30 14:26

Re: Security: Fraudulent *.google.com Certificate
 
Open a bug, seriously, there is a chance Nokia will react

jd4200 2011-08-30 14:56

Re: Security: Fraudulent *.google.com Certificate
 
I manually deleted DigiNotar's certificate on my laptop (as per Mozilla's instructions), and then copied the cert8.db file from within the Firefox directory to the phone.

Going to https://www.diginotar.com/ presented me with an invalid certificate, so it's working.

Edit: You could also use certutil to remove just the one certificate; you'll have to copy your cert8.db over to a computer that can run the certutil program, and then copy the database back over.

NIN101 2011-08-30 15:07

Re: Security: Fraudulent *.google.com Certificate
 
This is very important. And it seems there is no way to manage certificates on Maemo, which is a shame. So yeah, as jd4200 said, simply delete the certificate on your computer, then copy the cert8.db to /home/user/.mozilla/microb/. Not sure how MicroB makes use of OCSP.
Edit: better this http://talk.maemo.org/showpost.php?p...7&postcount=12 and http://talk.maemo.org/showpost.php?p...86&postcount=7

Anyway, it's an OS from October 2010. I bet there are many, many more security issues, probably even remote ones :-).

PMaff 2011-08-30 15:12

Re: Security: Fraudulent *.google.com Certificate
 
Quote:

Originally Posted by jd4200 (Post 1079040)
I manually deleted DigiNotar's certificate on my laptop (as per Mozilla's instructions), and then copied the cert8.db file from within the Firefox directory to the phone.

Going to https://www.diginotar.com/ presented me with an invalid certificate, so it's working.

Edit: You could also use certutil to remove just the one certificate; you'll have to copy your cert8.db over to a computer that can run the certutil program, and then copy the database back over.

I am not sure if cert8.db from another machine contains all the necessary certificates for the N900.
I think this only helps for Fennec.

Anyway: I contacted a security email address at Nokia, let's see, if they answer.

NIN101 2011-08-30 15:18

Re: Security: Fraudulent *.google.com Certificate
 
Quote:

I am not sure if cert8.db from another machine contains all the necessary certificates for N900.
These are just certs for microb. I don't see any problem here.

Anyway, OCSP in microb:
security.OCSP.enabled=1
security.OCSP.require=false

Which means AFAIK: "Contact an OCSP server if the certificate has one listed. If not, then do not." "Also, if the connection to the OCSP server fails, do not think it is invalid/revoked."

But I would not rely on OCSP anyway. However, some people might want to change this.

Rob1n 2011-08-31 08:01

Re: Security: Fraudulent *.google.com Certificate
 
Quote:

Originally Posted by NIN101 (Post 1079042)
This is very important. And it seems there is no way to manage certificates on maemo, which is a shame.

For microb, just point your browser to chrome://pippki/content/certManager.xul (I've set up a bookmark for this) to get access to the certificate management interface.

vinc17 2011-08-31 11:50

Re: Security: Fraudulent *.google.com Certificate
 
Quote:

Originally Posted by Rob1n (Post 1079386)
For microb, just point your browser to chrome://pippki/content/certManager.xul (I've set up a bookmark for this) to get access to the certificate management interface.

After trying to remove the DigiNotar root CA certificate with this, https no longer works at all! I just get a blank window for any https URL I try. It seems that the browser still tries to connect...

Rob1n 2011-08-31 12:20

Re: Security: Fraudulent *.google.com Certificate
 
Quote:

Originally Posted by vinc17 (Post 1079488)
After trying to remove the DigiNotar root CA certificate with this, https no longer works at all! I just get a blank window for any https URL I try. It seems that the browser still tries to connect...

No idea how that's happened - it won't actually let you remove the certificate anyway (it appears to work, but re-opening the certificate manager shows it back again).

vinc17 2011-08-31 12:42

Re: Security: Fraudulent *.google.com Certificate
 
Quote:

Originally Posted by Rob1n (Post 1079505)
No idea how that's happened - it won't actually let you remove the certificate anyway (it appears to work, but re-opening the certificate manager shows it back again).

Yes, I noticed that. That's why I removed the certificate 8868bfe08e35c43b386b62f7283b8481c80cd74d.pem manually from /etc/certs/common-ca and the corresponding symlink (c0cafbd2.0).

Actually the browser (the backend) crashes (the coredump has been uploaded by the crash reporter). This explains why the UI remains in the same state.
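As an added example (not code from this thread or from Maemo), a POSIX sh helper that performs the manual removal vinc17 describes in a checked, reversible way: it deletes a PEM file from a hashed CA directory such as /etc/certs/common-ca together with the <hash>.N symlink(s) pointing at it (c0cafbd2.0 in vinc17's case), keeps a backup first, and counts dangling symlinks afterwards. The directory, file names and backup location in the usage line are assumptions; the file names in the comments are placeholders, not the real certificate.

```shell
#!/bin/sh
# Added helper, not from the thread: remove one CA certificate from an
# OpenSSL-style hashed CA directory (on the N900: /etc/certs/common-ca) together
# with every <hash>.N symlink pointing at it, keeping a backup of both.
# Usage: remove_ca_cert /etc/certs/common-ca <cert>.pem /home/user/ca-backup

remove_ca_cert() {
  dir=$1; cert=$2; backup=$3
  [ -f "$dir/$cert" ] || { echo "no such certificate: $dir/$cert" >&2; return 1; }
  mkdir -p "$backup" && cp -p "$dir/$cert" "$backup/" || return 1
  # Hash symlinks look like c0cafbd2.0; match only the ones that resolve to this file.
  for link in "$dir"/*.[0-9]*; do
    [ -L "$link" ] || continue
    target=$(readlink "$link")
    case "$target" in
      "$cert"|"./$cert"|"$dir/$cert")
        # Record link name and target so the link can be re-created if needed.
        echo "$(basename "$link") -> $target" >> "$backup/removed-links.txt"
        rm -f "$link" ;;
    esac
  done
  rm -f "$dir/$cert"
  echo "removed $cert; backup in $backup"
}

# Sanity check after removal: number of dangling symlinks left in DIR (expect 0).
dangling_links() {
  n=0
  for link in "$1"/*; do
    [ -L "$link" ] && [ ! -e "$link" ] && n=$((n + 1))
  done
  echo "$n"
}

# Show which certificate a hash symlink points to before deciding to remove it
# (needs openssl; prints the subject line, or nothing if openssl is absent).
show_link_subject() {
  [ -L "$1" ] || return 1
  command -v openssl >/dev/null 2>&1 || return 0
  openssl x509 -in "$1" -noout -subject
}
```

Run it against a copy of the directory first; on the phone itself the file is root-owned, so the commands need root.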

