https://www.schneier.com/blog/archives/2022/11/an-untrustworthy-tls-certificate-in-browsers.html
@Kyle_Rankin, should we delete Trustcor certificates from our browsers?
1 Like
Generally I tend to wait for browsers to officially make a move, however depending on your threat model I guess you could take preemptive action. The thing is, this isn’t the first time a CA has been found to be compromised and a number of years ago when it happened among the first times, many major companies responded first by implementing HPKP which was ultimately rejected (because of complexity and also the risk of an attacker being able to take your site offline indefinitely) in favor of Certificate Transparency so you can detect attempts at tampering.
Moxie Marlinspike (of Signal fame) also proposed a different way to combat this with something he named Convergence. The idea there was that it was difficult to MiTM the whole world, so one could confer with trusted third parties when they receive a cert, to gauge whether it was trustworthy.
2 Likes
Thanks, Kyle. I think Mozilla is currently requesting an explanation from the suspect party, according to the links in that article.
I see that it’s easy to delete certificates from the Settings in Firefox and Thunderbird, but unclear if that’s the case with Epiphany…? (And I haven’t set up an account in Geary on the L5, so I don’t know about that one.)
Do you mean distrusting the authority when you say deleting the certificates?
Mozilla uses the inclusive phrase “delete or distrust.”
(And doesn’t offer a way to specifically do only one or the other.)
If memory serves, I believe if you delete all the certs under an authority, it then distrusts that authority, but I can’t recall off the top of my head.
Update: Mozilla and Microsoft distrust TrustCor root certificates:
https://www.ghacks.net/2022/12/02/mozilla-and-microsoft-distrust-trustcor-root-certificates-in-their-browsers/