Active Topics
-
Sailfish OS for the Motorola Moto G7 Power (XT1955-5) - (ocean) (4)
to SailfishOS by Maemish - 3 hrs, 33 mins ago -
The N900 is now 15 years old! (6)
to Nokia N900 by Macros - 1 day, 23 hrs ago -
F(x)tec Pro1x (QWERTY) for sale (0)
to Buy & Sell by aln00000 - 2 days, 12 hrs ago -
n770 youtube video (0)
to General by nmdv - 6 days, 11 hrs ago - more...
|
2011-09-01
, 11:38
|
|
Posts: 151 |
Thanked: 93 times |
Joined on Sep 2009
@ sofia, bulgaria
|
#22
|
Originally Posted by Rob1n
Strange, the xul method works ok for me. I remove the certificate, press save and I cannot find it anymore. Even with cmcli, nothing is displayed, searched both the string and parts of the id. Nothing.
No idea how that's happened - it won't actually let you remove the certificate anyway (it appears to work, but re-opening the certificate manager shows it back again).
When I try to access https://diginotar.com/, I receive "Secure Connection Failed" error message.
I did several restarts. All I did was to remove it with xul method described by Rob1n.
| The Following User Says Thank You to lidow For This Useful Post: | ||
|
|
2011-09-01
, 11:51
|
|
Posts: 3,617 |
Thanked: 2,412 times |
Joined on Nov 2009
@ Cambridge, UK
|
#23
|
Originally Posted by Pigro
That should be okay then, yes - you can check by going to https://www.diginotar.com/. If you get a security error then the certificate has been completely removed.
I removed the certificate from the Root CA store as you advised, which went fine. I then tried to remove from MicroB via the certificate mgmt interface - but there was no entry for DigiNotar present. I assume that is OK and I need take no further action?
 |
|
2011-09-02
, 13:51
|
|
Posts: 4,118 |
Thanked: 8,901 times |
Joined on Aug 2010
@ Ruhrgebiet, Germany
|
#24
|
Looks like every N900 reacts unique here 
I have used the mgmt interface, removed the DigiNotar cert and/but after a browser restart the DigiNotar cert was again present.
Then used the cmcli method and the DigiNotar still shows up in browser, but I get the security issue; so assuming everything is Okay.
Hey rob1n,
thanks for explanation.
those hacked CAs were 'cleaned' via an update of browsers (FF. IE, ...), right? Which we never got/will ever get.
Or what do You mean with 'revoked'?
I have used the mgmt interface, removed the DigiNotar cert and/but after a browser restart the DigiNotar cert was again present.
Then used the cmcli method and the DigiNotar still shows up in browser, but I get the security issue; so assuming everything is Okay.
Hey rob1n,
thanks for explanation.
Originally Posted by Rob1n
Just one more (maybe dumb) question
There was (at least) one other CA hacked recently and some faulty certificates issued, yes. This was spotted within days and all certificates were revoked though, whereas it took DigiNotar several months to spot the hack, and they failed to revoke many of the issued certificates.
those hacked CAs were 'cleaned' via an update of browsers (FF. IE, ...), right? Which we never got/will ever get.
Or what do You mean with 'revoked'?
|
|
2011-09-02
, 14:14
|
|
Posts: 661 |
Thanked: 690 times |
Joined on Jul 2007
|
#25
|
So for those of us who don't understand these things you are doing to remove the old certificates--are we just screwed?
|
|
2011-09-02
, 15:11
|
|
Posts: 3,617 |
Thanked: 2,412 times |
Joined on Nov 2009
@ Cambridge, UK
|
#26
|
Originally Posted by peterleinchen
There's a number of major Certificate Authorities (CAs) which issue certificates. Their CA certificates will be installed on the N900 (or with FF, IE, etc), and if you run into any not pre-loaded, they can be manually added. The browser developers will work on vetting any new ones and add them to the set sent out with new browser versions - this is where we're likely to miss out with the N900 as Nokia are very unlikely to be sending out any new lists. There's not many new ones added though, so it just means the user has to decide whether or not to trust them before adding the certificate.
Just one more (maybe dumb) question
those hacked CAs were 'cleaned' via an update of browsers (FF. IE, ...), right? Which we never got/will ever get.
Or what do You mean with 'revoked'?
The CA certificates are then used by the CAs to sign certificates for web sites, user authentication, applications, etc. When you visit a web site, it sends you the signed certificate and the browser will verify that the signature matches one of the loaded CAs (if not you get the security error).
A CA can later decide to revoke a site's certificate, in which case it gets added to a list of revoked certificates. The browser is supposed to then verify that any certificates it receives don't appear on this list, but this behaviour is sadly not very robust (some just don't check and many will, if they fail to get a response, just assume it's okay).
So previously hacked CAs have just revoked all the certificates. Removal of the CA from the trusted list is a major step, and means that no sites using their certificates will show as trusted any more. For the really major CAs (Comodo, Verisign, Thawte, etc), this is just not a reasonable option. Fortunately DigiNotar is a very small scale outfit, and blocking them will affect very few sites.
| The Following User Says Thank You to Rob1n For This Useful Post: | ||
|
|
2011-09-02
, 15:20
|
|
Posts: 3,617 |
Thanked: 2,412 times |
Joined on Nov 2009
@ Cambridge, UK
|
#27
|
Originally Posted by lancewex
You're not screwed, no - you're pretty unlikely (outside Iran) to run into one of these fraudulent certificates. It's probably worth making the effort to follow the instructions though - they're not overly complex, even for casual users.
So for those of us who don't understand these things you are doing to remove the old certificates--are we just screwed?
- Install rootsh from App Manager (if not installed)
- Launch X Terminal
- Type "root" and press Enter
- Type "cmcli -c common-ca -r 8868bfe08e35c43b386b62f7283b8481c80cd74d" and press Enter
- Close X Terminal and launch the Web browser
- Type in "chrome://pippki/content/certManager.xul" as the URL
- Tap on "Authorities" to view the CA tab
- Scroll down to DigiNotar (they're in alphabetical order)
- Select the DigiNotar certificate (if there's more than one, repeat this and the next two steps for each)
- Click on the "Delete..." button
- Confirm to delete the certificate
- Once you're finished deleting all DigiNotar certificates, click on the "OK" button
- Browse to "https://www.diginotar.com" and check that you get a security error
Last edited by Rob1n; 2011-09-05 at 08:15. Reason: Removed erroneous http:// prefix from URL
|
|
2011-09-02
, 15:45
|
|
Posts: 433 |
Thanked: 274 times |
Joined on Jan 2010
|
#28
|
Originally Posted by Rob1n
the URL in bold above shouldn't have the "http://" prefix, I think?
You're not screwed, no - you're pretty unlikely (outside Iran) to run into one of these fraudulent certificates. It's probably worth making the effort to follow the instructions though - they're not overly complex, even for casual users.
- Install rootsh from App Manager (if not installed)
- Launch X Terminal
- Type "root" and press Enter
- Type "cmcli -c common-ca -r 8868bfe08e35c43b386b62f7283b8481c80cd74d" and press Enter
- Close X Terminal and launch the Web browser
- Type in "http://chrome://pippki/content/certManager.xul" as the URL
- Tap on "Authorities" to view the CA tab
- Scroll down to DigiNotar (they're in alphabetical order)
- Select the DigiNotar certificate (if there's more than one, repeat this and the next two steps for each)
- Click on the "Delete..." button
- Confirm to delete the certificate
- Once you're finished deleting all DigiNotar certificates, click on the "OK" button
- Browse to "https://www.diginotar.com" and check that you get a security error
__________________
n900: "with power comes responsibility".
If you buy a niche, highly modifiable smartphone and proceed to mess it up by blindly screwing around, don't just blame the phone, also blame yourelf.
n900: "with power comes responsibility".
If you buy a niche, highly modifiable smartphone and proceed to mess it up by blindly screwing around, don't just blame the phone, also blame yourelf.
|
|
2011-09-02
, 22:07
|
|
Posts: 4,118 |
Thanked: 8,901 times |
Joined on Aug 2010
@ Ruhrgebiet, Germany
|
#29
|
Originally Posted by Pigro
Yes, just chrome:// without http://
the URL in bold above shouldn't have the "http://" prefix, I think?
Originally Posted by Rob1n
Thanks for detailing. This is as I understood certs.
A CA can later decide to revoke a site's certificate, in which case it gets added to a list of revoked certificates. The browser is supposed to then verify that any certificates it receives don't appear on this list, but this behaviour is sadly not very robust (some just don't check and many will, if they fail to get a response, just assume it's okay).
So previously hacked CAs have just revoked all the certificates. Removal of the CA from the trusted list is a major step, and means that no sites using their certificates will show as trusted any more. For the really major CAs (Comodo, Verisign, Thawte, etc), this is just not a reasonable option. Fortunately DigiNotar is a very small scale outfit, and blocking them will affect very few sites.
But, that also means, we should find out those CAs -hacked a few months ago- and remove them from our cert management on N900 to be (fully) on the safe side, right?
| The Following User Says Thank You to peterleinchen For This Useful Post: | ||
|
|
2011-09-05
, 08:20
|
|
Posts: 3,617 |
Thanked: 2,412 times |
Joined on Nov 2009
@ Cambridge, UK
|
#30
|
Originally Posted by peterleinchen
The previous one was Comodo (via an affiliate site - see http://www.f-secure.com/weblog/archives/00002128.html)- removing that will block access to a significant proportion of secure sites though.
TBut, that also means, we should find out those CAs -hacked a few months ago- and remove them from our cert management on N900 to be (fully) on the safe side, right?
| The Following User Says Thank You to Rob1n For This Useful Post: | ||
n900: "with power comes responsibility".
If you buy a niche, highly modifiable smartphone and proceed to mess it up by blindly screwing around, don't just blame the phone, also blame yourelf.