by jasonjei 3540 days ago
Just curious about the root certificate distrust--are users capable of re-adding trust to distrusted certificates? Or is this hard coded into the browser? I'm assuming Mozilla stores certificates outside OS stores like Keychain and Windows?

In general, locally added roots are trusted above all else -- and will even override cert pinning on most systems. Thus, if a user were to manually re-add the WoSign or StartCom roots to the local Mozilla trust store, they would continue to be trusted.
Sounds about right, but one thing to keep in mind is that "Removal of root" is only one possible route Mozilla can go for. They could also revoke (root or intermediate) certificate(s) through OneCRL, and while I haven't tried this, my guess would be that OneCRL trumps locally-added roots.

That being said, the current plan is not to remove any of the roots (at least until all active certificates chaining up to those roots have expired), but rather not to trust certificates chaining to those roots with a notBefore date > October 21, 2016.
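Added example (not from this thread, and not Mozilla or NSS code): a small Python model of the three trust decisions the comments above discuss, so the interactions can be tried on constructed chains. A root can be trusted because it ships with the browser or because the user added it locally; a OneCRL-style entry revokes a specific (issuer, serial); and a distrusted root gets a notBefore cut-off. Two points are modelled as assumptions, exactly as the comments leave them: a locally re-added root bypasses the cut-off, and a OneCRL entry wins even over a locally added root (the commenter's own guess). All names, serials and dates are constructed; nothing here talks to a real trust store.

```python
"""Toy model of browser trust decisions: built-in vs locally added roots,
a OneCRL-style revocation set, and a notBefore cut-off for distrusted roots.
Constructed example; it does not read Firefox, NSS or OS trust stores."""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: date


@dataclass
class TrustStore:
    builtin_roots: set = field(default_factory=set)        # shipped with the browser
    local_roots: set = field(default_factory=set)          # added by the user
    onecrl: set = field(default_factory=set)               # {(issuer, serial)} revoked centrally
    distrust_cutoff: dict = field(default_factory=dict)    # {root subject: last accepted notBefore}


def evaluate(chain, store):
    """Return (trusted, reason). `chain` is leaf first, ending with the cert
    issued by the root; the root itself is looked up by name in the store."""
    if not chain:
        return False, "empty chain"
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"broken chain at {child.subject!r}"
    root = chain[-1].issuer
    if root not in store.builtin_roots and root not in store.local_roots:
        return False, f"root {root!r} not in trust store"
    # Assumption (the commenter's guess): a OneCRL entry applies no matter
    # how the root came to be trusted, locally added or not.
    for cert in chain:
        if (cert.issuer, cert.serial) in store.onecrl:
            return False, f"{cert.subject!r} revoked via OneCRL"
    # Assumption (from the first comment): a root the user re-added locally is
    # trusted outright, so the notBefore cut-off only applies to the built-in copy.
    cutoff = store.distrust_cutoff.get(root)
    if cutoff is not None and root not in store.local_roots \
            and chain[0].not_before > cutoff:
        return False, f"leaf notBefore {chain[0].not_before} is after cut-off {cutoff}"
    return True, "trusted"


# Constructed names standing in for a distrusted root and its intermediate.
ROOT = "CN=Example Root (constructed)"
INTER = "CN=Example Intermediate (constructed)"
INTER_SERIAL = 1001


def make_store(local_readd=False, revoke_intermediate=False):
    """Built-in copy of ROOT with the cut-off from the thread; optionally the
    same root re-added locally and/or its intermediate listed in OneCRL."""
    store = TrustStore(builtin_roots={ROOT},
                       distrust_cutoff={ROOT: date(2016, 10, 21)})
    if local_readd:
        store.local_roots.add(ROOT)
    if revoke_intermediate:
        store.onecrl.add((ROOT, INTER_SERIAL))
    return store


def make_chain(leaf_not_before):
    leaf = Cert("CN=www.example.test", INTER, 42, leaf_not_before)
    inter = Cert(INTER, ROOT, INTER_SERIAL, date(2015, 1, 1))
    return [leaf, inter]


def demo():
    """Run the scenarios from the thread and return {name: trusted}."""
    old, new = date(2016, 9, 1), date(2016, 11, 1)
    cases = {
        "issued before cut-off": (make_chain(old), make_store()),
        "issued after cut-off": (make_chain(new), make_store()),
        "after cut-off, root re-added locally": (make_chain(new), make_store(local_readd=True)),
        "root re-added, intermediate in OneCRL": (make_chain(new), make_store(True, True)),
    }
    return {name: evaluate(chain, store)[0] for name, (chain, store) in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:45} {'trusted' if ok else 'NOT trusted'}")
```

The interesting row is the last one: re-adding the root locally rescues a certificate issued after the cut-off, but under the modelled assumption a OneCRL entry for the intermediate still blocks it, which is why the two mechanisms are worth keeping apart when reasoning about "can a user undo this".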

Yes but why would you? If you have control of all your clients to push such a change, why not just set up a private CA instead of opening yourself up to the whims of a proven cheating CA?
Less difficult. Setting up a private CA means you have to be the CA, and vet and/or create a cert for every WoSign/StartCom site that people visit. One could trust them just enough depending on how heavily they depend on affected sites. I personally would rather whitelist sites as-needed, but can see why some admins would go the easier route.
Existing certs will continue to work until they expire. So "re-adding trust" to WoSign doesn't make sense. No sane site operator would renew their cert with WoSign since they will lose all Firefox and Apple clients.
I wasn't saying it was a sane way to do it, just the easiest. I could also see it turning into a nationalism issue -- "The West is unfairly attacking native CAs." -- as impetus to try to convince people to manually trust and/or renew certs with them.