Hacker News new | ask | show | jobs
by MarkG509 4096 days ago
Thanks for the reminder to recheck my certs. I manually wiped CNNIC (among others) when the news first broke, and with today's Firefox update, I'll check again.
1 comments
Laforet 4096 days ago
You can't just "wipe" a Root CA on Windows - you have to explicitly untrust it.
link
yuhong 4096 days ago
Open certmgr.msc and put the certificate into the "Untrusted Certificates" store.
link
zaroth 4096 days ago
I don't remember deleting it, but also can't find one that seems to be from CNNIC.

Does anyone keep a list of ones they personally like to mark as Untrusted, which doesn't break [too many] sites?

link
svenfaw 4096 days ago
Look for "China Internet Network Information Center EV Certificates Root" and "China Internet Network Information Center (CNNIC)" (thumbprints 4F99AA93FB2BD13726A1994ACE7FF005F2935D1E and ‎8baf4c9b1df02a92f7da128eb91bacf498604b6f)
link
mike_hearn 4096 days ago
Windows downloads root certs just in time.
link
zaroth 4095 days ago
Yes, of course! So now I need to figure out how I can add a thumbprint to a Untrusted Cert store...
link
unluckier 4095 days ago
And why exactly do they do this?
link