[conspire] Comodo-signed bogosity (was: DigiNotar Damage Disclosure)

Rick Moen rick at linuxmafia.com
Fri Sep 9 11:39:12 PDT 2011


Quoting Adrien Lamothe (alamozzz at yahoo.com):

> Right. So, the problem on my end was:
> 
>     1. I update Firefox.
>     2. Upon restarting Firefox, CertWatch informs me it wants to update certificates.

Huh.  This seems unfamiliar to me, from my brief usage of the CertWatch /
Certificate Watch extension for Firefox.  (There's an entirely different
CertWatch you'll find in Web searching, a cronjob that periodically
checks installed SSL certs inside your Web server to spot any that are
nearing expiration.)

As the docs and third-party articles (such as
http://simos.info/blog/archives/1179) say, the first time I started
Firefox (Iceweasel) after installing the CertWatch extension, there was
a delay of some seconds while it parsed the 150-odd root certs and wrote
information about them into SQLite, but I can't remember ever seeing
CertWatch tell me it 'wants to update certificates'.  (Actually, I'm not
even sure what that phrase means in this context.  What would CertWatch
have to do with 'updating certificates'?  CertWatch doesn't fetch or
update certificates; it merely lets you know whenever a root cert,
intermediate signature, or site SSL certificate first comes to its
attention _or changes_.)

>     3. CertWatch then proceeds to pop up a procession of
> windows, each with cert data, each with "OK" and "Cancel" buttons.

This _sounds_ like the displays it pops up when a root cert /
intermediate signature / site SSL certificate first comes to CertWatch's
attention (or changes).


>     4. I see contradictory information in the cert data. But I
> trust that CertWatch knows what it is doing (which it did.) However,
> CertWatch doesn't tell me it is de-verifying those certs, merely that
> it is updating them.

Again, I don't get it:  CertWatch doesn't 'de-verify' or 'update'
anything (except it does quietly update its own records in SQLite).  It
merely informs you about cert changes / new-to-it SSL stuff.

However, when you say 'updating', you may be referring to CertWatch
popping up a dialogue saying (paraphrased) 'You've just loaded a page
attested by this SSL thingie that I've never seen before (or has
changed).'

> Perhaps CertWatch should add a notation during update notification, as
> to the nature of the update.

I'm really sorry, but I have no idea what 'update' you are talking
about.
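Added illustration, not code from this thread or from the CertWatch extension: a small Python sketch of the record-and-compare behaviour Rick describes above (parse the certs once, write a fingerprint of each into SQLite, then say something only when a root, intermediate or site certificate is new to the store or its fingerprint differs from what was stored). The SQLite schema, the subject names and the byte strings standing in for DER-encoded certificates are constructed for the demo and do not reproduce CertWatch's actual schema or dialogs.

```python
"""Record-and-compare certificate watcher (constructed example, not CertWatch)."""
import hashlib
import sqlite3
import time

# Constructed schema: one row per (kind, subject) plus an append-only change log.
SCHEMA = """
CREATE TABLE IF NOT EXISTS certs (
    kind        TEXT NOT NULL,   -- 'root', 'intermediate' or 'site'
    subject     TEXT NOT NULL,
    fingerprint TEXT NOT NULL,   -- SHA-256 over the DER bytes, hex
    first_seen  REAL NOT NULL,
    last_seen   REAL NOT NULL,
    PRIMARY KEY (kind, subject)
);
CREATE TABLE IF NOT EXISTS changes (
    kind TEXT NOT NULL, subject TEXT NOT NULL,
    old_fingerprint TEXT, new_fingerprint TEXT NOT NULL, seen REAL NOT NULL
);
"""


def open_store(path=":memory:"):
    """Open (or create) the SQLite store; ':memory:' keeps the demo self-contained."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def fingerprint(der):
    """SHA-256 of the certificate's DER encoding (hex) is the comparison key."""
    return hashlib.sha256(der).hexdigest()


def observe(conn, kind, subject, der, now=None):
    """Record one sighting and classify it as 'new', 'unchanged' or 'changed'.

    Returns (status, old_fp, new_fp). Only 'new' and 'changed' are worth a
    dialog; 'unchanged' silently bumps last_seen, which is why a watcher
    of this kind is quiet on every visit after the first.
    """
    now = time.time() if now is None else now
    fp = fingerprint(der)
    row = conn.execute(
        "SELECT fingerprint FROM certs WHERE kind = ? AND subject = ?",
        (kind, subject)).fetchone()
    if row is None:
        conn.execute("INSERT INTO certs VALUES (?, ?, ?, ?, ?)",
                     (kind, subject, fp, now, now))
        conn.execute("INSERT INTO changes VALUES (?, ?, ?, ?, ?)",
                     (kind, subject, None, fp, now))
        conn.commit()
        return ("new", None, fp)
    old_fp = row[0]
    if old_fp == fp:
        conn.execute("UPDATE certs SET last_seen = ? WHERE kind = ? AND subject = ?",
                     (now, kind, subject))
        conn.commit()
        return ("unchanged", old_fp, fp)
    # Same kind/subject but a different certificate: record the old and new keys.
    conn.execute("UPDATE certs SET fingerprint = ?, last_seen = ? "
                 "WHERE kind = ? AND subject = ?", (fp, now, kind, subject))
    conn.execute("INSERT INTO changes VALUES (?, ?, ?, ?, ?)",
                 (kind, subject, old_fp, fp, now))
    conn.commit()
    return ("changed", old_fp, fp)


def import_roots(conn, roots, now=None):
    """One-time pass over a root bundle (subject -> DER bytes); returns how many were new."""
    return sum(1 for subject, der in roots.items()
               if observe(conn, "root", subject, der, now)[0] == "new")


def notification(event, kind, subject):
    """Text the watcher would show; 'unchanged' produces none."""
    status, old_fp, new_fp = event
    if status == "new":
        return f"{kind} certificate for {subject} seen for the first time ({new_fp[:16]}...)"
    if status == "changed":
        return (f"{kind} certificate for {subject} CHANGED: "
                f"{old_fp[:16]}... -> {new_fp[:16]}...")
    return None


def demo():
    """Constructed scenario: import a root bundle, then visit a site whose cert is reissued."""
    conn = open_store()
    roots = {"Constructed Root CA 1": b"constructed-der-root-1",
             "Constructed Root CA 2": b"constructed-der-root-2"}
    new_roots = import_roots(conn, roots, now=1.0)
    seen = []
    # First visit: new. Second visit, same cert: silent. Third, cert replaced: change notice.
    for der, t in ((b"constructed-der-site-v1", 2.0),
                   (b"constructed-der-site-v1", 3.0),
                   (b"constructed-der-site-v2", 4.0)):
        ev = observe(conn, "site", "www.example.test", der, now=t)
        seen.append((ev[0], notification(ev, "site", "www.example.test")))
    history = conn.execute("SELECT COUNT(*) FROM changes").fetchone()[0]
    return new_roots, seen, history


if __name__ == "__main__":
    print(demo())
```

The point of the sketch is the distinction the thread is circling: nothing here fetches, verifies or "updates" a certificate. The only state that changes is the watcher's own table, and the only user-visible events are a certificate seen for the first time and a certificate whose fingerprint differs from the stored one; the change log keeps both fingerprints so a surprising dialog can be checked afterwards rather than just clicked through.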