[conspire] Comodo-signed bogosity (was: DigiNotar Damage Disclosure)

Adrien Lamothe alamozzz at yahoo.com
Fri Sep 9 12:05:07 PDT 2011

Yes, looking at the screen shot I took, CertWatch was informing me that a new root certificate was found. So I did have a good reason to be alarmed at the contradictory data in the certs. Firefox must have marked the certs as un-verifiable. I apologize for the mis-communication; I've been moving very fast lately so the series of pop-ups were essentially a delay to me getting back into my browser.

The Debian patches for actively distrusting the DigiNotar certs just hit Ubuntu.

From: Rick Moen <rick at linuxmafia.com>
To: conspire at linuxmafia.com
Sent: Friday, September 9, 2011 11:39 AM
Subject: Re: [conspire] Comodo-signed bogosity (was: DigiNotar Damage Disclosure)

Quoting Adrien Lamothe (alamozzz at yahoo.com):

> Right. So, the problem on my end was:
>     1. I update Firefox.
>     2. Upon restarting Firefox, CertWatch informs me it wants to update certificates.

Huh.  This seems unfamiliar to me, from my brief usage of the CertWatch /
Certificate Watch extension for Firefox.  (There's an entirely different
CertWatch you'll find in Web searching, a cronjob that periodically
checks installed SSL certs inside your Web server to spot any that are
nearing expiration.)

As the docs and third-party articles (such as
http://simos.info/blog/archives/1179) say, the first time I started
Firefox (Iceweasel) after installing the CertWatch extension, there was
a delay of some seconds while it parsed the 150-odd root certs and wrote
information about them into SQLite, but I can't remember ever seeing 
CertWatch tell me it 'wants to update certificates'.  (Actually, I'm not 
even sure what that phrase means in this context.  What would CertWatch
have to do with 'updating certificates'?  CertWatch doesn't fetch or
update certificates; it merely lets you know whenever a root cert,
intermediate signature, or site SSL certificate first comes to its
attention _or changes_.)

>     3. CertWatch then proceeds to pop up a procession of
> windows, each with cert data, each with "OK" and "Cancel" buttons.

This _sounds_ like the displays it pops up when a root cert /
intermediate signature / site SSL certificate first comes to CertWatch's
attention (or changes).

>     4. I see contradictory information in the cert data. But I
> trust that CertWatch knows what it is doing (which it did.) However,
> CertWatch doesn't tell me it is de-verifying those certs, merely that
> it is updating them.

Again, I don't get it:  CertWatch doesn't 'de-verify' or 'update'
anything (except it does quietly update its own records in SQLite).  It
merely informs you about cert changes / new-to-it SSL stuff.

However, when you say 'updating', you may be referring to CertWatch
popping up a dialogue saying (paraphrased) 'You've just loaded a page
attested by this SSL thingie that I've never seen before (or has

> Perhaps CertWatch should add a notation during update notification, as
> to the nature of the update.

I'm really sorry, but I have no idea what 'update' you are talking

conspire mailing list
conspire at linuxmafia.com
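
Added example, not part of the original messages and not CertWatch's own code: a sketch of the behaviour Rick Moen describes above, where each root cert, intermediate, or site certificate is recorded in SQLite and only a first sighting or a change is reported. The table schema, function names, and sample byte strings are assumptions made for illustration.

```python
import hashlib
import sqlite3

def open_store(path=":memory:"):
    """Create the observation table (hypothetical schema, not CertWatch's)."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS seen ("
        " kind TEXT NOT NULL,"           # 'root', 'intermediate' or 'site'
        " name TEXT NOT NULL,"           # subject or host the cert was seen for
        " sha256 TEXT NOT NULL,"         # fingerprint of the DER encoding
        " times_seen INTEGER NOT NULL,"
        " PRIMARY KEY (kind, name))"
    )
    return db

def observe(db, kind, name, der_bytes):
    """Record one sighting; return 'new', 'changed' or 'unchanged'.

    Only 'new' and 'changed' would warrant a notification dialog.
    Nothing here fetches, trusts or distrusts a certificate.
    """
    fp = hashlib.sha256(der_bytes).hexdigest()
    row = db.execute(
        "SELECT sha256 FROM seen WHERE kind = ? AND name = ?", (kind, name)
    ).fetchone()
    if row is None:
        db.execute("INSERT INTO seen VALUES (?, ?, ?, 1)", (kind, name, fp))
        status = "new"
    elif row[0] != fp:
        db.execute(
            "UPDATE seen SET sha256 = ?, times_seen = 1 WHERE kind = ? AND name = ?",
            (fp, kind, name),
        )
        status = "changed"
    else:
        db.execute(
            "UPDATE seen SET times_seen = times_seen + 1 WHERE kind = ? AND name = ?",
            (kind, name),
        )
        status = "unchanged"
    db.commit()
    return status

# Constructed sample data: placeholder byte strings standing in for DER certificates.
SAMPLE_ROOT = b"constructed-root-cert-v1"
SAMPLE_SITE_V1 = b"constructed-site-cert-v1"
SAMPLE_SITE_V2 = b"constructed-site-cert-v2"
```

A 'changed' result means only that the stored fingerprint differs from the one just seen; whether the new certificate is legitimate still has to be judged by the person reading the notification.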