Just installed Ubuntu 18.04 LTS, and noticed in Mozilla Firefox 70.0.1 (64-bit), two strange certificates that rang a bell for some reason. Not wanting to trust anywhere on the web for information in case I am being MiTM attacked, can anyone confirm if these two certificates are supposed to be present on a clean install?
- DigiNotar Root CA
- DigiNotar PKIoverheid CA Organisatie - G2
Pic attached:
Yes, these certificates are supposed to be there, exactly because DigiNotar isn't trustworthy. Let me explain.
The story is a bit convoluted: DigiNotar was a Dutch certification authority. In 2011, people ran across fraudulent certificates that had been issued by DigiNotar. Further examination showed that the company's systems had been cracked and compromised. It's assumed that the attacker's intention was to run a MitM attack on some Gmail users in Iran with the fraudulent certificates.
After the breach was detected, the Dutch government took over DigiNotar's operations. A short time later, the company went under. DigiNotar's root certificates were revoked and blocked by Mozilla, Google and so forth.
So, why is Firefox still shipped with DigiNotar certificates? Those are what you might call "blocking certificates". They don't have any trust themselves, so they can't hand down any trust to any other certificates down the chain of trust. Because of that, Firefox won't trust any certificates that say, "Trust me, because DigiNotar signed me". And because the "blocking certificates" are there, no new root certificates for DigiNotar (which would be obviously fraudulent) can be installed, either.
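To make the "blocking certificate" idea concrete, here is an added example (not from the answer above and not Mozilla's or NSS's own code) that parses a constructed excerpt in the layout of NSS's certdata.txt, the file Firefox's built-in root store is generated from: a trust object whose usages are marked CKT_NSS_NOT_TRUSTED ships precisely so that the certificate is distrusted. The two entries and the placeholder octal hash are constructed sample data, not the real store.

```python
# Constructed excerpt in the layout of NSS certdata.txt (octal blob is a placeholder).
SAMPLE_CERTDATA = """
# Trust for "Example Trusted Root" (constructed)
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\\001\\002\\003
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
# Trust for "DigiNotar Root CA" (constructed, shaped like a distrust entry)
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "DigiNotar Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
"""

USAGES = {"CKA_TRUST_SERVER_AUTH": "server", "CKA_TRUST_EMAIL_PROTECTION": "email",
          "CKA_TRUST_CODE_SIGNING": "code"}
MEANING = {"CKT_NSS_TRUSTED_DELEGATOR": "trusted",   # may anchor a chain
           "CKT_NSS_MUST_VERIFY_TRUST": "neutral",   # carries no trust of its own
           "CKT_NSS_NOT_TRUSTED": "distrusted"}      # explicitly blocked

def parse_trust_objects(text):
    """Return {label: {usage: meaning}} for every CKO_NSS_TRUST object in certdata text."""
    objects, current, in_octal = {}, None, False
    for line in text.splitlines():
        if in_octal:                          # skip a binary blob up to its END marker
            in_octal = line.strip() != "END"
            continue
        if not line.strip() or line.startswith("#"):
            continue
        attr, kind, value = (line.split(None, 2) + ["", ""])[:3]
        if kind == "MULTILINE_OCTAL":
            in_octal = True
        elif attr == "CKA_CLASS":             # a new object begins; keep trust objects only
            current = {} if value == "CKO_NSS_TRUST" else None
        elif current is not None and attr == "CKA_LABEL":
            objects[value.strip('"')] = current
        elif current is not None and attr in USAGES:
            current[USAGES[attr]] = MEANING.get(value, value)
    return objects

def distrusted_labels(text):
    """Labels explicitly distrusted for at least one usage (the 'blocking' entries)."""
    return sorted(l for l, t in parse_trust_objects(text).items() if "distrusted" in t.values())
```

Run `distrusted_labels(SAMPLE_CERTDATA)` to list the blocking entries; on a real certdata.txt the same function reports every root the store ships only to distrust it.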