Just installed Ubuntu 18.04 LTS, and noticed in Mozilla Firefox 70.0.1 (64-bit), two strange certificates that rang a bell for some reason. Not wanting to trust anywhere on the web for information in case I am being MiTM attacked, can anyone confirm if these two certificates are supposed to be present on a clean install?
Pic attached:
This article expose how around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper states:
To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.
[...]
Contrary to widespread belief, public key pinning [19]— an HTTPS feature that allows websites to restrict connections to a specific key— does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].
Is pretty common on companies, desktop antivirus and malware/adware to add a root CA. Sometimes even with honest reasons. But to make the situation more clear: SSL web browsing is exactly as strong as the weakest CA (this includes DNS, if DNS-over-HTTPS).
I want to check if my HTTPS traffic is intercepted at least in three aspects (better if just with CLI):
So the real questions are:
checkmyhttps seems old and not trustworthy
Chrome: chrome://settings/certificates.
This is a subset of what return some of these commands?
# System wide (I)
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
# System wide (II) (`p11-kit` package)
trust list
certutil -L -d ~/.mozilla/firefox/*.default*/
I already sudo update-ca-certificates -v -f. This just updates without removing any sneaky already installed certificate?
The ca-certificates package was just updated, and it caused the following changes on my Xubuntu 13.10 system:
Running hooks in /etc/ca-certificates/update.d....
Adding debian:CA_Disig_Root_R1.pem
Adding debian:CA_Disig_Root_R2.pem
Adding debian:China_Internet_Network_Information_Center_EV_Certificates_Root.pem
Adding debian:D-TRUST_Root_Class_3_CA_2_2009.pem
Adding debian:D-TRUST_Root_Class_3_CA_2_EV_2009.pem
Adding debian:PSCProcert.pem
Adding debian:StartCom_Certification_Authority_2.pem
Adding debian:Swisscom_Root_CA_2.pem
Adding debian:Swisscom_Root_EV_CA_2.pem
Adding debian:TURKTRUST_Certificate_Services_Provider_Root_2007.pem
Adding debian:Verisign_Class_3_Public_Primary_Certification_Authority_2.pem
Removing debian:cacert.org_class3.pem
Removing debian:cacert.org_root.pem
Removing debian:Equifax_Secure_eBusiness_CA_2.pem
Removing debian:TC_TrustCenter_Universal_CA_III.pem
I've decided I don't trust some of these CAs, and I would like to remove their certificates. How do I do that?
I obtained a client certificate from CAcert through Firefox. I want to use that certificate to sign a document created with LibreOffice Writer.
In Writer, I click File > Digital Signatures... to get the Digital Signatures dialog which is supposed to show the list of certificates available. The list is empty.
How can I make the certificate, which I obtained via Firefox, available to Writer?
Can anyone point me to a good tutorial on installing a root certificate on Ubuntu?
I've been provided with a .crt file. I gather that need to create a directory at /usr/share/ca-certificates/newdomain.org and place the .crt in that directory. Beyond that I'm not sure how to proceed.