| 1 |
On June 1, 2021 4:45:45 AM UTC, "J. Roeleveld" <joost@××××××××.org> wrote: |
| 2 |
>On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote: |
| 3 |
>> On Sat, May 29, 2021 at 03:08:39AM +0200, zcampe@×××××.com wrote |
| 4 |
>> |
| 5 |
>> > 125 config files in /etc/ssl/certs needs update. |
| 6 |
>> > |
| 7 |
>> > For certificates I would expect the old and invalid ones to be |
| 8 |
>replaced |
| 9 |
>> > by newer ones without user intervention. |
| 10 |
>> |
| 11 |
>> Looking through them is "interesting". There seem to be a lot of |
| 12 |
>> /etc/ssl/certs/????????.0 files, where "?" is either a random number |
| 13 |
>or |
| 14 |
>> a lower case letter. These all seem to be symlinks to |
| 15 |
>> /etc/ssl/certs/<Some_Name>.pem. Each of those files is in turn a |
| 16 |
>> symlink to /usr/share/ca-certificates/mozilla/<Some_Name>.crt. How |
| 17 |
>much |
| 18 |
>> do we trust China? There are a couple of certificates in there named |
| 19 |
>> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt and |
| 20 |
>> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt. Any |
| 21 |
>> other suspicious regimes in there? |
| 22 |
> |
| 23 |
>I've always wondered about the amount of CAs that are auto-trusted on |
| 24 |
>any |
| 25 |
>system. Including several from countries with serious human rights |
| 26 |
>issues. |
| 27 |
> |
| 28 |
>I could do with a tool where I can easily select which CAs to trust |
| 29 |
>based on |
| 30 |
>country. |
| 31 |
> |
| 32 |
>-- |
| 33 |
>Joost |
| 34 |
|
| 35 |
Is there actually any tool that can let me pick my certificates? |
| 36 |
If i go and start deleting randomly certificates from regimes i dont like will there be any "breaking change"? |
| 37 |
I suppose firefox uses its own certificate store though. |
| 38 |
|
| 39 |
Marinus |
Archives