On Monday, July 07, 2014 15:38:31 Gary Mort wrote:
> On 07/06/2014 01:38 PM, Chris Knadle wrote:
> > On Saturday, July 05, 2014 23:11:08 Gary Mort wrote:
[...]
> Mozilla Firefox uses
> 1) Files stored in /etc/ssl/certs directory plus some hardcoded ones
> 2) $HOME/.mozilla/firefox/{profilename}/certX.db [x is an integer from 1
> to 9]
> 3) $HOME/.mozilla/firefox/{profilename}/keyX.db [x is an integer from 1
> to 9]
> 4) Does not use SSH keys
>
> Google Chrome uses:
> 1) Gnome keyring plus some hardcoded ones
> 2) Gnome keyring
> 3) Gnome keyring
> 4) Does not use SSH keys
>
> The "plus some hardcoded ones" is especially annoying - basically all
> those EV root CA certificates are hardcoded directly into the browser
> and you can't delete them.

Yeah, I don't like that either. I would imagine that you could get the source
code package for Firefox or /Chromium/ and modify that to remove hardcoded
keys, but with Google Chrome you'd be out of luck there.

> At the end of the day, I'd rather just have an empty 'official' keychain
> and just automatically add roots to my personal keychain as I need to.
> It's more secure than trusting the root certificates.

I'm wondering if that's what the Tails distribution may have done with their
browser packages.

https://tails.boum.org/

Since that's a Debian-based distribution, it might be interesting to see if
they've done this by getting their browser source package and comparing it
with Debian's via 'debdiff' to find the package differences.

-- Chris
--
Chris Knadle
[email protected]
_______________________________________________
Mid-Hudson Valley Linux Users Group http://mhvlug.org