Hi all,

On 23/2/2010 12:58 PM, Cheng Renquan wrote:
> [...]
> you can do investigation and find out that most Internet users well
> equipped with Internet knowledge don't like it, also don't trust CNNIC
> in root CA certificates, even if you live outside China, CNNIC in root
> certificate would still be a security threat that keeps your Firefox
> vulnerable to those malicious websites signed by CNNIC,
>

I personally used to remove a list of certificate authorities on my computers and in Firefox/other browsers. The only problem is that they get reinstalled every time you update the software.

For example, I used to remove all Verisign root/intermediate certificates after their "we issued a Microsoft cert to a non-authorized person" massive mistake in 2001. CAs get paid tons of money JUST to verify that certificate requests belong to entities that apply for them, so if they screw up they basically lose the trust we have in them. At least for a while. Recently I stopped uninstalling Verisign certs; it was getting too much of a hassle and besides, Verisign bought back their trust over time.

So the bottom line is that if you personally don't have trust in the CNNIC root certificate, simply uninstall it from all your trusted root CA stores (system, browsers, etc.). Obviously it wouldn't prevent threats/attacks against lambda users, but you'd be protected yourself.

Have a nice day,

Fabrice.

--
Fabrice A. Marie
FMA Risk Management Solutions
http://www.fma-rms.com/
