DigiNotar root CA compromised - how to disable root CA certificates

DigiNotar issued a fraudulent certificate for Google, probably to Iran. There are rumours that it could be more than Google; effectively they are toast as a trusted authority, I would think. Discussion:

Something similar happened with Comodo a few months back. Browser and operating-system vendors will probably remove DigiNotar’s root certificate from their trust stores soon. In the meantime there is a “How do we remove these?” discussion on Hacker News. To summarise:

I prefer to disable rather than remove, in case policy changes or more details emerge. I am not an expert; please point out any problems if you read this.

Browser level

  • Chrome

    1. Check for updates

    Chrome mitigates this attack with certificate pinning (not a complete solution, but it helps here) and manages certificates through whatever store the operating system provides.

  • Firefox

    1. Open the preferences (to remove the certificate):
      • Linux
        • Edit->Preferences
      • Windows
        • Firefox->Options
    2. Advanced->Security->View Certificates->Authorities
    3. Find DigiNotar
      1. Probably you can just click Edit Trust and deselect everything, but…
      2. because there was an implication that distrust was different to unticking everything, I used both this and the “Delete or Distrust” button.
    4. Check for updates.
  • Internet Explorer

    1. Tools->Internet Options->Content->Certificates->Trusted Root Certification Authorities
    2. Find DigiNotar
    3. Advanced->Untick everything
    4. Check for updates
  • Safari

    1. Check for updates

    Uses the operating system-provided method.

Operating System level

  • Windows (XP, not sure about others)

    1. Start->Run->certmgr.msc
    2. Trusted Root Certification Authorities->Certificates->Right-click DigiNotar->Properties
    3. Use “Disable all purposes for this certificate”
  • Mac OS X

    1. Run Keychain Access
    2. Use the padlock in the upper left to unlock the system keychain with an admin account
    3. Select System Roots from the list of available Keychains in the upper left
    4. Find and select DigiNotar Root CA
    5. Get info (Command-I or hit the “i” in the bottom area of this window)
    6. Open the Trust section
    7. For “When using this certificate” select Never Trust.
  • Linux

    • Maybe using certutil, which probably needs installing.
    • Maybe using update-ca-certificates
    • Maybe hand-edit /etc/pki/ files

    Not clear to me.

    • Check for updates
  • Blackberry

    1. Options->Security Options->Advanced Security Options->Certificates
    2. Look for DigiNotar (not there for me)
    3. Option button->Distrust
  • iPad/iPhone

    Unclear; check for updates?
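The Linux section above is the least certain one, so here is a worked command-line version of "disable rather than remove" for that platform. This is an added example and not part of the original post or any vendor's tooling. It assumes a Debian/Ubuntu-style ca-certificates setup, where `update-ca-certificates` reads `/etc/ca-certificates.conf` and treats a line prefixed with `!` as deselected, and an NSS database (Firefox or Chromium profile) managed with NSS `certutil`. The bundle entry name `mozilla/DigiNotar_Root_CA.crt`, the NSS nickname, and the sample file contents are assumptions constructed for illustration; the demo edits a temporary copy, never the real system file.

```shell
#!/bin/sh
# Added example (not from the original post): distrusting a root CA on Linux
# from the command line. Assumes Debian/Ubuntu ca-certificates conventions
# ("!" prefix in /etc/ca-certificates.conf = deselected) and NSS certutil for
# browser profile databases. The entry name "mozilla/DigiNotar_Root_CA.crt"
# and the NSS nickname are assumptions for illustration.
# (Fedora/RHEL use /etc/pki/ca-trust/source/blacklist/ plus "update-ca-trust"
# instead; that path is not exercised here.)

# Report whether an entry in a ca-certificates.conf-style file is
# "enabled", "disabled" (prefixed with "!") or "absent".
# $1 = conf file, $2 = entry such as "mozilla/DigiNotar_Root_CA.crt".
ca_entry_status() {
    if grep -qxF "!$2" "$1"; then
        echo disabled
    elif grep -qxF "$2" "$1"; then
        echo enabled
    else
        echo absent
    fi
}

# Deselect one entry by prefixing it with "!" (disable, not delete, so the
# decision is easy to reverse later). Prints "disabled", "already-disabled"
# or "not-found"; returns 1 only in the not-found case.
disable_ca_entry() {
    conf=$1
    entry=$2
    case $(ca_entry_status "$conf" "$entry") in
        disabled) echo already-disabled; return 0 ;;
        absent)   echo not-found;        return 1 ;;
    esac
    # Escape regex metacharacters in the entry name before using it in sed.
    esc=$(printf '%s' "$entry" | sed 's/[][\.*^$]/\\&/g')
    tmp=$(mktemp)
    # Write to a temp file and move it into place; "sed -i" is not POSIX.
    sed "s|^$esc\$|!$entry|" "$conf" > "$tmp" && mv "$tmp" "$conf"
    echo disabled
}

# NSS side (Firefox/Chromium profiles): keep the certificate but set its
# trust flags to ",," so it is trusted for nothing. Needs NSS certutil
# (package libnss3-tools on Debian/Ubuntu). $1 = profile/NSS db directory,
# $2 = certificate nickname as listed by "certutil -d <dir> -L".
# Not run by the demo below; it is here to show the matching NSS step.
nss_distrust() {
    certutil -d "$1" -M -n "$2" -t ",,"
}

# Demonstration on a constructed sample file, not the real
# /etc/ca-certificates.conf. On a real system, after editing the real file,
# run "sudo update-ca-certificates" to rebuild /etc/ssl/certs.
demo() {
    dir=$(mktemp -d)
    conf="$dir/ca-certificates.conf"
    printf '%s\n' \
        '# constructed sample of /etc/ca-certificates.conf' \
        'mozilla/Example_Trusted_CA.crt' \
        'mozilla/DigiNotar_Root_CA.crt' > "$conf"
    echo "before: $(ca_entry_status "$conf" mozilla/DigiNotar_Root_CA.crt)"
    disable_ca_entry "$conf" mozilla/DigiNotar_Root_CA.crt
    echo "after:  $(ca_entry_status "$conf" mozilla/DigiNotar_Root_CA.crt)"
    cat "$conf"
    rm -rf "$dir"
}

demo
```

The `ca_entry_status` function doubles as the "check" step: run it against the real file after `update-ca-certificates` to confirm the entry reads `disabled`, and re-run it after a distribution update, since a package upgrade may ship a new `ca-certificates.conf` and silently re-enable the entry.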