[ubuntu-hardened] Firefox 32 and 2005 TÜRKTRUST Elektronik Sertifika Cert.

Seth Arnold seth.arnold at canonical.com
Tue Sep 30 01:58:38 UTC 2014


On Sun, Sep 28, 2014 at 04:16:49PM +0200, Daniel Curtis wrote:
> Today I updated my Firefox to the 32.0.3 version. I've
> noticed (via Edit | Preferences etc.) TÜRKTRUST Cert,
> which has a Debian Bug Report (#697366)*. I would like
> to ask if it's normal and everything is okay?
> 
> From a 'Debian Bug Report' point of view, not everything
> is clear when it comes to the TÜRKTRUST. What do you
> think about this? Is there something to worry about?
> 
> Sorry for asking here, but - to be honest - it is/was a little
> shocking (when I noticed this) and this forum was the first
> place... Sorry once again.
> 
> Best regards.
> _____________
> * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697366

Hello Daniel,

We can't ourselves audit certificate authorities for reasonable operation
and correctness or decent policies, we simply don't have the resources.

Mozilla has decided to leave some TURKTRUST certificates in their
certificate store and we assume they have done research on the issue to
satisfy themselves that leaving those certificates enabled is overall
more beneficial for their users.

http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/

You can remove the root cert if you would rather not trust them at all:

https://wiki.mozilla.org/CA:UserCertDB#Deleting_a_Root_Certificate

It's more work to remove certificates from the ca-certificates package;
I believe it would require using dpkg-divert to prevent the specific
files from being included on your system, deleting the specific files,
and then re-running dpkg-reconfigure ca-certificates.

Thanks
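An added example, not part of Seth's mail or the ca-certificates package itself: besides the dpkg-divert route described above, the package also lets you deselect a root by prefixing its line in /etc/ca-certificates.conf with "!" and then running update-ca-certificates. The script below performs that edit on a constructed copy of the file; the TURKTRUST file names in the sample are assumptions, check the real ones with `ls /usr/share/ca-certificates/mozilla/`.

```shell
#!/bin/sh
# Added example (not from the original mail). update-ca-certificates treats
# lines in /etc/ca-certificates.conf that begin with "!" as deselected, so
# those roots are not linked into /etc/ssl/certs. This script works on a
# copy so it runs offline; on a real system edit /etc/ca-certificates.conf
# and then run `update-ca-certificates` to apply the change.

# Deselect every enabled line matching PATTERN in CONF (edited in place).
# Comment lines, blank lines and already-deselected lines are left alone.
# Prints the number of lines that were changed.
disable_ca() {
    conf=$1
    pattern=$2
    tmp=$(mktemp)
    changed=0
    while IFS= read -r line; do
        case "$line" in
            '!'*|'#'*|'')
                printf '%s\n' "$line" ;;
            *"$pattern"*)
                printf '!%s\n' "$line"
                changed=$((changed + 1)) ;;
            *)
                printf '%s\n' "$line" ;;
        esac
    done < "$conf" > "$tmp"
    mv "$tmp" "$conf"
    echo "$changed"
}

# List the entries matching PATTERN that are still enabled (no "!" prefix).
list_enabled() {
    grep -v '^[!#]' "$1" | grep -F -- "$2" || true
}

# Constructed sample conf. The mozilla/ layout mirrors the real package;
# the TURKTRUST file names are placeholders, verify them on your system.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Lines beginning with "!" are deselected by update-ca-certificates.
mozilla/DigiCert_Global_Root_CA.crt
mozilla/TURKTRUST_Certificate_Services_Provider_Root_1.crt
mozilla/TURKTRUST_Certificate_Services_Provider_Root_2.crt
!mozilla/Some_Already_Disabled_Root.crt
EOF
```

Run `disable_ca "$SAMPLE_CONF" TURKTRUST` and then `list_enabled "$SAMPLE_CONF" TURKTRUST` to confirm nothing matching remains enabled.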