On Dec 25 2008, 12:36 am, "Kyle Hamilton" <aerow...@gmail.com> wrote:
> To be honest, Mozilla doesn't distribute keytool with Firefox, which
> means that I have to try to go into the
> (unbatchable) interface

this is false. the ui is built as xul with js bindings to c++ objects which use idl to expose methods. the js *script* which controls the user interface itself is essentially batching orders. you're free to batch this as much as you please.

> remove the flags one. by. one. by. one. and then select the next
> certificate and remove those trust flags, and the next, and the next,
> and the next...
>
> ...for all hundred or so certs that Firefox includes.

i've done this something like half a dozen times using a nokia n800 (or was it a nokia 770) with the built in certificate manager. Which is worse by far than the one mozilla ships. You almost have my sympathy. Except for a few details:

1. i've been working w/ the nokia ui people + engineers to improve their mess (i thought I had succeeded in burying their ui, but it seems rumors of its demise were greatly exaggerated).
2. i've been working to improve the mozilla ui (by writing patches)

what have you done?

> And then, once I DO manage to do that, then with the "new and
> improved" user interface updates, I then have to click at least six
> times to try to figure out what's going on, and then when I do find a
> site that's protected by an unknown CA certificate
> (OR that I've removed the trust bits on),

again, i've filed bugs and am working to improve this. what have you done?

> I have to do the following:
>
> 1) Click 'add an exception'
> 2) click 'get certificate' (why I should have to do this is beyond me,
> since firefox obviously already has the certificate downloaded since
> it told me 'sec_error_untrusted_issuer', which it couldn't have known
> without the certificate in its possession ANYWAY)

i believe this is partly to force users (not you, real normal people) to think before they blindly add issuers. There's a public bug evidencing that normal users might actually add trust to every site they encounter (because they're on an evil hot spot which is spoofing everything).
You're a (professed) expert, our target audience is the average person (described above), the experience for that person must be safe and slow. thinking is good. blindly clicking through is bad. if you're an expert, you can script pieces of this (heck, there's a pref to speed up the steps you're describing).

> 3) click 'view'
> 4) get the name of the Issuer
> 5) hope to all the gods that there's enough information in the chain
> to figure out what root it's supposed to be going to

if there isn't, then you shouldn't be trusting it. heck. if there isn't, go try to find a phone number and get the web server operator to fix their server. -- and yes, i've done this, iirc it was last month, i got sun to fix one of their servers.

> 6) close the window
> 7) go into Preferences
> 8) click Advanced
> 9) click Encryption
> 10) click 'View Certificates'
> 11) Scroll through the list, with each click giving me approximately
> 0.6 useful results (given the preponderance of 'section headings by
> root owner', which by the way doesn't work at all with the Addtrust AB
> stuff since those are Comodo roots)

i've written a patch to improve this ui (with an eye to making the n800 user experience better).

> 12) find the appropriate root and re-enable it for identification of websites

this seems useless. w/ my patch you could search by any criteria.

> 13) refresh the page.
>
> How 'bout this, Nelson (and I invite Frank and the entire security UI
> team to do this, as well): YOU do it. Create a new profile and
> manually remove the trust on every CA. Then, browse around, and see
> which CAs are actually used by you in your day-to-day browsing,
> reenabling them manually (since you're trying to emulate not having
> keytool around).

been there, done this.

> Furthermore, even when keytool IS available, it's entirely likely that
> its name conflicts with Java's keytool. (especially on Mac OSX.)

it's called certutil.

> This is completely unworkable, and discourages users that want to from
> taking their security into their own hands.