Request: allow/block intermediate certificates


Request: allow/block intermediate certificates

Unread post by dave on linux » 2016-05-27, 17:31

Hello. There is a trust issue I don't know yet how to ideally handle:

Symantec/VeriSign has issued an intermediate certificate for Blue Coat Systems "which permits the company to issue transparent man-in-the-middle certificates that will not cause browsers to warn about an untrustworthy connection". As such I don't want to trust intermediate certificates issued by Symantec/VeriSign any longer. Through "Preferences > Advanced > View Certificates > Authorities" I can remove included root certificates, but a finer-grained way to allow/block intermediate certificates without touching root certs is not available.

Alternately Symantec/VeriSign could be removed altogether by default in Pale Moon, but I assume this might be more debatable than making intermediate certificates configurable as well.

Or might there be a more elegant approach to handling such cases I haven't thought of?

Moonchild
Pale Moon guru
Posts: 35473
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Request: allow/block intermediate certificates

Unread post by Moonchild » 2016-05-27, 17:51

You can always edit the trust of the intermediate certificates in the certificate manager for a finer-grained control.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Re: Request: allow/block intermediate certificates

Unread post by dave on linux » 2016-05-27, 18:46

Sorry, I'm not sure I understand you correctly. The certificate manager is what's at "Preferences > Advanced > View Certificates"? So the intermediate certificates only appear there within the issuing CA section after first encountered? Can a specific intermediate certificate be blocked even before it's added to the local list? Thank you!

Re: Request: allow/block intermediate certificates

Unread post by Moonchild » 2016-05-27, 21:43

If you know beforehand which certificates you want to distrust, then you can import those certificates yourself and set the trust on them. I'm assuming this is going to be a very small number of certificates you explicitly want to distrust.

If you want to distrust all intermediate certificates handed out by a certain CA, then you should distrust their root certificate used to anchor the trust chain for those intermediates.

To enable proper operation, and to prevent the browser from having to ship all known intermediate CA certs (which have a lot of churn anyway), a browser will enter the intermediate certificates when first encountered (presented by the secure server you visit); that is just how this works. Because it can't know beforehand about these certificates, there is no way to edit trust beforehand unless you import those certificates yourself before your first visit.

Before you ask if there is a way to ask each time a new intermediate CA cert is encountered: no, there is not. Having such a setting would literally flood the user with certificate confirmation requests and that is not practical.
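
Added example, not part of the thread and not Pale Moon or NSS code: a simplified Python model of the difference described in the post above between distrusting one pre-imported intermediate and distrusting the root that anchors it. It assumes the third-party `cryptography` package; the hierarchy, the names and the `evaluate` function are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def fingerprint(cert):
    return cert.fingerprint(hashes.SHA256()).hex()

def make_cert(cn, key, issuer_cn, issuer_key, is_ca):
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    start = datetime.datetime(2016, 5, 27)
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def signed_by(cert, issuer):
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return cert.issuer == issuer.subject
    except InvalidSignature:
        return False

def evaluate(chain, roots, distrusted):
    # chain: leaf + intermediates sent by the server; expiry/hostname/revocation not modelled.
    current, candidates = chain[0], list(chain[1:]) + list(roots)
    for _ in range(len(candidates) + 1):
        if fingerprint(current) in distrusted:
            return "rejected: explicitly distrusted"
        if current in roots:
            return "accepted"
        current = next((c for c in candidates if signed_by(current, c)), None)
        if current is None:
            return "rejected: unknown issuer"
    return "rejected: no path to a trusted root"

def demo():  # constructed hierarchy; every name here is made up
    key = {n: ec.generate_private_key(ec.SECP256R1()) for n in "R A B a b".split()}
    root = make_cert("Example Root", key["R"], "Example Root", key["R"], True)
    ca_a = make_cert("Intermediate A", key["A"], "Example Root", key["R"], True)
    ca_b = make_cert("Intermediate B", key["B"], "Example Root", key["R"], True)
    chains = {"a": [make_cert("a.example", key["a"], "Intermediate A", key["A"], False), ca_a],
              "b": [make_cert("b.example", key["b"], "Intermediate B", key["B"], False), ca_b]}
    blocks = {"none": set(), "A": {fingerprint(ca_a)}, "root": {fingerprint(root)}}
    return {(s, b): evaluate(c, [root], d) for s, c in chains.items() for b, d in blocks.items()}
```

`demo()` returns the verdict for each site under each distrust setting: blocking Intermediate A by fingerprint rejects only `a.example`, while blocking the root rejects both sites.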

Re: Request: allow/block intermediate certificates

Unread post by dave on linux » 2016-05-30, 17:33

Thank you for the explanation.

One last question for clarification, since one has to first manually import certificates that one wants to distrust: There is a "Delete or Distrust..." button which appears to remove the imported certificate again. Does that actually permanently distrust said certificate, or does that return to the state before the manual import (which would be the opposite effect of distrusting)?

Also would it be possible to allow searching/filtering the listing of authorities? It's long and nested enough for a search to be a big help I think.

Re: Request: allow/block intermediate certificates

Unread post by dave on linux » 2016-06-14, 22:35

Well, Symantec solved my particular problem by buying Blue Coat Systems so I removed all their root certs altogether.

Re: Request: allow/block intermediate certificates

Unread post by Moonchild » 2016-06-15, 05:58

dave on linux wrote: Well, Symantec solved my particular problem by buying Blue Coat Systems so I removed all their root certs altogether.
Be aware that Symantec is the root authority for a large number of sites on the web.

Re: Request: allow/block intermediate certificates

Unread post by dave on linux » 2016-06-15, 10:45

Moonchild wrote: Be aware that Symantec is the root authority for a large number of sites on the web.
I kinda am. The forced error messages now help me get a clearer picture of who uses TLS through those questionable connections, which is also not a bad thing. (Though I honestly didn't expect Twitter of all sites to use them.)
