DigiNotar Root CA is permanently trusted exception

Users and developers helping users with generic and technical Pale Moon issues on all operating systems.

Moderator: trava90

Forum rules
This board is for technical/general usage questions and troubleshooting for the Pale Moon browser only.
Technical issues and questions not related to the Pale Moon browser should be posted in other boards!
Please keep off-topic and general discussion out of this board, thank you!
akademiker

DigiNotar Root CA is permanently trusted exception

Unread post by akademiker » 2021-05-03, 13:36

After updating PaleMoon I noticed that "DigiNotar Root CA" is automaticaly added to the TLS exceptions for the server "*". This tab is usualy used for TLS exceptions when you TRUST a server that has non-validated certificate. DigiNotar Root CA is a compromised CA and usualy added to a DISTRUST list in every browser. I tried a fresh install on windows and linux and both automaticaly had the DigiNotar cert as a trusted server cert for everything. See attached screenshot.
I noticed it in the version 29.2.0, but it could have been there for a longer time. Is it just a UI bug or did someone compromise the build system or added a backdoor in the source code?
Attachments
palemoonoopsie.JPG

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35478
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: DigiNotar Root CA is permanently trusted exception

Unread post by Moonchild » 2021-05-03, 13:49

If you examine the certificate details you will see that it is an explicitly distrusted certificate entry. This was added as a certificate (which can't be used to sign anything since it's invalid) to explicitly prevent having it added as a server certificate (since it's already present in the store).

It's not really a cert, it's really more of an anti-cert, there to block DigiNotar even if some dumb user tries to click through the "Add Exception..." button.

The evidence is that it says "Could not verify this certificate because it is not trusted".
You can't revoke a self-signed root CA, so the only reason a root cert would not be trusted is if you open the "Details" tab and see that it's not actually a cert, but some non-standard object called Builtin Object Token:Explicitly Distrust DigiNotar Root CA.
(Root certs don't have CRLs so this is necessary to manage explicitly distrusting a root cert and preventing exceptions).

Yes, it's a bit of a hack but it's effective (and wouldn't actually be needed if people would not just blindly add exceptions everywhere).
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

akademiker

Re: DigiNotar Root CA is permanently trusted exception

Unread post by akademiker » 2021-05-03, 13:55

Alright, it's a little weird since it's shown in the same tab where the trust exceptions are added. In firefox and waterfox the same distrust is added in the nssckbi library, but not shown in the UI.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35478
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: DigiNotar Root CA is permanently trusted exception

Unread post by Moonchild » 2021-05-03, 14:51

Quite possible they took extra steps to hide it from the UI. I don't know.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Locked