
cacert-sysadm - Re: two possible MD5 hashed certificates in a chain

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list


Re: two possible MD5 hashed certificates in a chain


  • From: Mark Lipscombe <mark AT cacert.org>
  • To: cacert-sysadm AT lists.cacert.org
  • Subject: Re: two possible MD5 hashed certificates in a chain
  • Date: Sat, 19 Dec 2009 06:36:57 +1100
  • Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none

On 12/19/2009 6:09 AM, Dieter Hennig wrote:
> Dear Ian,
>
> Hope I can express it well. Please do two experiments.
>
> a.) Install the Opera browser and look at https://www.cacert.org
>
> What do you see?

This has nothing to do with MD5. This is due to a change in how Opera 10 queries our OCSP responder. Our OCSP responder does the "wrong thing", and needs to be fixed. Opera is the only browser that acts this way, though.

Someone with more knowledge of the problem and the work on the solution might want to let us know where that is at? The OCSP situation with Opera is a real bug and should be addressed ASAP.

> b.) Please use Firefox and install the plug-in
>
> SSL Blacklist
>
> from here
>
> http://codefromthe70s.org/sslblacklist.aspx
>
> and then go to
>
> https://dev.cacert.cl
>
> We have that tool everywhere in the field.

That tool is simply incorrect. If you read the last paragraph in the lovely bright yellow at the author's site, he admits as much. There is even a suggestion of how to turn off the helpful feature that brings up a warning for that particular problem.

If you have any certificates in your trusted store that still sign new certificates using MD5 and this vulnerability concerns you, you should remove those roots from the trusted store in your deployments. Relying on a Firefox addon that someone will likely just click through anyway is no security at all.

In the alternative, sign your certificates from the Class 1 root or distribute the Class 3 certificate in the trusted store. This will not generate any errors using that addon.

Regards,
Mark
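The advice in the reply above turns on one point: a verifier only relies on the signatures of certificates below the trust anchor, so an MD5 signature on a certificate that sits in the trust store (a self-signed root, or an intermediate you have distributed as trusted) is never checked, while an MD5 signature on an intermediate that must be chained up to a trusted root is. The following Python is an added example, not code from the list thread or from CAcert or the SSL Blacklist add-on. It reads the signatureAlgorithm OID out of each DER certificate with a small hand-written DER reader and walks a leaf-first chain until it hits a trust anchor, reporting only the MD5 signatures that a verifier would actually depend on. The "certificates" are constructed stand-ins with a placeholder tbsCertificate and a dummy signature (enough for this check, not real X.509); the names Class 1 / Class 3 / server are assumed to mirror the situation the thread describes.

```python
"""Report which MD5 signatures in an X.509 chain a verifier actually relies on.

Added example, not from the CAcert list thread. Minimal DER reader and
encoder, no third-party libraries. Sample certificates are constructed
stand-ins: placeholder tbsCertificate, real AlgorithmIdentifier, dummy
signature. They are NOT real CAcert certificates.
"""

OID_MD5_RSA = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption
OID_SHA1_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption
OID_SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
WEAK_SIG_OIDS = {OID_MD5_RSA: "md5WithRSAEncryption"}


def der_read(buf, pos=0):
    """Read one TLV at pos. Return (tag, value, next_pos). Definite lengths only."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_oid(value):
    """Decode OBJECT IDENTIFIER contents octets to dotted notation (first arc 0/1/2)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:                   # base-128, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Return the OID from the outer signatureAlgorithm field of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, body, _ = der_read(cert_der)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = der_read(body, 0)      # skip tbsCertificate
    tag, algid, _ = der_read(body, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    assert tag == 0x30
    tag, oid, _ = der_read(algid, 0)
    assert tag == 0x06, "first AlgorithmIdentifier element must be an OID"
    return der_oid(oid)


def weak_signatures_in_path(chain, trust_store):
    """chain: [(name, der), ...] leaf first. trust_store: set of DER trust anchors.

    Walk up until a certificate is found in the trust store. The anchor's own
    signature is never verified, so its algorithm is irrelevant; only MD5
    signatures on certificates below the anchor are reported.
    """
    relied_on = []
    for name, der in chain:
        if der in trust_store:
            return relied_on              # path ends here; nothing above is checked
        oid = signature_algorithm(der)
        if oid in WEAK_SIG_OIDS:
            relied_on.append((name, WEAK_SIG_OIDS[oid]))
    raise ValueError("chain does not reach a trust anchor")


# --- constructed sample data (DER encoder + stand-in certificates) ---------

def der_tlv(tag, value):
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_cert(subject, sig_oid):
    """Constructed stand-in: placeholder tbsCertificate, real AlgorithmIdentifier, dummy signature."""
    tbs = der_tlv(0x30, der_tlv(0x0C, subject.encode()))
    algid = der_tlv(0x30, der_tlv(0x06, der_oid_encode(sig_oid)) + der_tlv(0x05, b""))
    sig = der_tlv(0x03, b"\x00" * 17)
    return der_tlv(0x30, tbs + algid + sig)


# Assumed layout, modelled on the thread: Class 1 root self-signed with MD5,
# Class 3 intermediate signed by Class 1 with MD5, server cert signed with SHA-1.
CLASS1_ROOT = make_cert("Class 1 root (constructed)", OID_MD5_RSA)
CLASS3_INTERMEDIATE = make_cert("Class 3 intermediate (constructed)", OID_MD5_RSA)
SERVER = make_cert("dev server (constructed)", OID_SHA1_RSA)
CHAIN = [("server", SERVER), ("class3", CLASS3_INTERMEDIATE), ("class1", CLASS1_ROOT)]

if __name__ == "__main__":
    for name, der in CHAIN:
        print(f"{name}: {signature_algorithm(der)}")
    print("only Class 1 trusted:", weak_signatures_in_path(CHAIN, {CLASS1_ROOT}))
    print("Class 3 also trusted:", weak_signatures_in_path(CHAIN, {CLASS1_ROOT, CLASS3_INTERMEDIATE}))
```

With only the Class 1 root trusted, the Class 3 intermediate's MD5 signature is on the verified path and gets reported; add the Class 3 certificate to the trust store, or issue directly from Class 1, and the walk stops before any MD5 signature is relied on, which is exactly the outcome the reply describes. The reader is deliberately minimal (definite lengths only, no indefinite-length or multi-byte tags), which is enough for real DER certificates but not a general ASN.1 parser.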


