Corresponding ticket: tails#5766 (closed).
Tails should ship a (non-default) web browser profile that would not trust the CA cartel, but instead use some alternative, more agile and stronger trust system.
- Monkeysphere: tails#5763 (closed)
- Convergence: tails#6102 (closed)
- EFF's sovereign keys
- Google's proposal
- beware of the browser fingerprint
We should now provide a second iceweasel profile with all root CAs disabled.
One way to do it would be to dpkg-divert libnssckbi.so by default, extract all the CAs from the original libnssckbi.so and stuff them into the "normal X.509 usage" profile's DB.
See also the mozilla/security/nss/lib/ckfw/builtins/README file in the nss package source tree (read to learn how to build a libnssckbi.so with a custom list of
According to a blog, certutil may be an adequate tool for the task:

    apt install libnss3-tools
    certutil -d $HOME/.mozilla/firefox/$HLAGHLLAGHGAAHLGALHHGHLAGH.default -A -n 'CA Cert Signing Authority - Root CA' -t CT,C,C -i /etc/ssl/certs/root.pem
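Going beyond the single certificate in the command above, this added example (not part of the original page or of Tails) imports every CA file in a directory into one profile's NSS DB with the same certutil options. The function name `import_cas`, the `CERTUTIL` override and the one-CA-per-file directory layout are assumptions.

```shell
#!/bin/sh
# Added example: bulk-import CA certificates into a single browser profile's
# NSS database, leaving every other profile untouched.
# Assumptions: CA_DIR holds one CA certificate per *.pem / *.crt file, and
# PROFILE_DIR already contains an NSS database.

CERTUTIL="${CERTUTIL:-certutil}"   # overridable, e.g. to point at a wrapper

# import_cas PROFILE_DIR CA_DIR
# Adds each certificate file in CA_DIR to the DB in PROFILE_DIR as a trusted
# CA (trust flags CT,C,C as in the command above) and prints how many were
# imported. Stops with a non-zero status on the first failed import.
import_cas() {
    profile_dir=$1
    ca_dir=$2
    count=0

    [ -d "$profile_dir" ] || { echo "no such profile: $profile_dir" >&2; return 1; }
    [ -d "$ca_dir" ] || { echo "no such CA directory: $ca_dir" >&2; return 1; }

    for cert in "$ca_dir"/*.pem "$ca_dir"/*.crt; do
        [ -f "$cert" ] || continue      # an unmatched glob stays literal

        # Nickname = file name without directory and extension.
        nick=$(basename "$cert")
        nick=${nick%.*}

        "$CERTUTIL" -d "$profile_dir" -A -n "$nick" -t CT,C,C -i "$cert" || {
            echo "import failed: $cert" >&2
            return 1
        }
        count=$((count + 1))
    done

    echo "$count"
}
```

Afterwards, `certutil -L -d PROFILE_DIR` lists the nicknames and trust flags now present in that profile's DB.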
What does not work is to disable this module for the no-CAs profile using:

    modutil -dbdir PROFILE_DIR -disable "NSS Internal PKCS #11 Module"

The Freepto folks are working on wrappers around
It's also possible to use the cert_override.txt mechanism to add certificate exceptions.
Adding a CA can be done with an add-on. Presumably removing or distrusting one can too.