Corresponding ticket: tails#5766 (closed).
Tails should ship a (non-default) web browser profile that would not trust the CA cartel, but instead use some alternative, more agile and stronger trust system.
Candidates
- Monkeysphere: tails#5763 (closed)
- Convergence: tails#6102 (closed)
- TACK
- EFF's sovereign keys
- Google's proposal
Criteria
- beware of the browser fingerprint
Implementation
Iceweasel profile
We should now provide a second iceweasel profile with all root CAs disabled.
One way to do it would be to dpkg-divert libnssckbi.so
by default,
extract all the CAs from the original libnssckbi.so
and stuff them
into the "normal X.509 usage" profile's DB.
See also the mozilla/security/nss/lib/ckfw/builtins/README
file in
the nss
package source tree (read
online)
to learn how to build a libnssckbi.so
with a custom list of
builtin CAs.
According to a blog
post,
certutil
may be an adequate tool for the task:
apt install libnss3-tools
certutil -d $HOME/.mozilla/firefox/$HLAGHLLAGHGAAHLGALHHGHLAGH.default -A -n 'CA Cert Signing Authority - Root CA' -t CT,C,C -i /etc/ssl/certs/root.pem
What does not work is to disable this module for the no-CAs profile using:
modutil -dbdir PROFILE_DIR -disable "NSS Internal PKCS #11 Module"
The Freepto folks are working on wrappers around certutil
:
- http://lists.autistici.org/message/20141013.235706.2496a2bc.en.html
- https://github.com/boyska/freepto-lb/blob/r-berenjena/config/hooks/certificates.chroot
- https://github.com/boyska/freepto-lb/blob/r-berenjena/config/includes.chroot/usr/local/bin/add-cert-to-firefox
It's also possible to use the cert_override.txt mechanism to add certificate exceptions.
Adding a CA can be done with an add-on. Presumably removing or distrusting one can too.