[tor-talk] TBB 2.2.32 & Automatic Updates

Erinn Clark erinn at torproject.org
Tue Sep 6 01:20:43 UTC 2011


* cgp3cg <cgp3cg at gmail.com> [2011:09:06 07:52 +1000]: 
> Thanks Erinn,
> 
> I've also discovered that with this version FF defaults to saving
> passwords, and that there a 4 CA certificates present for DigiNotar and
> 2 for DigiNotar B.V.
> 
> The first isn't a huge issue, but according to the changelog for 2.2.32-2:
> 
> * Update Firefox to 6.0.1, with an additional patch to exclude
>   DigiNotar completely
> 
> I've also had a quick poke at a few older versions (the only ones I have
> handy):
> - 2.2.25 (FF 4.0.1)
> - 1.1.3 (FF 3.6.13)
> 
> and both only show 1 CA cert for DigiNotar. Stock standard FF 6.0 also
> only had one, and it's now gone completely from 6.0.1 ... so why the
> presence of four in TBB?

This is a change in Firefox 6.0.2 where they list them so they can explicitly
distrust them. If you click on Aurora->Preferences (or Options, I think, in
Windows)->View Certificates->then click on any of the DigiNotar things present,
it will say at the top "Explicitly Distrust [...]".

You can see some more of that here: 
https://hg.mozilla.org/releases/mozilla-release/rev/55b5cd1ce8fe

This basically superseded our (and their) patches, and I think the reason there
are so many more listed is because they got all of them, including
intermediaries. To be honest, while Mozilla has been very helpful and
responsive to us, we don't have complete insight into their decision-making
processes so we are trusting them to do the right thing here, at least right
this minute with the given time-constraints. When things have settled down a
bit more we will probably revisit how TBB handles certs overall. In essence,
there has been a lot of turbulence with this release (which happened 2 weeks
early because of this mess, and then went through a bunch of rapid changes
immediately after) so everything is a bit wobbly.

We're going to be making some more radical changes and the build/QA team is
basically just me, for all platforms, except when other devs & volunteers pitch
in. Would you be interested in helping us out with better testing?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 495 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20110906/c4f148a5/attachment.pgp>


More information about the tor-talk mailing list