
#1 2022-11-12 19:58:44

squiddo
Member
Registered: 2022-11-12
Posts: 5

Remove TrustCor root certs

Read https://pluralistic.net/2022/11/09/info … ting-trust and saw that we have TrustCor's root certs in /etc/ssl/certs.

Maybe removal is in order?


#2 2022-11-12 21:15:48

Koatao
Member
Registered: 2018-08-30
Posts: 92

Re: Remove TrustCor root certs

So you registered an account to tell us what?
That a random blog thinks that TrustCor should not be trusted and we should not either?
Why should we trust you?

Do you even know how /etc/ssl/certs got to your system? Basically upstream is Mozilla. And since the issue has originally been brought to them first, they are fully aware of the matter.

To anyone interested in the issue here:
The blog is trash in terms of laying out the facts but it comes down to those two sources:
https://groups.google.com/a/mozilla.org … bBho-VBQAJ
https://www.washingtonpost.com/technolo … nnections/

Neither Mozilla, Apple nor Chrome has removed TrustCor from their trusted CA list yet.

But TrustCor is a bit suspicious (to say the least) as a company.

Last edited by Koatao (2022-11-12 22:32:10)


#3 2022-11-13 00:37:15

squiddo
Member
Registered: 2022-11-12
Posts: 5

Re: Remove TrustCor root certs

Lol.


#4 2022-12-11 01:11:29

loqs
Member
Registered: 2014-03-06
Posts: 17,323

Re: Remove TrustCor root certs

@squiddo can you confirm the issue is resolved in ca-certificates-mozilla 3.86-1, currently in testing, which contains [1] the fix for [2], and the November 30, 2022 expiry deadline has passed?

[1] https://hg.mozilla.org/projects/nss/rev … d01b5d38c9
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1803453


#5 2022-12-12 01:28:15

squiddo
Member
Registered: 2022-11-12
Posts: 5

Re: Remove TrustCor root certs

Installed ca-certificates-mozilla-3.86-1-x86_64.pkg.tar.zst:

$ sudo pacman -Ss ca-certificates-mozilla
core/ca-certificates-mozilla 3.85-1 [installed: 3.86-1]
    Mozilla's set of trusted CA certificates
$ find /etc/ca-certificates/ | grep -i trustcor
/etc/ca-certificates/extracted/cadir/TrustCor_RootCert_CA-2.pem
/etc/ca-certificates/extracted/cadir/TrustCor_RootCert_CA-1.pem
/etc/ca-certificates/extracted/cadir/TrustCor_ECA-1.pem

I'm happy to help any way I can. Is there something else I should look at?


#6 2022-12-12 01:44:31

squiddo
Member
Registered: 2022-11-12
Posts: 5

Re: Remove TrustCor root certs

Looks like the current certdata.txt does not have the CKA_NSS_SERVER_DISTRUST_AFTER set per the bug report.


#7 2022-12-12 02:44:45

loqs
Member
Registered: 2014-03-06
Posts: 17,323

Re: Remove TrustCor root certs

The certificates still being present is not an issue provided they are not trusted.
Edit:
Not sure how to verify the trust / trust expiry.
Edit2:
Seems to be more nuanced https://utcc.utoronto.ca/~cks/space/blo … ustProblem
If you want to locally block the certificates, copy them to /etc/ca-certificates/trust-source/blocklist, then run update-ca-trust.

Last edited by loqs (2022-12-12 04:21:27)

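Added example, not part of any post in this thread: one way to check what posts #6 and #7 ask about, by reading CKA_NSS_SERVER_DISTRUST_AFTER for each root out of certdata.txt. The entry layout and the UTCTime encoding of the date are assumptions about NSS's file format; the sample entries, labels and date are constructed, and `distrust_after` is a hypothetical helper name.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample in the assumed certdata.txt layout (not real entries).
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA-1"
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\062\061\061\063\060\060\060\060\060\060\060\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA-2"
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
'''

def distrust_after(certdata):
    """Map each certificate label to its server distrust-after time (UTC) or None."""
    result, label = {}, None
    lines = iter(certdata.splitlines())
    for line in lines:
        if line.startswith("CKA_CLASS "):
            label = None                      # a new object starts here
        elif line.startswith("CKA_LABEL UTF8 "):
            label = line.split('"')[1]
        elif line.startswith("CKA_NSS_SERVER_DISTRUST_AFTER ") and label:
            when = None                       # CK_BBOOL CK_FALSE means "not set"
            if line.split()[1] == "MULTILINE_OCTAL":
                octal = ""
                for body in lines:            # consume the value up to END
                    if body.strip() == "END":
                        break
                    octal += body
                # Octal escapes decode to an ASCII UTCTime string, YYMMDDHHMMSSZ.
                text = "".join(chr(int(o, 8)) for o in re.findall(r"\\([0-7]{3})", octal))
                when = datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
            result[label] = when
    return result

if __name__ == "__main__":
    # Pass a path to a real certdata.txt, or run without arguments for the sample.
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for name, when in sorted(distrust_after(data).items()):
        print(f"{name}: {when.isoformat() if when else 'not set'}")
```
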

#8 2022-12-12 17:55:03

squiddo
Member
Registered: 2022-11-12
Posts: 5

Re: Remove TrustCor root certs

Thanks for that link -- explains what we're seeing. I will follow your advice. Many thanks!

