What's up?
There's been a lot of news lately regarding problems with SSL certificates.
IMHO, once a Root CA messes up and makes even one tiny mistake, they should be banned for life.
Who should you block?
CNNIC
This is a Root CA owned by the Chinese government.
This effectively means that the Chinese government can do a man-in-the-middle attack on any SSL connection that is routed through their network (mostly to a .cn webserver or from a Chinese client).
Since the Chinese, like the Iranians, are known to violate their citizens' privacy, you cannot trust them with a Root CA and therefore they should be blocked.
Shame on Mozilla for adding this certificate to Firefox.
Comodo
Comodo has issued fraudulent SSL certificates after being hacked. They obviously don't have their security on a sufficiently high level.
DigiNotar
DigiNotar's fraudulent SSL certificates have been used by the Iranian government to spy on their citizens. They knew they were hacked 6 months ago, blocked a couple of the hacked certificates but forgot one for *.google.com.
They currently do not know if any more hacked certificates are out there.
How can I block these certificates?
Firefox
Go to Preferences -> Advanced -> Encryption -> View certificates, select the certificates you don't trust and press "Delete or Distrust..." -> ok.
Safari (Mac)
Quit Safari and open Utilities -> Keychain Access.
Search for the name of what you want to block, right-click it, click "Get Info", open the "Trust" block and select "Never Trust".
Internet Explorer
Go to Tools -> "Internet Options" -> Content -> Certificates -> "Trusted Root Certification Authorities" and remove the items you don't trust.
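The browser steps above only change the browser's own trust store; command-line tools and scripts that use the OpenSSL bundle keep trusting whatever is in it. The following check is an added example, not part of the original post: it lists roots in that store whose subject contains one of the three names above. The sample entries are constructed, and the function names are this example's own.

```python
import ssl

# Names from the block list in this post, matched case-insensitively.
DISTRUSTED = ("CNNIC", "Comodo", "DigiNotar")

# Constructed sample in the shape ssl.SSLContext.get_ca_certs() returns.
SAMPLE = [
    {"subject": ((("countryName", "NL"),),
                 (("organizationName", "DigiNotar"),),
                 (("commonName", "Constructed DigiNotar Root"),))},
    {"subject": ((("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Root CA 1"),))},
    {"subject": ((("organizationName", "COMODO CA Limited"),),
                 (("commonName", "Constructed Comodo Root"),))},
]

def subject_fields(cert):
    """Flatten the nested RDN tuples into a list of (attribute, value) pairs."""
    return [pair for rdn in cert.get("subject", ()) for pair in rdn]

def flag_distrusted(ca_certs, names=DISTRUSTED):
    """Return (matched_name, subject_text) for each root matching a name."""
    hits = []
    for cert in ca_certs:
        fields = subject_fields(cert)
        text = ", ".join(f"{k}={v}" for k, v in fields)
        for name in names:
            if any(name.lower() in value.lower() for _, value in fields):
                hits.append((name, text))
                break  # one hit per certificate is enough
    return hits

def load_roots(cafile=None):
    """Load roots from a PEM bundle, or the platform default store if None.
    Certificates in a hashed capath directory are loaded lazily by OpenSSL
    and will not be listed; point cafile at a bundle to audit those."""
    ctx = ssl.create_default_context(cafile=cafile)
    return ctx.get_ca_certs()

if __name__ == "__main__":
    for label, roots in (("sample", SAMPLE), ("system", load_roots())):
        for name, subject in flag_distrusted(roots):
            print(f"[{label}] {name}: {subject}")
```

A substring match can flag unrelated roots that merely share a name, so review each hit before removing it from the bundle.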
Feel free to leave a comment if I missed a Root CA or a howto for another browser.