We need a mechanism to dynamically revoke CA certificates from the Firefox browser (and other Mozilla software). We might see such a solution in the near future.

However, I would like to offer an immediate solution for those who are eagerly waiting for it. During the last two days I worked on a Firefox Add-On which doesn't require any new infrastructure. As of now it's compatible with Firefox 6 and later.

The idea is to dynamically deliver information to your browser, if CA certificates should no longer be trusted, and it can be effective immediately, without having to wait for a software update.

CA-Knockout is an Add-On which I have signed with my code signing certificate.

The Add-On will attempt to download the most recent information, which I currently host on my private server. The data that is download is also signed with my code signing certificate. The Add-On will ignore any data lacking a valid signature.

Another feature is manual import. If user's connections to my server are blocked (e.g. by a smart Man-In-The-Middle), this feature could be used to circumvent the blockade. Users might share the revocation data via other channels, like email, or direct file transfer. With the Add-On installed, open the Tools menu, select CA-Knockout / Import, and in the dialog that shows up, paste the data you have received. As of today, assuming there are no bugs in the Add-On, I'm the only one who is able to create a signed blob that will be accepted by the Add-On.

If you would like to try it, get the Add-On from https://kuix.de/ca-knockout/ – when installing, in the dialog that asks you to confirm the import, ensure it shows my name (Kai Engert). This tells you that the Add-On has been digitally signed by me. (Please update as soon as possible, initial version 0.2.1 contained a bug.)

In this initial version, the Add-On attempts to download just once per session, shortly after starting Firefox (each time you start Firefox). However, you should get notifications if it fails, and it should offer you to retry the download.

The initial data block that I have prepared is at http://kuix.de/ca-knockout/ca-knockout-latest.txt

It contains the same set of knockout certificates that were shipped with NSSCKBI 1.87 and is contained in Firefox 6.0.2

(Only for testing purposes, get Firefox 6, use a new profile, disable Firefox update checking, install the addon and allow it to import the knockout certs. From this time you should be similarly protected when visiting SSL/https sites running DigiNotar certificates. Remember to reenable Firefox update checking after testing.)

There is at least one usability disadvantage of the current implementation. Because the Add-On is restricted to use the features and APIs that are currently available in the Mozilla platform, in order to install the CA knockout certificates, the Add-On uses the same API that is used to install new CA certificates. This means, you will get a dialog asking you „do you want to trust this CA“, showing several checkboxes where you control which trust you would like to add. The default mode is all checkboxes off – which is good, which is what we want. In order to benefit from the Add-On, you must manually confirm with OK each of the knockout certificates that the Add-On wants to download.

Note that it will try to protect confused users. If a user checks any of the checkboxes, the Add-On will automatically remove that trust after import.

I would like to see many users try this. Who knows, maybe we'll see CA disasters in the near future, before software vendors can implement a better mechanism into their core products? If we do, I'll try to give you updated revocation blobs as soon as I can.

Please try it out and let me know what you think.

Disclaimer: I did this as a private project. Provided as is. Provided under MPL license. No guarantees. Add-On might contain evil bugs. If you can, please look at the code and let me know what you think and report bugs. Also, if you decide to use it, please come back and check for updates – there is no automatic update mechanism. I might host it on the official Add-Ons site later, should feedback be positive.

Good luck,
Kai