6 September 2011

The following message is available in plain text with a GPG signature (key ID 9379950E).

You should upgrade to Firefox 3.6.22 or Firefox 6.0.2 in order to be protected against the DigiNotar CA certificates which are assumed to be compromised.

These versions include the certificates that are mentioned in my blog post at:

However, if for any reason you are not (yet) able to upgrade, here is a workaround to at least get the changes we made to NSS. (The newer applications will change some certificate errors from untrusted to revoked (in particular those issued on or after July 1), which cannot be overridden by exceptions. The procedure explained below will give you only untrusted treatment for these certificates, which should still be helpful.)

You must repeat the following actions for each Firefox/Thunderbird/SeaMonkey profile.

Click each of the following links:

Each time you will be presented with a dialog. You will be asked to apply trust. DO NOT ADD TRUST. Checkboxes should remain NOT CHECKED. Click OK for each of them. This procedure will import the 6 knockout certificates, overriding the older ones which are trusted.

Because you cannot download these with Thunderbird, use the following links to download and save these certificates:

Then go to Thunderbird preferences, advanced, encryption, view certificates, authorities, and use the "import" feature 6 times, once for each of the certificates. Again, make sure you DO NOT check any checkboxes, simply click OK.

Kai Engert
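As an added example (not part of the original message), the following check parses the output of NSS `certutil -L -d <profile directory>` for one profile and reports any DigiNotar entry that still carries a trust-granting flag after the import. Matching on the nickname substring "DigiNotar" is an assumption, and the sample listing is constructed for illustration.

```python
import re

# Flags that grant trust in certutil's "SSL,S/MIME,JAR/XPI" columns:
# C = trusted CA for server certs, T = trusted CA for client auth,
# P = trusted peer. Lowercase c (valid CA) and p (prohibited) grant none.
TRUST_GRANTING = set("CTP")

# A listing row is "<nickname><padding><ssl>,<email>,<objsign>".
# The two header lines do not match this pattern and are skipped.
ROW = re.compile(
    r"^(?P<nick>.+?)\s+"
    r"(?P<ssl>[pPcCTuw]*),(?P<email>[pPcCTuw]*),(?P<obj>[pPcCTuw]*)\s*$"
)


def parse_listing(text):
    """Return [(nickname, (ssl, email, objsign)), ...] from `certutil -L` output."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append((m["nick"].strip(), (m["ssl"], m["email"], m["obj"])))
    return entries


def still_trusted(text, needle="diginotar"):
    """Nicknames containing `needle` that still hold a trust-granting flag."""
    return [
        nick
        for nick, flags in parse_listing(text)
        if needle in nick.lower() and any(TRUST_GRANTING & set(f) for f in flags)
    ]


# Constructed sample listing; the nicknames are placeholders, not real entries.
SAMPLE = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Corp Internal CA                                     CT,C,C
DigiNotar sample entry A                                     ,,
DigiNotar sample entry B                                     C,,
"""

if __name__ == "__main__":
    for nickname in still_trusted(SAMPLE):
        print("still trusted:", nickname)
```

Run it against the listing of every profile, since the import has to be repeated per profile; an empty result means no matching entry holds trust in that profile's database.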