How do users end up with a misconfigured certificate store? · 2010-07-27 17:18 by Wladimir Palant
I am out of ideas so maybe somebody knows more than me here. I noticed that some Adblock Plus users cannot download https://easylist.adblockplus.org/easylist.txt. Data from a different filter list which switched to HTTPS recently indicates that most of these clients cannot establish an HTTPS connection — most likely the certificate is rejected. I did a very rough estimate, we are talking about something like 0.3% of all Adblock Plus users. Which doesn’t sound like a lot but turns into tens of thousands users in absolute numbers.
Now this isn’t a new issue, new is only the fact that I managed to somewhat quantify it. We had users report that they cannot install Adblock Plus due to signature verification issues (StartCom root certificate not cleared for object signing) and also that they get errors caused by subscription downloads (StartCom root certificate not cleared to identify web hosts). While the former is somewhat understandable (StartCom only started signing objects relatively recently, many Linux distributions for example still don’t ship the updated NSS version), the latter isn’t. We are talking about a root certificate that has been included into the Mozilla code three years ago. I guess that it was included in some of the early Firefox 2 minor releases already.
So, why won’t it work for so many people? I had a chance to communicate with some of the people affected. The symptoms are apparently that the StartCom root certificate is present but its trust settings have non-default values. In one case I asked the user to remove
secmod.db cert8.db from his profile (essentially resetting all built-in certificates to the default values) and it worked. I think that manual configuration change can be excluded as the cause: almost all the people I asked are not aware of ever going to the certificates UI. There was one exception where a guy disabled root certificates to satisfy his strange idea of security but that’s definitely not a common case. What else could it be?
Update: Sorry, I mistakenly mentioned secmod.db above — the real file storing trust options is cert8.db, that one was removed.
Commenting is closed for this article.