1927293 - Remove trust from all CAs in one fell swoop

Status: RESOLVED WONTFIX

(Core :: Security: PSM, defect)

Description

[A]

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0

Steps to reproduce:

• Open Firefox
• Go to Settings
• Hunt down the certificate settings
• Click on the badly named View certificates (I don't want to ‘view’ them, I want to manage them)
• Wince at the impossibly long list of Certificate Authorities (CAs) that I, apparently, ‘trust’
• Try to remove trust from them all

Actual results:

You realise that Firefox wants you to do that one certificate at a time, going through a multiple clicks process that is guaranteed to induce RSI (Repetitive Stress Injury).

Expected results:

I must be able to disable the whole sorry list in one go, as I will never come across 99% of those CAs in a legitimate scenario, yet any of the bloody shits could get compromised (hello DigiNotar et al.!) and then I would be:

a) screwed;
b) none the wiser (until too late).

It is idiotic to pretend that one cares about security and ship literally hundreds of CAs, any of which can sign a certificate for literally any site in the universe.

Not that I expect anyone to give a toss, but reporting it here for the record.

Comment 1

[A]

Also tried using the NSS certutil command line tool (the Mozilla one, I'm on Linux), only to find out that there is no way to even list all of the installed CAs. (certutil -d . -L only lists some of them, not even sure what the algorithm is).

Comment 2

[Dana Keeler (she/her) (use needinfo) [:keeler]]

This kind of feature would not be useful to the vast majority of users, so we're not going to support it. If you really want to, you can compile your own version of the built-in roots module with the default trust removed for each root: https://hg.mozilla.org/mozilla-central/file/tip/security/manager/ssl/builtins/

Comment 3

[:glob ✱]

This is a reminder that Bugzilla is our professional working environment as much as it is our issue tracker, and that attacks directed at our colleagues are not acceptable uses of Bugzilla.