Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Thanks for the reminder to recheck my certs. I manually wiped CNNIC (among others) when the news first broke, and with today's Firefox update, I'll check again.


You can't just "wipe" a Root CA on Windows - you have to explicitly untrust it.


Open certmgr.msc and put the certificate into the "Untrusted Certificates" store.


I don't remember deleting it, but also can't find one that seems to be from CNNIC.

Does anyone keep a list of ones they personally like to mark as Untrusted, which doesn't break [too many] sites?


Look for "China Internet Network Information Center EV Certificates Root" and "China Internet Network Information Center (CNNIC)" (thumbprints 4F99AA93FB2BD13726A1994ACE7FF005F2935D1E and ‎8baf4c9b1df02a92f7da128eb91bacf498604b6f)


Windows downloads root certs just in time.


Yes, of course! So now I need to figure out how I can add a thumbprint to a Untrusted Cert store...


And why exactly do they do this?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: