
That wouldn't have helped you in this case -- WoSign doesn't even show up in the OS X or Windows root keystores. Its certificates are (apparently) signed by StartCom.

I just blacklisted StartCom's root certs. IMO, for signing off on WoSign they're just as guilty as WoSign itself, if not more so. Since they're the ones with the root cert in the OS, the buck stops there.

I attempted to remove all StartCom certs from the OS X keychain; apparently you can't do it, even as root. You have to boot into the recovery partition first.

http://superuser.com/questions/1070664/security-seckeychaini...

Edit: Don't delete them, instead right click each certificate, select "Get Info", Expand the "Trust" panel, and set it to "Never Trust"


You don't have to remove them; you can just set the 'Trust' setting to 'Never Trust'.


I can't remember whether it was MacOS or Windows, but at least one OS will sometimes re-install a 'standard' CA certificate if you delete it. Setting 'never trust' is the most reliable way to kick out the CA as it ensures that it stays out.
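The "Never Trust" step described in the comments above, as an added example that is not from the thread: the same setting applied from the command line with macOS's `security` tool, so it can be scripted and re-run if the OS ever restores a root after deletion. It exports the bundled system roots, picks the ones whose subject names the CA, and writes an explicit `deny` trust setting for them. Assumptions (not stated in the thread): a macOS host with `/usr/bin/security` and `openssl` on the PATH, the CA name (here "StartCom") passed as the first argument, and root privileges for the admin (`-d`) trust domain. The PEM bundle used by the test is constructed, not a real certificate.

```shell
#!/bin/sh
# Added example, not code from the thread. Marks every system root whose
# subject mentions the given CA as "Never Trust" for all policies.
# Assumes macOS: /usr/bin/security, openssl, and root for the -d (admin) domain.
set -eu

ROOT_STORE=/System/Library/Keychains/SystemRootCertificates.keychain
ADMIN_KEYCHAIN=/Library/Keychains/System.keychain

# split_pem_bundle BUNDLE OUTDIR
# Writes each PEM certificate found in BUNDLE to OUTDIR/cert-N.pem and prints
# the number of certificates written. Pure awk, so it works on any platform.
split_pem_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f                            { print > f }
    /-----END CERTIFICATE-----/  { close(f); f = "" }
    END                          { print n + 0 }
  ' "$1"
}

# subject_matches PEMFILE NEEDLE: succeeds if the subject contains NEEDLE
# (case-insensitive), so "StartCom" catches every StartCom root at once.
subject_matches() {
  openssl x509 -in "$1" -noout -subject | grep -qi -- "$2"
}

# distrust_roots CA_NAME
# Exports all roots shipped by the OS, selects the matching ones and adds an
# explicit deny trust setting. With -d the setting lands in the admin domain
# (all users); drop -d to write the per-user setting that Keychain Access uses.
# No -p policy is given, so the deny applies to SSL, S/MIME, code signing, etc.
distrust_roots() {
  ca="$1"
  tmp=$(mktemp -d)
  security find-certificate -a -p "$ROOT_STORE" > "$tmp/roots.pem"
  split_pem_bundle "$tmp/roots.pem" "$tmp" >/dev/null
  for f in "$tmp"/cert-*.pem; do
    subject_matches "$f" "$ca" || continue
    # Record exactly which root is being distrusted (subject + SHA-256 fingerprint).
    openssl x509 -in "$f" -noout -subject -fingerprint -sha256
    security add-trusted-cert -d -r deny -k "$ADMIN_KEYCHAIN" "$f"
  done
  rm -rf "$tmp"
}

# verify_chain LEAF_PEM
# Check: a server certificate chaining to a denied root must now fail the
# SSL policy (non-zero exit, "CSSMERR_TP_NOT_TRUSTED" or similar message).
verify_chain() {
  security verify-cert -p ssl -c "$1"
}

# Usage: sudo sh distrust_ca.sh StartCom
if [ -n "${1:-}" ]; then
  distrust_roots "$1"
fi
```

Afterwards, `security dump-trust-settings -d` lists the admin-domain settings, and each distrusted root should show up with result "deny". Because this writes a trust setting rather than deleting the certificate, it survives the OS putting the root back, which is the point made above about "Never Trust" being more reliable than removal.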


Thanks! I assumed that was an option I just didn't see it at first.


Yup, you're absolutely right. I've also blacklisted StartCom after reading through the comments on this thread.
