How to disable the Comodo reseller root certificate in Firefox

Slashdot is a-buzz (and rightly so!) with news that people have been able to obtain an SSL certificate for a domain they don’t own, by applying with one of Comodo’s certificate resellers. It is clear that there has been a major breach of trust, but we’re not sure of the best general solution. There has been a discussion in the mozilla.dev.tech.crypto newsgroup about what steps Mozilla should take for this breach.

In the meantime, I recommend disabling the root certificate used by this certificate authority, to avoid the possibility that other fraudulent certificates are floating around in the wild. Here’s how to disable the relevant CA root in Firefox:

  1. Open the preferences window
  2. Select the “Advanced” tab
  3. Select the “Encryption” sub-tab
  4. Choose “View Certificates”
    Firefox Preferences Window: Advanced -> Encryption -> Certificates

  5. Find and select the “AddTrust AB / AddTrust External CA Root” item
  6. Choose the “Edit’ button
    Root Certificates Dialog

  7. Remove all trust setting check-boxes.
    Edit Certificate Dialog

Note: disabling this root certificate will SSL websites validated by this Comodo reseller to stop working. That’s why you’re doing it, but if it’s your favorite website that stops working, please don’t blame me! If you’re really paranoid, you could also disable all Comodo roots: these include all the certificates with names like “AddTrust”, “Comodo CA Limited”, and “The UserTrust Network”.

Thanks to Eddy Nigg for first providing these instructions.

Atom Feed for Comments 11 Responses to “How to disable the Comodo reseller root certificate in Firefox”

  1. Dan Says:

    Thanks! I’m trying to do this in Chrome too, however there are no AddTrust root certificates in Chrome it seems. So I guess Chrome users are already good. :) Unless AddTrust is covered by the COMODO root cerficiate, which is present in Chrome.

  2. Dan Says:

    Hmm… looks like Chrome just uses Microsoft’s Root Certificates. When you go to manage the certificates it just pops open the Internet Options dialog for it.

  3. Rob Sayre’s Mozilla Blog » Blog Archive » Dismay Says:

    [...] Comodo fiasco is pretty depressing. We have a CA Policy that states we’ll might do something in [...]

  4. Pseudonymous Coward Says:

    Thanks! The paranoid approach appears to have disabled Expedia.com from being trusted for me (I *think* it uses a UserTrust network certificate).

  5. Matt Says:

    Hmm… the bogus certificates (as shown in Eddy Nigg’s blog post) were issued under UTN-UserFirst-Hardware, so wouldn’t it be pointless to disable the AddTrust root?

  6. Gary Johnson Says:

    Thank you. I would rather be safe than sorry. I can always use the phone for a few days. I expected this sort of thing to happen. I also expected that Mozilla folks would take the lead on sorting this out. My vote, shut Comdo down. Its the only way these guys will learn

  7. Security Musings » Blog Archive » MD5 is really seriously broken this time Says:

    [...] Firefox – The instructions are for the Comodo certificate, but it’s the same thing. [...]

  8. hackademix.net ยป Putting SSL in Perspectives Says:

    [...] Ltd. from the Certstar Comodo reseller, no question asked. Of course, as a work-around, you could remove the offending CA root, but you must expect side effects (I discovered this breaks cleverbridge e-commerce back-ends, for [...]

  9. MD5 hash collision gets people worried about PKI | How2Pc Says:

    [...] Ltd. from the Certstar Comodo reseller, no question asked. Of course, as a work-around, you could remove the offending CA root, but you must expect side effects (I discovered this breaks cleverbridge e-commerce back-ends, for [...]

  10. Geronimo Says:

    Debian and Ubuntu users can run these commands to quit trusting certificates from Comodo, UserTrust and AddTrust:

    sudo sed -ri ‘/comodo|utn|addtrust/Is/^!*/!/’ /etc/ca-certificates.conf; sudo update-ca-certificates

  11. MD5 hash collision gets people worried about PKI | ieDevelopment.com Says:

    [...] Ltd. from the Certstar Comodo reseller, no question asked. Of course, as a work-around, you could remove the offending CA root, but you must expect side effects (I discovered this breaks cleverbridge e-commerce back-ends, for [...]

Leave a Reply