<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="chrome=1">
<title>How to distrust CloudFlare Universal SSL by selecadm</title>
<link rel="stylesheet" href="/stylesheets/styles.css">
<link rel="stylesheet" href="/stylesheets/github-light.css">
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
<!--[if lt IE 9]>
<script src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
</head>
<body>
<div class="wrapper">
<header>
<h1>How to distrust CloudFlare Universal SSL</h1>
<p>by Adm Selec</p>
<p class="view"><a href="https://github.com/selecadm">View My GitHub Profile</a></p>
</header>
<section>
<p><b>17 October 2015</b></p>
<p>Certificates for CloudFlare Universal SSL are issued from the following intermediates:</p>
<p>COMODO ECC Domain Validation Secure Server CA 2<br>
COMODO RSA Domain Validation Secure Server CA 2<br>
COMODO Domain Validation Secure Server CA 2<br>
GlobalSign Organization Validation CA - G2</p>
<p>The first three are believed to be used for CloudFlare Universal SSL exclusively, hence it is safe to distrust them.</p>
<p>COMODO ECC Domain Validation Secure Server CA 2<br>
<a href="/static/certificates/cloudflare/ComodoECCDomainValidationSecureServerCA2.crt">PEM Base64</a></p>
<p>COMODO RSA Domain Validation Secure Server CA 2<br>
<a href="/static/certificates/cloudflare/ComodoRSADomainValidationSecureServerCA2.crt">PEM Base64</a></p>
<p>COMODO Domain Validation Secure Server CA 2<br>
<a href="/static/certificates/cloudflare/ComodoDomainValidationSecureServerCA2.crt">PEM Base64</a></p>
<p>How to distrust intermediates on Windows, affecting Internet Explorer and Chromium-based browsers:<br>
1. Download and open the certificate<br>
2. "Install Certificate…"<br>
3. Next, "Place all certificates in the following store" -> Intermediate Certification Authorities, OK, Next, OK<br>
4. Run certmgr.msc<br>
5. Go to "Intermediate Certification Authorities"<br>
6. Locate the certificate, right-click, Properties<br>
7. "Disable all purposes for this certificate", OK<br></p>
<p>Is it possible to do the same with Firefox?<br><br>
Below are the bugs regarding the (in)ability to distrust an intermediate:<br>
<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=585352">Bug 585352 - Certificate Manager misleads users into thinking that they can distrust CAs and/or intermediates</a><br>
<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=642503">Bug 642503 - Generic blacklisting mechanism for bogus certs (NSS trust module)</a><br>
<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=646205">Bug 646205 - Unable to mark intermediate CA certificate as untrusted</a></p>
<p>How to verify that the intermediates are distrusted?<br><br>
Using Internet Explorer or a Chromium-based browser, try to open the sites below (as of 17 October 2015):<br>
<a href="https://certificate.revocationcheck.com/">https://certificate.revocationcheck.com/</a> (for testing <i>COMODO ECC Domain Validation Secure Server CA 2</i>)<br>
<a href="https://qwintry.com/">https://qwintry.com/</a> (for testing <i>COMODO Domain Validation Secure Server CA 2</i>)</p>
<p>Will this affect my daily internet routine?<br><br>
From my experience, yes. As of 31 October 2015, the sites I have encountered:<br>
https://certlogik.com/<br>
https://ssldecoder.org/<br>
https://unmitigatedrisk.com/<br>
https://habracdn.net/ (switched to <i>GlobalSign Organization Validation CA - G2</i>)<br>
https://certcentrehq.com/<br>
https://jekyllrb.com/<br>
https://certificate.revocationcheck.com/<br>
https://www.odoo.com/<br>
https://odoocdn.com/<br>
https://samsclass.info/<br>
https://slack.certly.io/<br>
https://qwintry.com/<br>
https://blog.certly.io/<br>
https://www.404techsupport.com/<br>
https://sheharyar.me/<br>
https://blog.keanulee.com/<br>
https://www.benburwell.com/<br>
https://www.opensecrets.org/<br>
https://hedgehogs.lv/<br>
https://ondrek.com/<br>
https://rck.ms/<br>
https://cantheyseemydick.com/<br>
https://img.4plebs.org/<br>
https://fud.io/<br>
https://cdn.englishforums.com/<br>
https://blog.squarelemon.com/<br>
https://2ip.ru/ (dropped CloudFlare)<br>
https://www.wireshark.org/<br>
https://www.expertbail.com/<br>
https://kyliehunt.com/<br>
https://avatars.discourse.org/<br>
https://www.reasoncoresecurity.com/<br>
https://nathany.com/<br>
https://istlsfastyet.com/<br>
https://ian.sh/<br>
https://whoisology.com/<br>
https://yeeti.com/<br>
https://code.highcharts.com/<br>
https://www.highcharts.com/<br>
https://remaintenance.io/<br>
https://regmedia.co.uk/<br>
https://en.bitcoin.it/<br>
https://monitter.com/<br>
https://paul.reviews/<br>
https://assets.econsultancy.com/<br>
https://hsto.org/<br>
https://surfeasy.com/<br>
https://www.howtoforge.com/<br>
https://techhelplist.com/</p>
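<p>To find out in advance which of your own frequently visited sites would break, you can check who issued each site's certificate. The script below is an added example, not part of the original article: the function names and sample dictionaries are constructed for illustration, and only the three issuer names come from the list above.</p>

```python
import socket
import ssl

# Issuer common names of the three intermediates listed in this article.
DISTRUSTED_ISSUER_CNS = frozenset({
    "COMODO ECC Domain Validation Secure Server CA 2",
    "COMODO RSA Domain Validation Secure Server CA 2",
    "COMODO Domain Validation Secure Server CA 2",
})

# Constructed samples shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_AFFECTED = {"issuer": ((("countryName", "GB"),),
    (("commonName", "COMODO ECC Domain Validation Secure Server CA 2"),))}
SAMPLE_OTHER = {"issuer": ((("countryName", "BE"),),
    (("commonName", "GlobalSign Organization Validation CA - G2"),))}


def issuer_common_name(cert):
    """Return the issuer commonName from a getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def is_affected(cert):
    """True if the leaf was issued directly by a listed intermediate."""
    return issuer_common_name(cert) in DISTRUSTED_ISSUER_CNS


def fetch_leaf_cert(host, port=443, timeout=10):
    """Fetch the server certificate, validated by Python's default trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(hosts, fetch=fetch_leaf_cert):
    """Map each host to 'affected', 'unaffected' or 'error: ExceptionName'."""
    report = {}
    for host in hosts:
        try:
            report[host] = "affected" if is_affected(fetch(host)) else "unaffected"
        except OSError as exc:  # covers ssl.SSLError, DNS and timeout failures
            report[host] = "error: " + type(exc).__name__
    return report
```

<p>Call <code>audit(["example.org"])</code> with your own host names. The script only reports which intermediate signed each leaf certificate; whether Windows actually rejects the intermediate is still confirmed with the browser test above.</p>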
<p>This article is going to be updated.</p>
</section>
<footer>
<p><small>Hosted on GitHub Pages — Theme by <a href="https://github.com/orderedlist">orderedlist</a></small></p>
</footer>
</div>
<script src="/javascripts/scale.fix.js"></script>
</body>
</html>