Reply to post: Re: Bye bye CNNIC

Hawk like an Egyptian: Google is HOPPING MAD over fake SSL certs

Michael Wojcik Silver badge

Re: Bye bye CNNIC

I'm surprised - there doesn't seem to be a Firefox extension for whitelisting CA certs, like a NoScript for PKI chains. I wonder if there's a technical reason for that (haven't looked at the Firefox add-on interface in a long time), or if it's simply that no one has written one.

It'd be annoying for the first little while, but I'm willing to be that pretty soon I'd have whitelisted all the CA certs I legitimately expect to see until the next update. And when a non-whitelisted root or intermediary comes up, the extension could do quick CRL and OCSP checks.

Maybe a project for my next holiday.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019