In a sub-continuation of Laura’s earlier article describing the now broken state of MD5 hashes, I’d like to provide a more concise one-stop-shop on how to distrust a CA in the event that this threat becomes more of an attacking reality.

Firefox / Thunderbird

1. In the Menu Bar select “Tools”
2. Select “Options”
3. Select “Advanced” tab
4. Click “View Certificates”
5. Select the “Authorities” tab
6. Select the CA that you would like to distrust “Equifax Secure Global eBusiness CA-1″ in this scenario.
7. Select “Edit” button
8. Uncheck all three areas of trust
9. Select “OK” and exit out, or repeat for any other CAs you would like to distrust

Firefox Certificate List

Firefox Certificate Trust Options

Internet Explorer 7

1. Select “Tools” in the Menu Bar*
2. Select “Internet Options”
3. Select the “Content” tab
4. Select the “Certificates” button
5. Select the “Trusted Root Certificate Authorities” tab
6. Select the CA that you would like to distrust “Equifax Secure Global eBusiness CA-1″ in this scenario.
7. Select the “Advanced” button
8. Uncheck all trust options
9. Select “OK” and exit out, or repeat for any other CAs you would like to distrust

IE7 Certificate List

IE7 Certificate Trust Options

*To make IE7’s Menu Bar visible you need to right click in an empty area in any of the other “bar” areas, this is best done to the right of the current page tab. Then select “Menu Bar” from the drop down.

Making IE7 Menu Bar visible

OS X – Keychain

1. Go to Applications
2. Select Utilities
3. Select Keychain Access
4. Double click the CA in X509Anchors (Tiger) or System Roots (Leopard)
5. In the “Trusts” section, change the trust to “Never Trust”

OS X Keychain Trust Options

For a better guide on accessing OS X items please refer to Laura’s original posting as I don’t have updated screenshots (She’s got the only Mac in-house).

Now you should be able to keep tabs on what trusts are being granted to each CA. In general, you should monitor what trusts you are allowing on your CAs anyway, but with the recent events of the MD5 collapse, it only helps to be a little more proactive.

Each Tuesday, Security Musings features a topic to help educate our readers about security.  For more information about Gemini Security Solutions’ security education capabilities, contact us!

This entry was posted on Tuesday, December 30th, 2008 at 2:18 pm by Tim Donaworth and is filed under Tutorial Tuesday. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.