As a follow-up to Laura’s earlier article describing the now broken state of MD5 hashes, I’d like to provide a more concise one-stop shop on how to distrust a CA in the event that this threat becomes a practical attack.

Firefox / Thunderbird

  1. In the Menu Bar select “Tools”
  2. Select “Options”
  3. Select “Advanced” tab
  4. Click “View Certificates”
  5. Select the “Authorities” tab
  6. Select the CA that you would like to distrust (“Equifax Secure Global eBusiness CA-1” in this scenario)
  7. Select the “Edit” button
  8. Uncheck all three areas of trust
  9. Select “OK” and exit out, or repeat for any other CAs you would like to distrust
Firefox Certificate List
Firefox Certificate Trust Options

Internet Explorer 7

  1. Select “Tools” in the Menu Bar*
  2. Select “Internet Options”
  3. Select the “Content” tab
  4. Select the “Certificates” button
  5. Select the “Trusted Root Certificate Authorities” tab
  6. Select the CA that you would like to distrust (“Equifax Secure Global eBusiness CA-1” in this scenario)
  7. Select the “Advanced” button
  8. Uncheck all trust options
  9. Select “OK” and exit out, or repeat for any other CAs you would like to distrust
IE7 Certificate List
IE7 Certificate Trust Options

*To make IE7’s Menu Bar visible, right-click in an empty area in any of the other “bar” areas; this is best done to the right of the current page tab. Then select “Menu Bar” from the drop-down.

Making IE7 Menu Bar visible

OS X – Keychain

  1. Go to Applications
  2. Select Utilities
  3. Select Keychain Access
  4. Double click the CA in X509Anchors (Tiger) or System Roots (Leopard)
  5. In the “Trusts” section, change the trust to “Never Trust”
OS X Keychain Trust Options

For a better guide on accessing OS X items please refer to Laura’s original posting as I don’t have updated screenshots (She’s got the only Mac in-house).

Now you should be able to keep tabs on what trusts are being granted to each CA. In general, you should monitor what trusts you are allowing on your CAs anyway, but with the recent events of the MD5 collapse, it only helps to be a little more proactive.
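To keep tabs on the Firefox / Thunderbird trust settings without clicking through the dialog, the sketch below (an added example, not part of the original post) parses a trust listing and reports which CAs you meant to distrust still carry any of the three trust areas. It assumes the listing comes from NSS `certutil -L -d <profile directory>`; the sample listing is constructed, and the two "Example" nicknames are made up.

```python
import re

# The three trust areas, in the column order of the listing.
PURPOSES = ("web sites (SSL)", "mail (S/MIME)", "software (code signing)")

# Constructed sample in the layout printed by NSS `certutil -L`.
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Equifax Secure Global eBusiness CA-1                         ,,
Example Root CA (constructed)                                CT,C,C
Example Mail CA (constructed)                                ,C,
"""

# A data row is: nickname, two or more spaces, three comma-separated flag groups.
ROW = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_trust(listing):
    """Return {nickname: [trust areas in which the cert is a trusted CA]}."""
    result = {}
    for line in listing.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or blank line
        flags = m.group("trust").split(",")
        # 'C' = trusted CA for server certs, 'T' = trusted CA for client certs.
        result[m.group("nick")] = [
            area for area, f in zip(PURPOSES, flags) if "C" in f or "T" in f
        ]
    return result


def audit(listing, distrusted):
    """Return (CAs that still carry trust, CAs not found in the listing)."""
    trust = parse_trust(listing)
    violations = {n: trust[n] for n in distrusted if trust.get(n)}
    missing = [n for n in distrusted if n not in trust]
    return violations, missing


if __name__ == "__main__":
    bad, missing = audit(SAMPLE, ["Equifax Secure Global eBusiness CA-1"])
    print("still trusted:", bad, "| not in listing:", missing)
```

A CA reported as not in the listing has no trust record in that listing and should be checked by hand in the certificate dialog.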

Each Tuesday, Security Musings features a topic to help educate our readers about security.  For more information about Gemini Security Solutions’ security education capabilities, contact us!