Mailing List Archive



Re: [tlug] firefox SSL certs



Darren Cook writes:

 > Now I'm wondering:
 >  1. Why two symbolic links got created, and one got moved, when the actual
 > certificates already existed. Is that normal behaviour after a minor
 > firefox update?

That sounds like something that is being done by some sort of
installer that is failing to clean up after itself.

 >  2. Why none of these files seem to belong to any package (at least
 > according to apt-file). Neither the *.o files nor the *.pem files.

Because package management systems are merely the best alternative
among an array of unsatisfactory solutions.  Cf. "trust" and
"democracy."  (PMSes do have the advantage that unlike that last one,
they've actually been tried in practice on a large scale. :-)

Gentoo and MacPorts both check for installation outside of DESTDIR,
and Gentoo will actually error ("sandbox error") if that happens.
(MacPorts just warns.)  These systems typically provide the certs in a
separate package (at least MacPorts does for curl's which are just a
convenience interface to Mozilla IIUC).  Maybe dpkg-based systems
don't do those things yet?

 > My third question is what would happen if I delete these new
 > symlinks?

I don't think anything will care if you delete the symlinks; both the
meaningless names and the .0 extension seem to indicate that they're
$TMP detritus of some sort.

 > What would happen if I deleted the *.pem files they point to? Would
 > it just mean an extra behind-the-scenes certificate download next
 > time I visit a site that needs it? (In other words is
 > /etc/ssl/certs just a cache directory?) Or would valid sites start
 > complaining when I browse them?

AFAIK those certs are all root authorities.  Those will not be
downloaded just because you browse a page, because those are the
ultimate control over who you trust without following the chain
yourself, and who you don't.  Of course what this means is that
ultimately you trust Mozilla ....

P2P trust networks are not the solution.  The <std_disclaimer> of
lawyers on the 'net applies here ("you are not my client and this is
not security advice").  Anybody who doesn't give you a warning of that
form, including family members, is not somebody you should trust.
(Family members of course go by different rules than a commercial
transaction, but there still needs to be a warning given.)
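As an added example that is not part of this thread (it is the editor's script, not the poster's, and it assumes `openssl` is in PATH), here is a small POSIX shell audit of a certificate directory such as /etc/ssl/certs. OpenSSL finds CA certificates in such a directory through links named `<subject-hash>.<n>`, so for each symlink the script reports whether the target exists, whether the target is a self-signed root, and whether the link name is the target's subject hash (a lookup link) or something else; that tells you what a link is for before deciding whether to delete it.

```shell
#!/bin/sh
# Added example, not from the thread: audit the symlinks in a certificate
# directory such as /etc/ssl/certs. OpenSSL locates CA certificates in
# such a directory through links named <subject-hash>.<n>, so a link whose
# name is the target's subject hash is a lookup link, not leftover junk.
# Assumes openssl is in PATH.

# 0 if the certificate is self-signed (issuer == subject, i.e. a root),
# 1 if not, 2 if the file is not a parseable certificate.
cert_is_root() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 2
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# 0 if the link's basename is <subject_hash>.<n> for the target certificate.
link_is_hash_name() {
    name=$(basename "$1")
    hash=$(openssl x509 -in "$2" -noout -subject_hash 2>/dev/null) || return 1
    case "$name" in
        "$hash".[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one word describing a symlink: dangling, not-a-cert,
# root-hash-link, root-other-link, non-root-hash-link, non-root-other-link.
classify_link() {
    link=$1
    target=$(readlink "$link")
    # Relative link targets are resolved against the link's own directory.
    case "$target" in /*) ;; *) target=$(dirname "$link")/$target ;; esac
    [ -f "$target" ] || { echo dangling; return 0; }
    if cert_is_root "$target"; then rc=0; else rc=$?; fi
    [ "$rc" -eq 2 ] && { echo not-a-cert; return 0; }
    if link_is_hash_name "$link" "$target"; then kind=hash-link; else kind=other-link; fi
    [ "$rc" -eq 0 ] && echo "root-$kind" || echo "non-root-$kind"
}

# Report every symlink in a directory, e.g. audit_cert_dir /etc/ssl/certs
audit_cert_dir() {
    for l in "$1"/*; do
        [ -L "$l" ] || continue
        printf '%s -> %s: %s\n' "$l" "$(readlink "$l")" "$(classify_link "$l")"
    done
}
```

A root whose link name is its subject hash is exactly what OpenSSL uses for lookups; a dangling or oddly named link is the one worth investigating.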



