DigitalRadar

Jan 12 2009

It is not easy to remove MD5 certs from Firefox v3

For the past few weeks, since the disclosure that SSL certs signed with an MD5 hash are no longer secure, I have been trying to remove these certs from some browsers manually, and the results are pretty different from browser to browser.

The Firefox built-in certs are found to be almost impossible to remove, if it is possible in the first place. To date I have not come across any how-to guide for removing them.

And there is a fear, perhaps unfounded, that removing these certs will break certain web applications. So far, I have not encountered any broken application on any of the three browsers I am experimenting with, that is, IE7, FF3 and Chrome.

If removing these certs is so damn difficult for someone with a technical background, can you imagine leaving this to a layman? It’s close to impossible for them to know where to begin in the first place.

I would love to see the day when I can subscribe to a service that provides a “hardened” browser that is totally (or almost) immune from all this hassle of security issues, where one can surf the Net safely with no fear of XSS attacks, SSL impersonation, malware downloads, etc.

The financial industry will surely benefit from this, since it will encourage more people to do online transactions securely and safely. This will be the day I look forward to.
