# [Solved] DigiNotar still trusted by chromium-13.0.782.220

## jchau

I upgraded to www-client/chromium-13.0.782.220 back on September 5th, 2011.  According to bug 381713, DigiNotar certificates should be blacklisted in =www-client/chromium-13.0.782.220.  However, checking Chromium's Certificate Manager today, I noticed that "DigiNotar Root CA" is still listed in the "Authorities" tab.  Furthermore, it was trusted with the following trust settings checked:

Trust this certificate for identifying websites.
Trust this certificate for identifying software makers.

Worse, there doesn't appear to be any way (that I know of) of deleting this certificate from the list of authorities; the "Delete..." button is grayed out.  

For now, I unchecked the trust settings, but I still have questions:

Does www-client/chromium-13.0.782.220 actually blacklist DigiNotar's certificates or have I been vulnerable?

If www-client/chromium-13.0.782.220 did blacklist DigiNotar's certificates, what mechanism was used to do so and why did DigiNotar's certificate still show up in the list of Authorities (with the above trust settings)?

If www-client/chromium-13.0.782.220 did not blacklist DigiNotar's certificates, is unchecking those trust settings sufficient to protect myself?  If not, what other steps should I take to protect myself?

Am I the only one that's still seeing DigiNotar's certificate after the update or is this expected/are there other people seeing the certificate?

Where does Chromium store its database of certificates?  Are they part of the Chromium package or does Chromium use the system's?  (I know I add my own certificates to "$HOME/.pki/nssdb", but I didn't see DigiNotar's certificate there.  I don't see any DigiNotar certificates in /etc/ssl/certs/ either.)

Thanks.  (I was thinking of filing another bug report, but I wanted to make sure I'm not overreacting first.)

Last edited by jchau on Sat Sep 17, 2011 4:35 am; edited 1 time in total

----------

## floppymaster

I actually had the same questions when I filed the security bug for this. The following link has a list of sites that use Diginotar certs you can test.

http://www.io101.org/blog/howto/check-untrust-disable-diginotar-https-ssl-root-ca-certificate-mac-os/

Although Diginotar still appears in Chromium's cert database, it appears to have been blacklisted through some means I have not been able to determine. If you manage to figure it out, please let me know!

----------

## floppymaster

Code search to the rescue! Basically, Chromium has a special method called X509Certificate::IsPublicKeyBlacklisted which checks to see if a certificate was signed by Diginotar.

http://codesearch.google.com/codesearch#OAMlx_jo-ck/src/net/base/x509_certificate.cc&type=cs&l=959
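As an added illustration (not Chromium's code and not from the poster), the shape of a public-key blacklist check like the one the linked IsPublicKeyBlacklisted performs: the hash of each certificate's public key is compared against a list in a step separate from the trust-store lookup, which is why a root can still appear as trusted in the Certificate Manager while every chain it signs is rejected. The SPKI bytes, subject names and the use of SHA-256 are constructed assumptions; Chromium's actual hash algorithm and blacklist contents are not reproduced here.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the fields this check needs."""
    subject: str
    issuer: str
    spki_der: bytes  # DER-encoded SubjectPublicKeyInfo (constructed sample bytes below)


def spki_fingerprint(spki_der: bytes) -> str:
    """Hash the public key, not the certificate, so re-issuing under the same key does not evade the list."""
    return hashlib.sha256(spki_der).hexdigest()


# Constructed placeholder key material; a real SPKI is a few hundred bytes of DER.
DIGINOTAR_ROOT_SPKI = b"\x30\x82\x01\x22CONSTRUCTED-DIGINOTAR-ROOT-KEY"
OTHER_ROOT_SPKI = b"\x30\x82\x01\x22CONSTRUCTED-OTHER-ROOT-KEY"
LEAF_SPKI = b"\x30\x82\x01\x22CONSTRUCTED-LEAF-KEY"

# Blacklist keyed by public-key hash; it knows nothing about what the trust store lists.
BLACKLISTED_SPKI = frozenset({spki_fingerprint(DIGINOTAR_ROOT_SPKI)})


def find_blacklisted(chain: Iterable[Cert], blacklist=BLACKLISTED_SPKI) -> Optional[str]:
    """Return the subject of the first chain element whose key is blacklisted, else None.
    Every element is checked, so a blacklisted root or intermediate poisons the whole chain."""
    for cert in chain:
        if spki_fingerprint(cert.spki_der) in blacklist:
            return cert.subject
    return None


def verify_chain(chain: List[Cert], trust_anchors: Set[str]) -> str:
    """Trust-store lookup and key blacklist are independent steps: the store can say
    'trusted' (as the Certificate Manager UI shows) while the key hash says 'reject'."""
    if chain[-1].subject not in trust_anchors:
        return "ERR_UNTRUSTED_ROOT"
    hit = find_blacklisted(chain)
    if hit is not None:
        return "ERR_BLACKLISTED_KEY:" + hit
    return "OK"


# The situation in the thread: DigiNotar Root CA is still present and trusted in the store.
TRUST_ANCHORS = {"DigiNotar Root CA", "Other Root CA"}
DIGINOTAR_CHAIN = [Cert("www.example.nl", "DigiNotar Root CA", LEAF_SPKI),
                   Cert("DigiNotar Root CA", "DigiNotar Root CA", DIGINOTAR_ROOT_SPKI)]
CLEAN_CHAIN = [Cert("www.example.org", "Other Root CA", LEAF_SPKI),
               Cert("Other Root CA", "Other Root CA", OTHER_ROOT_SPKI)]

if __name__ == "__main__":
    print(verify_chain(DIGINOTAR_CHAIN, TRUST_ANCHORS))  # ERR_BLACKLISTED_KEY:DigiNotar Root CA
    print(verify_chain(CLEAN_CHAIN, TRUST_ANCHORS))      # OK
```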

----------

## jchau

Thank you.

----------