Corresponding ticket: #5766.

Tails should ship a (non-default) web browser profile that would not trust the CA cartel, but instead use some alternative, more agile and stronger trust system.

Candidates

  • Monkeysphere: #5763
  • Convergence: #6102
  • TACK
  • EFF's sovereign keys
  • Google's proposal

Criteria

  • beware of the browser fingerprint

Implementation

Iceweasel profile

We should now provide a second iceweasel profile with all root CAs disabled.

One way to do it would be to dpkg-divert libnssckbi.so by default, extract all the CAs from the original libnssckbi.so and stuff them into the "normal X.509 usage" profile's DB.

See also the mozilla/security/nss/lib/ckfw/builtins/README file in the nss package source tree (read online) to learn how to build a libnssckbi.so with a custom list of builtin CAs.

According to a blog post, certutil may be an adequate tool for the task:

    apt install libnss3-tools
    certutil -d $HOME/.mozilla/firefox/$HLAGHLLAGHGAAHLGALHHGHLAGH.default -A -n 'CA Cert Signing Authority - Root CA' -t CT,C,C -i /etc/ssl/certs/root.pem

What does not work is to disable this module for the no-CAs profile using:

modutil -dbdir PROFILE_DIR -disable "NSS Internal PKCS #11 Module"

The Freepto folks are working on wrappers around certutil:

It's also possible to use the cert_override.txt mechanism to add certificate exceptions.

Adding a CA can be done with an add-on. Presumably removing or distrusting one can too.