Why do I have untrusted certificates for Google, Yahoo, Mozilla and others?

linux google-chrome security ssl certificate
7,087

This is a good thing. Those certificates were revoked, often because someone applied for/acquired a certificate (private key) for an entity they don't own, which can be used for impersonation. The revoked certificate list on your system basically tells your system not to trust these certificates.

Certificates are often used to identify the website, which relies on the issuer not issuing it to someone else. Those certificates in your screenshot were listed as fraudulent or untrusted because the issuer made a mistake and must tell everyone not to trust the certificate they already signed. Occasionally, the group that created the trusted list (e.g. your OS/browser developers) may manually add certificates to the untrusted list, possibly if the issuer takes too long to do so.

See for more info: Public key certificate and Revocation lists

enter image description here

enter image description here

enter image description here

Share:
7,087

Related videos on Youtube

jackweirdy
Author by

jackweirdy

Updated on September 18, 2022

Comments

  • jackweirdy
    jackweirdy over 1 year

    In the HTTPS/SSL section of chrome://chrome/settings, I see the following: Certificate Manager What does this mean, and is there something wrong?

    I have a basic understanding of SSL/TLS - I'm not claiming to be completely familiar, but I'm fairly confident I know my way around it - but I don't understand why I have certificates installed on my machine specifically for these sites.

    From my understanding, I should have the certificates for Certificate Authorities, and any site I visit and use SSL/TLS should have a certificate signed by one of these trusted CAs for me to trust the site.

    My worry is that if someone has maliciously installed a certificate for these sites on my machine, they could perform a DNS spoofing attack (or a number of other attacks) to hijack my connection to my email account without me knowing, and as they've got the private counterpart to the certificate on my machine, decrypt the communication.

    NB: I'm also aware that CA certificates aren't just within Chromium and are used system wide as part of libssl - they're stored in /etc/ssl/certs.

    What I'd like to know is:

    • Is this correct? - The big red boxes make me think no
    • Is this malicious or benign?
    • What can I do to resolve this problem? (If indeed it is a problem)

    Thanks :)

    • Paul
      Paul over 11 years
      If you check the CA for each cert, you can check in the Authorities tab to see if you have matching CA cert. Addons.mozilla.org should be Verisign, it is weird how it is listed under Google Ltd
    • Canadian Luke
      Canadian Luke over 11 years
      What is your clock set at?
  • jackweirdy
    jackweirdy over 11 years
    Thanks! I've heard of revocation lists and expiry before but I guess I didn't put 2+2 together :)
  • tvdo
    tvdo over 11 years
    @jackweirdy You also appear to be looking at the servers list, which would only list server specific certificates - i.e. those you manually add as (un)trusted, or those on a CRL. The authorities list (in the other tab) probably lists root and intermediate CAs. Most sites would use a certificate from a common CA, rather than requiring users to manually add a certificate to their trusted list. I'm not sure about Chrome, but when a certificate cannot be validated in FF I have the option of temporarily accepting it or permanently adding an 'exception', which means adding it to a trusted list.
  • jackweirdy
    jackweirdy over 11 years
    I understood the concept of CAs; I was just surprised to see entries for specific servers :) Chrome & Chromium warn you that the certificate is invalid/self signed and let you decide what to do :)

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Why do some websites change SSL certificates so frequently?
How do I remove security certificate exceptions from Google Chrome?
Add permanent SSL certificate exception in Chrome (Linux)
"Private key is missing or invalid when importing a certificate" in Google Chrome
StartSSL cert doesn't work with Dovecot/OpenSMTPD
How to always allow insecure connection for a certain url in chrome?
How to know which Certificates to leave in my browser, and which to remove
When you use 'badidea' or 'thisisunsafe' to bypass a Chrome certificate/HSTS error, does it only apply for the current site?
Error while creating self-signed SSL certificate
Chrome Certificate Selection appears multiple times