
Re: Open then gates



On Sat, 2010-05-15 at 02:55 +0200, Christoph Anton Mitterer wrote:
> - Many packages ship with configuration that is either really insecure
> or that could be at least hardened a lot.
Another nice (IMHO) example is the X.509 certificates that are shipped by
default in several places (Mozilla NSS, ca-certificates).

By default all of them are enabled... right?
Mozilla recently proved that they are not really able to manage their
cert store... given the fact that they didn't even know where a
root-cert came from and who has control over it.

And personally, I really do _not_ trust some of the CAs which are
included/enabled by default.

I guess some Chinese blogger should, for example, definitely disable the
CNNIC root-CA when they log in to their Google/etc Mail account...


Cheers,
Chris.
