K-Meleon Certificates List
Posted by: callahan
Date: October 23, 2015 09:34AM

I don't understand some things about a root or certificates list in a browser. I am using an older version of K-Meleon ... KM v1.8.24 (adodupan). I was wondering if I should be updating the certificates list?

I came across this information today with a list with today's date.


Mozilla Included CA Certificate List

https://wiki.mozilla.org/CA:IncludedCAs

Mozilla products ship with a default list of Certification Authority (CA) certificates.

https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport

CAs are parties who are trusted to attest to the identity of websites. Mozilla has a rigorous process for CAs to request inclusion of their certificates, the details of which are described in the following:

Mozilla Included CA Certificate List

As of October 23, 2015

... and there is the certificates list on that page.

So can a newer list be put into an older version of KM ... how would a person do that? ... or is there no need to do so, but I'm sure the older certificates list has expired certificates and maybe some harmful certificates. I don't know if this is something to be concerned about.
...



Edited 1 time(s). Last edit at 10/23/2015 09:35AM by callahan.

Re: K-Meleon Certificates List
Posted by: JohnHell
Date: October 23, 2015 09:53PM

It is all about trust. Who trusts whom? Do you trust the CAs? Do you trust Mozilla selecting the CAs for you?


Quote
callahan
I don't understand some things about a root or certificates list in a browser. I am using an older version of K-Meleon ... KM v1.8.24 (adodupan). I was wondering if I should be updating the certificates list?

You should, but there isn't actual harm in having outdated CAs*. When K-Meleon needs to verify the authenticity of a website certificate, it searches the local certificate database, and if the CA is not present, it will show you the very common error where you are presented with an option to add an exception. As an alternative to an exception, you could add the CA by going to the CA certificate repository website and importing it into the certificate database.

*When I said there is no actual harm, even if it is true, we have to remember that there have sometimes been attacks on CAs and the private key of the certificate has been stolen. When this happens, someone could create certificates based on a CA certificate, and that certificate will become untrusted, for example, by Mozilla.

In this case, having an old CA certificate is not a good idea, because you will be trusting harmful sites.


Quote
callahan
So can a newer list be put into an older version of KM ... how would a person do that? ... or is there no need to do so, but I'm sure the older certificates list has expired certificates and maybe some harmful certificates. I don't know if this is something to be concerned about.
...

If you don't want to use the latest K-Meleon versions, one way is to download the latest Firefox version, open it with 7-zip or similar, and extract the file nssckbi.dll into the root folder of K-Meleon, overwriting the original (after backing it up).

I just did this with the file from Firefox 41.0.2 and, for example, some old or untrusted CAs have disappeared.


EDIT: Looks like a lot of roots are missing in the process. Maybe this way is not a good idea. Lots of errors on websites.



Edited 2 time(s). Last edit at 10/23/2015 09:58PM by JohnHell.

Re: K-Meleon Certificates List
Posted by: callahan
Date: October 24, 2015 10:09AM

Thanks for the certificates information. I will be using a newer version of K-Meleon, been a little lazy on that ... I actually may download a version later today. I like the KM 1.8.24 for now since I have all my settings in place.

I will try the FF download idea that you mentioned ... I would still like to have v1.8.24 as a backup browser.

Again thanks and also for the Flash updates.

Additional ... yes you are correct about the website errors. I took a copy of the nssckbi.dll out of the latest Pale Moon update and put it into K-Meleon and some web pages work and many do not ... yet they all work just fine when I use Pale Moon v25.7.3 for Atom and WinXP.

I don't understand much about certificates.

OK ... I downloaded K-Meleon 75.1 and copied the nssckbi.dll from there and placed it in KM 1.8.24 and everything seems to work OK. So I guess I should have a newer nssckbi.dll in v1.8.24. I will work with the newer KM 75.1 later today.
...



Edited 2 time(s). Last edit at 10/24/2015 11:16AM by callahan.

Re: K-Meleon Certificates List
Posted by: JamesD
Date: October 24, 2015 11:36AM

As long as we are on the subject of certificates, I just saw this information from ZDNET.

http://www.zdnet.com/article/as-sha1-winds-down-sha2-leap-will-leave-millions-stranded/?tag=nl.e589&s_cid=e589&ttag=e589&ftag=TREc64629f

Re: K-Meleon Certificates List
Posted by: Yogi
Date: October 24, 2015 11:57AM


It will be interesting to watch Asia (especially China and India). It could become a trendsetter. Will people there move to Win10 or toward Linux?

Re: K-Meleon Certificates List
Posted by: callahan
Date: October 24, 2015 01:15PM

Holy cow ... now I got something else to worry about !!!

So I have just over two months to run out and buy a brand new computer ... or I can just sit tight and see what happens.

Should I be stocking up on food also ?

... anyway, thanks JamesD for the heads up, it was news to me ... I'm sticking with my XP computers and hope I can still get on the internet in January.

callahan

Re: K-Meleon Certificates List
Posted by: JohnHell
Date: October 24, 2015 06:45PM

XP supports up to SHA-512 (part of SHA-2), if I'm not wrong. Maybe more.

But keep in mind that Gecko browsers are system independent, so K-Meleon could be supporting other hash and/or cipher algorithms without problem.

In fact, I'm a living example of this issue under Windows 2000. I have higher security certificates installed in K-Meleon than those supported by Windows 2000 (and Internet Explorer) itself.



Edited 1 time(s). Last edit at 10/24/2015 06:45PM by JohnHell.

Re: K-Meleon Certificates List
Posted by: siria
Date: October 24, 2015 08:32PM

Just tried to use the dll from KM75.1 in KM1.6, but no luck: Errors, errors, errors,... And adding exceptions doesn't help :(

Luckily this site https://www.digicert.com/sha-2-compatibility.htm claims that Mozilla supports SHA2 since FF1.5!! KM1.6 has the engine from FF1.9.xx, so it should keep working, if it's system independent. I hope...

The bigger prob is probably that KM1.6 only supports SSL3 and TLS1.0. For 1-2 years I have had increasing glitches which send twitter, facebook etc. into frantic loading loops until they give up after a short while, and then https-pages can only be loaded again after a restart. But no idea what causes that exactly, and it also seems to happen rather randomly.




Re: K-Meleon Certificates List
Posted by: callahan
Date: October 24, 2015 11:07PM

I had the older JamesD K-Meleon v1.6 on my computer but did not try the newer dll from KM 75.1 with it. The newer dll from KM 75.1 does work OK in KM 1.8.24. I used it all day and there were no problems with any web site.

I have the newer version installed (KM 75.1) and it runs good so far ... still have settings to fix.

It says in the article link that Win XP SP3 should be OK with SHA-2 ... it sounds good from what I understand, which is very little.

Support for SHA-2 has improved over the last few years. Most browsers, platforms, mail clients, and mobile devices already support SHA-2. However, some older operating systems such as Windows XP pre-SP3 do not support SHA-2 encryption.
...

Re: K-Meleon Certificates List
Posted by: guenter
Date: October 25, 2015 08:31AM

Quote
callahan
...

I have the newer version installed (KM 75.1) and it runs good so far ... still have settings to fix.

It says in the article link that Win XP SP3 should be OK with SHA-2 ... it sounds good from what I understand, which is very little.

Support for SHA-2 has improved over the last few years. Most browsers, platforms, mail clients, and mobile devices already support SHA-2. However, some older operating systems such as Windows XP pre-SP3 do not support SHA-2 encryption.
...

1.) You can use the profile from 1.6 AFAIK. Most should work or migrate automatically. You only need some additional files/folders like skin... Passwords must be imported in 74 first and the resulting pwd file (sqlite?) can be used by 75. Described in the forum somewhere. 75 does not support the import any more.

2.) I do not know about SHA-2 on cellular phones etc.

From what I understand the XP SP3 requirement came for the Mozilla GRE (used by K-Meleon.org) because of Microsoft's compilers that do not support older Windows 32 systems.

If you need certain modern features (data size checking...) in your browser engine, you need a compiler that can build it into your software. And when the compiler vendor has its product's runtimes check whether certain (often unneeded) features are present on the target OS/system - or whether the system has a certain minimum OS version - then the resulting software will not work. The error is typically "XY import not found" or "system too old".

I transfer this opinion from what I know about Kernel Extenders for Win 98 and Win 2000 and about compiling Mozilla sources myself.

I do not know for certain but rather doubt that the older Windows 32 systems have anything to do with using SHA-2. IMHO it is the modern browser that does it alone.
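
The two properties this thread keeps returning to, whether a certificate has expired and whether it is signed with SHA-1 or SHA-2, can be read directly from a certificate exported from the browser's certificate manager in DER form. The following is an added example, not part of the original posts: `audit` and `sample` are hypothetical names, only two RSA signature OIDs are recognised (anything else reports as "other"), and `sample` builds a constructed skeleton rather than a real certificate.

```python
import hashlib
from datetime import datetime, timezone

# DER-encoded signature-algorithm OIDs worth telling apart here.
SIG_OIDS = {bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
            bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:  # UTCTime has a two-digit year; 50-99 means 19xx (RFC 5280)
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def audit(der, now):
    """Report fingerprint, signature algorithm and expiry of one certificate."""
    tbs = children(children(read_tlv(der, 0)[1])[0][1])
    if tbs[0][0] == 0xA0:  # optional explicit [0] version field
        tbs = tbs[1:]
    not_after = parse_time(*children(tbs[3][1])[1])
    return {"sha256": hashlib.sha256(der).hexdigest(),
            "sig_alg": SIG_OIDS.get(children(tbs[1][1])[0][1], "other"),
            "not_after": not_after, "expired": not_after < now}

def _der(tag, *parts):  # encoder for the constructed sample only (< 128 bytes)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample(oid_hex, not_after):
    """Constructed certificate skeleton (empty names, no key), not a real cert."""
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)), _der(0x05))
    validity = _der(0x30, _der(0x17, b"050101000000Z"), _der(0x17, not_after))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),
               alg, _der(0x30), validity, _der(0x30))
    return _der(0x30, tbs, alg, _der(0x03, b"\x00"))
```

To check an exported certificate, pass the file's bytes and the current UTC time to `audit`; the `sha256` value can be compared against the fingerprint shown in the browser's certificate viewer.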
