Amidst Rogue SSL Certs, Your Nokia Smartphones Are Safe.

Unless you live under a rock or similar stalagmite, you'd know that DigiNotar was popped and over 500 possibly forged SSL certificates are out there. Why should you care? Well, since you're using a Nokia S40, S60 3rd/5th, Symbian^3, Symbian Anna or Symbian Belle smartphone - you don't actually need to.

After reviewing at least 2 devices from each platform listed above, I've come to the conclusion that the only Nokia smartphones that ship with revoked CA certificates baked in are the N900, N950 and N9. Unfortunately, the N950 and N9 have both Comodo and DigiNotar CA certs included. The N9 is yet to be released - hopefully somebody from Nokia can look at the possibility of having these removed or blacklisting the invalid certificates that were issued, before launching the N9.

 

Symbian, Maemo and MeeGo/Harmattan currently have an extremely easy way of removing top level CA certificates. You delete them manually through the certificate interface or you drop into a root shell and issue 'rm /etc/certs/common-ca/8868bfe08e35c43b386b62f7283b8481c80cd74d.pem' on the N900 or N950. Manually removing the certs without updating the Trusted Root Store may cause problems; as root issue "cmcli -c common-ca -r 8868bfe08e35c43b386b62f7283b8481c80cd74d" to do it the "proper" way.

On Windows Phone 7? If it's baked in, you have no choice. If it's added afterwards? You have to completely factory reset the device.
 
While regular iOS, Android and Windows Phone 7 users have to wait for updates to be pushed by Apple, Google and Microsoft (unless jailbroken or rooted), those loyal Nokia users can rest assured that their devices are a smidgen more resilient to MiTM attacks (using the compromised certs).