What Trusted Root Certification Authorities should I trust?

After two recent Slashdot articles (#1 #2) about questionable Root Certificates installed on machines, I decided to take a closer look at what I have installed on my machines.
(I use current versions of Chrome on Win7, which I understand uses the Windows list of CAs)

What I found really surprised me.

  • Two relatively clean machines had vastly different lists of CAs.
  • Each had a number of CAs that had expired in 1999 and 2004!
  • The identity of many of the CAs is not easy to understand.

I also saw that many certificates expire in 2037, shortly before the UNIX-rollover, presumably to avoid any currently unknown Y2K38-type bugs. But other certs are good for much longer.

I searched around, but, somewhat surprisingly, couldn't find a canonical list of which CAs are generally accepted.

  • If I had a MITM rogue cert on my machine, how would I even know?
  • Does a list of "accepted" certs exist?
  • Am I safe in removing the expired CAs?
  • Can I know if/when I have ever used a CA for HTTPS?

abelenky

Posted 2014-03-10T15:24:52.660

Reputation: 771

All excellent questions. You may think about searching some security.stackexchange.com posts

– Rich Homolka – 2014-03-10T18:52:22.340

Answers

If I had a MITM rogue cert on my machine, how would I even know?

You often wouldn't. In fact, this is often how SysAdmins snoop the HTTPS sessions of employees: they quietly push out a trusted cert to all desktops, and that trusted cert allows an intermediate proxy to MITM scan content without alerting the end users. (Look up "push out CA for https proxy group policy" - ran out of links with my low reputation!)

Does a list of "accepted" certs exist?

There are a few, generally the default list of certs on stock operating system installations. However, there are ALSO hardcoded lists of CAs in certain browsers (e.g., http://mxr.mozilla.org/mozilla-central/source/security/certverifier/ExtendedValidation.cpp) to support Extended Validation ("green bars"), but EV lists also vary (e.g., http://www.digicert.com/ssl-support/code-to-enable-green-bar.htm).

Am I safe in removing the expired CAs?

Generally, yes...if all you're doing is surfing web sites. However, you may run into other issues running certain signing applications.

Can I know if/when I have ever used a CA for HTTPS?

Hmmmm...sounds like an app that needs a-writing. ;)

user309526

Posted 2014-03-10T15:24:52.660

Reputation: 41
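An added example (not from either poster) of the kind of audit the question asks for on a Windows machine: it lists expired roots, flags roots that only the current user trusts, and diffs the store against a baseline saved on a known-good day so newly added roots stand out. The baseline path is an assumption; the two `Cert:` store paths are the standard Windows ones.

```powershell
# Added example: audit the Windows trusted root stores.
$BaselinePath = "$env:USERPROFILE\trusted-roots-baseline.csv"   # assumed location, change freely
$Now = Get-Date

# Both stores matter: machine-wide roots and roots pushed into the current user's profile.
$Roots = foreach ($Store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $Store | ForEach-Object {
        [pscustomobject]@{
            Store      = $Store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint     # SHA-1 fingerprint; a stable identity for comparisons
            SelfSigned = ($_.Subject -eq $_.Issuer)
        }
    }
}

# 1. Expired roots (the 1999/2004 entries the question mentions).
$Expired = $Roots | Where-Object { $_.NotAfter -lt $Now }
"Expired roots: $($Expired.Count)"
$Expired | Sort-Object NotAfter | Format-Table Store, NotAfter, Subject -AutoSize

# 2. Roots trusted only by the current user profile. A per-user root needs no
#    admin rights to install, so it is worth reviewing separately.
$MachinePrints = ($Roots | Where-Object Store -eq 'Cert:\LocalMachine\Root').Thumbprint
$UserOnly = $Roots | Where-Object {
    $_.Store -eq 'Cert:\CurrentUser\Root' -and $_.Thumbprint -notin $MachinePrints
}
"Roots trusted only by the current user: $($UserOnly.Count)"
$UserOnly | Format-Table NotAfter, Subject -AutoSize

# 3. Diff against a baseline recorded on a known-good day; create one if missing.
if (Test-Path $BaselinePath) {
    $Baseline = Import-Csv -Path $BaselinePath
    $Added = Compare-Object -ReferenceObject $Baseline -DifferenceObject $Roots `
                 -Property Thumbprint -PassThru | Where-Object SideIndicator -eq '=>'
    "Roots added since baseline: $($Added.Count)"
    $Added | Format-Table Store, NotAfter, Subject -AutoSize
} else {
    $Roots | Export-Csv -Path $BaselinePath -NoTypeInformation
    "No baseline found; wrote the current root list to $BaselinePath"
}
```

Run it once on a freshly installed machine to record the baseline, then rerun periodically; Chrome on Windows consults these same stores, so anything that shows up under "added since baseline" is what a browser would silently trust.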