30 days with (almost) no trusted CAs


I’ve decided to embark on a small project to determine the smallest set of trusted root certificates I need in my day-to-day life. I have disabled all trusted CAs in both IE and Firefox and will enable the needed root certificates as I go. So far I’ve spent a week on this and have about 10 certificates, 3 of which were needed because I needed to pay my bills : ).

I will run in this mode for 30 days, at the end of which I will report how many root certificates I had to enable to allow me to go through life. In the meantime, I am tweeting every time I need to enable a CA along with the site that needed it.

It is a fun ride so far, so let’s see where it is going to take me.


14 Responses to “30 days with (almost) no trusted CAs”

  1. John Says:

    I wanted to follow you in Twitter to see what cert-walls you hit, but I cannot figure out your twitter handle. Is this posted somewhere? My twitter handle is johndthomas.

  2. Nasko Says:

    I am @naskooskov on twitter. Feel free to follow.

  3. Ron B Says:

    Heard about your blog on the Security Now TWIT podcast… Can’t wait to hear the results from this CA reduction. Thanks!

  4. Problems Says:

    I’ve followed your directions for disabling my CAs in Firefox and only enabling the ones that I need. But I’ve run into a problem. When trying to download and install add-ons in FF (particularly NoScript) the installation fails because the cert cannot be verified. That’s fine, but I can’t seem to find anywhere to view what cert is being used to verify the installation in the first place! Any help?

  5. Nasko Says:

    You need to enable the following root cert:

    Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    SHA1 fingerprint: D23209AD23D314232174E40D7F9D62139786633A

    You can grab the certificate details using Wireshark. If you don’t know how to do it, let me know and I will do a small writeup.
    For sites that you visit through Firefox, you can look at the certificate details, but the addons browser doesn’t surface this detail and just fails.

  6. Problem Says:

    A wireshark write up would be great. And thanks for the reply, that fixed the problem.

  7. Sean OBrien Says:

    My Equifax Secure Certificate Authority Cert has an MD5 hash in the fingerprint, but not in the Firefox details window.

    Should I delete it and get a new one?

  8. Nasko Says:

    Sean,
    Are you looking at it through the certificate manager in Firefox? It should have both SHA1 and MD5 hashes listed.
    The MD5 hash I have for it is 67cb9dc013248a829bb2171ed11becd4.

  9. Sean OBrien Says:

    I thought we were supposed to delete all certificates which used the MD5 hash, because it was compromised. Is that the same thing as having an MD5 hash fingerprint?

  10. Nasko Says:

    To answer your question, no, it is not the same.
    MD5 is a hash algorithm. It can be used as a building block to do digital signatures. Certificates that are signed utilizing MD5 are the ones that could be considered unsafe. The MD5 hash of the certificate itself is just an easy way to identify it, just like the SHA1 hash. Windows uses the SHA1 hash as the “thumbprint” and Firefox shows you both SHA1 and MD5 in the certificate screen.
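    To make the distinction in the reply above concrete, here is an added example (not from the post or its comments) using only Python’s standard library: it computes the SHA1 and MD5 fingerprints of a DER certificate the way Firefox displays them, and separately reads the signatureAlgorithm OID, which is what an MD5 weakness actually concerns. The constructed FAKE_DER stand-in and the OID table are the example’s own assumptions.

```python
# Added example, not from the original post: fingerprint vs. signature algorithm.
import hashlib
import ssl

SIG_OIDS = {  # common signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758)
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# Constructed stand-in for a certificate: SEQUENCE { tbsCertificate SEQUENCE {},
# AlgorithmIdentifier { sha256WithRSAEncryption, NULL }, signatureValue BIT STRING }.
FAKE_DER = bytes.fromhex("3014 3000 300D 0609 2A864886F70D01010B 0500 030100")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """DER OID content bytes -> dotted string, e.g. 1.2.840.113549.1.1.11."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # a clear high bit ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Name of the algorithm the *issuer* used to sign this certificate."""
    _, pos, _ = read_tlv(der, 0)             # Certificate SEQUENCE
    _, _, pos = read_tlv(der, pos)           # skip tbsCertificate
    _, pos, _ = read_tlv(der, pos)           # signatureAlgorithm SEQUENCE
    tag, start, end = read_tlv(der, pos)     # algorithm OID
    assert tag == 0x06, "expected an OID"
    oid = decode_oid(der[start:end])
    return SIG_OIDS.get(oid, oid)

def fingerprint(der, algo="sha1"):           # what Firefox/Windows display: hash of the full DER
    return hashlib.new(algo, der).hexdigest().upper()
def is_weak_signature(name):                 # the property that actually affects trust
    return name.startswith(("md5", "sha1"))

if __name__ == "__main__":                   # roots this machine trusts (may be none in a sandbox)
    for der in ssl.create_default_context().get_ca_certs(binary_form=True):
        print(fingerprint(der), signature_algorithm(der), is_weak_signature(signature_algorithm(der)))
```

Two certificates with different fingerprints can share the same signature algorithm, and a root that is MD5-signed is not made any safer by having a SHA1 fingerprint; the fingerprint is only a lookup key.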

  11. Sean OBrien Says:

    This is pretty painful. Firefox on a Mac allows adding the first certificate. But several sites have a subsequent certificate which only gives an error window with no option to add it. So I have to go to the certificate list and find it and manually activate it. An example is GoDaddy, I had to manually activate a Starfield Class 2 CA.

  12. Nasko Says:

    This is the main reason I’m going through this process and want to document my findings. It is indeed painful, but security and usability are usually not possible at the same time. So my goal is to put together the list of certificates I need for my own day-to-day activities, and that could be a starting point for others.

    What site did you have to use the Starfield Class 2 CA for?

  13. Sean OBrien Says:

    I believe it was GoDaddy.com that used the Starfield cert.

    I have found 3 types of certs with Firefox on the Mac. Primary certs are easily added, for secondary certs Firefox complains but doesn’t allow them to be added. They must be added manually. Finally there are mystery certs, where Firefox doesn’t complain but the website looks like crap on the screen. I have to View Page Info, find the cert, then go manually add it.

    I wish Firefox allowed us to turn off an entire CA. I never want to use the Hong Kong Post Office CA. I will quit using any website which requires it.

  14. Nasko Says:

    Sean,
    What are those three types of certs you describe? I don’t own a Mac, so I haven’t seen Firefox on it, but I would assume it behaves the same way as on other platforms. Usually there are root certs, intermediate certs, and end certs. They are all in a chain and the server sends the entire chain without the root, so your machine only needs to have the root certificate to verify the chain of trust.

    The broken looking sites are usually sites that have two certificates issued by different CAs. In this case you trust the CA that provided the certificate for the HTTP content, but you don’t trust the CA that issued the certificate for the other content. You get a broken looking web page because of this.

    You can turn off CAs. If you disable trust on the CA certificate (the root cert), it should give you a warning and not connect you. If you are observing different behavior, it might be some bug. Email me the details of the issue you have and I will take a look.
