Results after 30 days of (almost) no trusted CAs

Today marks the 30th day since I removed all the root certificates for trusted certificate authorities. It was an interesting month and I’ve learned a bunch. The main takeaway from this experiment is that I don’t need a three-digit number of trusted CAs in my browser. Again, this is person-specific and US-centric, but the total count as of today is 10! For those interested in the exact list, the subject names and fingerprints follow.

CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
7e784a101c8265cc2de1f16d47b440cad90a1945

OU = VeriSign Trust Network, OU = "(c) 1998 VeriSign, Inc. - For authorized use only", OU = Class 3 Public Primary Certification Authority - G2, O = "VeriSign, Inc.", C = US
85371ca6e550143dce2803471bde3a09e8f8770f

OU=Class 3 Public Primary Certification Authority, O=VeriSign, Inc., C=US
742c3192e607e424eb4549542be1bbc53e6174e2

OU=Equifax Secure Certificate Authority, O=Equifax, C=US
d23209ad23d314232174e40d7f9d62139786633a

CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
97817950d81c9670cc34d809cf794431367ef474

CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
99a69be61afe886b4d2b82007cb854fc317e1539

CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
02faf3e291435468607857694df5e45b68851868

E=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, S=Western Cape, C=ZA
627f8d7827656399d27d7f9044c9feb3f33efa9a

OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
2796bae63f1801e277261ba0d77770028f20eee4

CN = GlobalSign Root CA, OU = Root CA, O = GlobalSign nv-sa, C = BE
b1bc968bd4f49d622aa89a81f2150152a41d829c

I’ve included the last one for completeness: I don’t really need it, but I had to enable it to access openssl.org over HTTPS. It is currently not trusted.
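When a connection fails, the question is which root it was trying to chain to and whether that root is one of the ten above. As an added example (not code from the original post), the following Python computes the SHA-1 fingerprint of a certificate given as PEM or DER and checks a saved chain against the post's list. The fingerprint values are the ones listed above; the labels are shortened forms of the subject names; the sample certificate bytes are a constructed stand-in so the script runs offline, not a real certificate.

```python
# Added example, not code from the original post: compute SHA-1 fingerprints
# of certificates and check a presented chain against the ten roots listed
# above.  The only built-in input is a constructed stand-in "certificate".
import base64
import hashlib
import re

# The post's list: SHA-1 fingerprint (what Windows calls the thumbprint, i.e.
# SHA-1 over the DER encoding) -> short label for the subject name above.
TRUSTED_ROOTS = {
    "7e784a101c8265cc2de1f16d47b440cad90a1945": "Equifax Secure Global eBusiness CA-1",
    "85371ca6e550143dce2803471bde3a09e8f8770f": "VeriSign Class 3 Public Primary CA - G2",
    "742c3192e607e424eb4549542be1bbc53e6174e2": "VeriSign Class 3 Public Primary CA",
    "d23209ad23d314232174e40d7f9d62139786633a": "Equifax Secure Certificate Authority",
    "97817950d81c9670cc34d809cf794431367ef474": "GTE CyberTrust Global Root",
    "99a69be61afe886b4d2b82007cb854fc317e1539": "Entrust.net Secure Server CA",
    "02faf3e291435468607857694df5e45b68851868": "AddTrust External CA Root",
    "627f8d7827656399d27d7f9044c9feb3f33efa9a": "Thawte Premium Server CA",
    "2796bae63f1801e277261ba0d77770028f20eee4": "Go Daddy Class 2 CA",
    "b1bc968bd4f49d622aa89a81f2150152a41d829c": "GlobalSign Root CA",
}

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def normalize_fingerprint(fp):
    """Accept 'B1:BC:96:...', 'b1 bc 96 ...' or bare hex; return 40 lowercase
    hex digits, which is how the dictionary above is keyed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    if len(digits) != 40:
        raise ValueError("SHA-1 fingerprint needs 40 hex digits, got %d" % len(digits))
    return digits


def split_pem_chain(text):
    """Return each CERTIFICATE block in `text` (e.g. a saved chain) in order."""
    return PEM_BLOCK.findall(text)


def pem_to_der(pem_text):
    """Base64-decode the body of the first CERTIFICATE block in `pem_text`."""
    blocks = split_pem_chain(pem_text)
    if not blocks:
        raise ValueError("no CERTIFICATE block found")
    body = blocks[0].replace("-----BEGIN CERTIFICATE-----", "")
    body = body.replace("-----END CERTIFICATE-----", "")
    return base64.b64decode("".join(body.split()))


def fingerprint_sha1(cert):
    """SHA-1 fingerprint of a certificate given as PEM text or DER bytes."""
    der = pem_to_der(cert) if isinstance(cert, str) else bytes(cert)
    return hashlib.sha1(der).hexdigest()


def lookup_root(fingerprint):
    """Label of the trusted root with this fingerprint, or None."""
    return TRUSTED_ROOTS.get(normalize_fingerprint(fingerprint))


def diagnose_chain(chain):
    """Walk a presented chain (PEM strings or DER bytes, leaf first) and return
    (index, label) of the first member that is one of the trusted roots, or
    (None, None).  On a failing connection, (None, None) means the chain ends
    in a root that is not in the list; its fingerprint is the one to look up
    in the store."""
    for index, cert in enumerate(chain):
        label = lookup_root(fingerprint_sha1(cert))
        if label is not None:
            return index, label
    return None, None


# Constructed stand-in: these bytes are NOT a real certificate; they only
# exercise the PEM/DER handling so the example runs offline.
SAMPLE_DER = b"constructed stand-in bytes, not an X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("stand-in fingerprint:", fingerprint_sha1(SAMPLE_PEM))
    print("trusted root in chain:", diagnose_chain([SAMPLE_PEM]))
    print("GlobalSign thumbprint ->",
          lookup_root("B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C"))
```

To capture what a server actually sends, `openssl s_client -connect host:443 -showcerts` prints the chain as PEM blocks, which `split_pem_chain` accepts as-is. The Thumbprint field in the Windows certificate dialog shows the same SHA-1 value (with spaces between bytes), so it can be pasted straight into `lookup_root`.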

While this is a good list of certs to enable for security geeks like myself, I’m not sure how feasible this is today for the average user, so I wouldn’t recommend doing this to your parents’ computer. Even for me it was hard to realize that application failures (such as twhirl stopping working entirely) were due to a root certificate no longer being trusted and SSL connections failing. I also had to look at the wire traffic on a few occasions where the UI would never expose an “I want to see which certificate is failing” option.

One needs to be very careful about which certs are disabled. Since failures that result from disabling trusted roots are hard to troubleshoot, reading up and getting familiar with how certificates work first is a great idea. Firefox has its own certificate store, completely separate from the OS, so messing with it is less of an issue: any errors are isolated to Mozilla applications. Here are some resources for Windows (whose store affects IE and Chrome):

  • There is a list of mandatory certificates that Windows needs to operate, which is listed here.
  • There is a great overview of how trusted root certificates work on Windows, which explains why people see things “change” under the hood.
  • Also, newer versions seem to offer a lot more control over how certificates are validated and which roots are trusted.
  • The list of CAs that Windows trusts.

I hope this information is helpful to people. Feel free to ping me with questions you might have related to this small project.

5 Responses to “Results after 30 days of (almost) no trusted CAs”

  1. Wally Says:

    Thank you for publishing the results of your experiment. This is great work!
    I’m behind on my podcasts, and just now heard of your work on the Security Now podcast (episode 244).

  2. Chris Says:

    This is an interesting experiment, and a fun read. Thanks for putting it together. I’d like to throw light on it from an additional angle:

    For those that are not familiar with the various grades of commercial certificates, there is a wide range of background checks that are performed before various types of certificates are issued. Some CAs offer Domain Vetted (or DV) certificates which only require that the certificate applicant respond to an email before the certificate is approved/issued. DV certificates usually provide no authentication on the individual or organization that the certificate is issued to. DV certificates only confirm “Domain Control”. On the other hand, Extended Validation certificates require a thorough investigative process be performed before the EV cert is issued. In addition to domain control, EV certificates verify that the certificate is actually issued to a legally established company or organization, and that the individual who applied for the certificate on behalf of the organization had authorization to do so. Therefore, EV certificates offer much, much stronger authentication. As a result, EV certificates help to protect users from phishing and other types of scam websites.

    Extended Validation certificates are recognized by browsers in many different ways. For example, Internet Explorer turns the address bar green, Firefox turns the leftmost part of the address bar green and shows the verified company name. Chrome, Opera, and Safari all display the name of the verified company in the right side of the address bar.

    Because of increased standards, EV certificates are generally issued under newer, stronger, 2048-bit roots. However, these certificates are generally cross-signed up to older “legacy” root certificates including many that are listed here. This cross-signature is generally intended to make the newer EV certificates trusted on old browsers. However, on browsers without the newer EV roots installed (or the EV roots have been removed), the EV indication is not functional, and the site appears to be secured with a non-EV certificate.

    Therefore, another negative side-effect of removing the newer EV roots is that the EV indicators will become disabled. The sites will still be trusted by the browser through the older roots, but the EV indicator will not work.
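
To make the cross-signing point above concrete, here is an added Python model (not code from the post or from Chris) of how a browser builds a chain when a new root is also cross-signed by a legacy root. All names are placeholders; trust is keyed by subject name and no signatures are checked, so this illustrates path building only, not real X.509 validation.

```python
# Added example (not code from the post or from Chris): a toy path builder
# that models the cross-signing situation described above.  Trust is keyed
# by subject name here; real validators check signatures and policies.
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer")

# Constructed hierarchy with placeholder names: a leaf issued by an EV
# intermediate, which chains to a new EV root.  That root also exists as a
# cross-signed certificate (same subject) issued by a legacy root.
LEAF = Cert("CN=www.example.test", "CN=Example EV Intermediate")
EV_INTERMEDIATE = Cert("CN=Example EV Intermediate", "CN=Example EV Root")
EV_ROOT = Cert("CN=Example EV Root", "CN=Example EV Root")                      # self-signed new root
CROSS_SIGNED_EV_ROOT = Cert("CN=Example EV Root", "CN=Example Legacy Root")    # same subject, legacy issuer
LEGACY_ROOT = Cert("CN=Example Legacy Root", "CN=Example Legacy Root")
POOL = [EV_INTERMEDIATE, EV_ROOT, CROSS_SIGNED_EV_ROOT, LEGACY_ROOT]

EV_ENABLED_ROOTS = {"CN=Example EV Root"}  # the browser grants EV only for this anchor


def build_path(cert, pool, trusted, seen=()):
    """Return [cert, ..., last] where last.issuer is a trusted anchor, or None."""
    if cert.issuer in trusted:
        return [cert]
    for candidate in pool:
        if candidate.subject != cert.issuer or candidate in seen:
            continue
        if candidate.subject == candidate.issuer:
            continue  # an untrusted self-signed cert cannot lead anywhere
        rest = build_path(candidate, pool, trusted, seen + (cert,))
        if rest is not None:
            return [cert] + rest
    return None


def validate(leaf, pool, trusted, ev_roots=EV_ENABLED_ROOTS):
    """(subjects along the path, anchor subject, EV indicator shown?) or None."""
    path = build_path(leaf, pool, trusted)
    if path is None:
        return None
    anchor = path[-1].issuer
    return [c.subject for c in path], anchor, anchor in ev_roots


def with_new_root():
    """Store holds both the new EV root and the legacy root."""
    return validate(LEAF, POOL, {"CN=Example EV Root", "CN=Example Legacy Root"})


def without_new_root():
    """Store pruned to the legacy root only, as in the experiment above: the
    chain still builds through the cross-signed certificate, but the anchor
    is the legacy root, so no EV indicator."""
    return validate(LEAF, POOL, {"CN=Example Legacy Root"})


if __name__ == "__main__":
    print("both roots trusted:", with_new_root())
    print("legacy root only:  ", without_new_root())
```

The pruned store reaches the legacy anchor by one extra hop through the cross-signed certificate, which is exactly the "trusted, but no green bar" outcome described in the comment.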

  3. Nasko Says:

    Thanks for the info Chris. Are there any EV roots that are not in the list I have, whose non-EV root is in the list? It might be good to compile a list of the EV-enabled root certs.

  4. How to mitigate the risk of the DigiNotar *.google.com SSL certificate Says:

    [...] a couple posts that Nasko has done relating to managing your own certificate store like this one (http://netsekure.org/2010/05/results-after-30-days-of-almost-no-trusted-cas/) and this one [...]

  5. 0xdabbad00.com :: How many root CA’s should we really trust?? – Scientia est potentia Says:

    [...] a post on the TOR project about a guy that removes all certs and adds them as needed, and another post shows the 10 CA’s that were ultimately accepted by someone after 30 days of using a browser with [...]
