Today marks the 30th day since I removed all the root certificates for trusted certificate authorities. It was an interesting month and I’ve learned a bunch. The main takeaway from this experiment is that I don’t need a three-digit number of trusted CAs in my browser. Again, this is person-specific and US-centric, but the total count as of today is 10! The list of subject names and signatures follows for those interested in the exact list.
CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
OU=VeriSign Trust Network, OU="© 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
OU=Class 3 Public Primary Certification Authority, O=VeriSign, Inc., C=US
OU=Equifax Secure Certificate Authority, O=Equifax, C=US
CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
CN=Entrust.net Secure Server Certification Authority, OU=© 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
E=email@example.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, S=Western Cape, C=ZA
OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
The last one I’ve included for completeness, since I don’t really need it, but I had to enable it to access openssl.org over https. It is currently not trusted.
While this is a good list of certs to enable for security geeks like myself, I’m not quite sure how feasible this is today for the average user, so I wouldn’t recommend doing this on your parents’ computer. Even for me it was hard to realize that application failures (such as twhirl completely stopping working) were due to a root certificate no longer being trusted and SSL connections failing. I also had to look at the wire traffic on a few occasions where the UI would never expose the “I want to see which certificate is failing” option.
One needs to be very careful about which certs are disabled. Since it is hard to troubleshoot failures that result from disabling trusted roots, reading up and getting familiar with how certificates work is a great idea. Firefox has its own certificate storage, completely separate from the OS, so messing with it is not as big an issue, as any errors are isolated to Mozilla applications. Here are some resources for Windows (which affects IE and Chrome):
- There is a list of certificates that Windows needs in order to operate, which is listed here.
- There is a great overview of how trusted root certificates work on Windows that explains why people see things “change” under the hood.
- Also, in newer versions there seems to be a lot more control over how certificates are validated and which roots are trusted.
- The list of CAs that Windows trusts.
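The failure mode described above (an application breaking because its server chains to a root you disabled, with no UI telling you which root) can be reproduced and diagnosed offline with the openssl CLI. The script below is an added example, not code from the original post: it builds a throwaway two-tier chain with constructed CA names, verifies the leaf against a trust list that does or does not contain its root, and prints the issuer DN you would have to re-enable. It assumes a two-tier chain; for a deeper chain saved from the wire, run `needed_root` on the topmost intermediate instead of the leaf.

```shell
#!/bin/sh
# Added example (not from the post): build a throwaway two-tier chain offline,
# then check a leaf against a trust list the way a browser with most roots
# disabled would, and name the root that would have to be re-enabled.
# Every CA name and key below is constructed for this demo; none is a real CA.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mk_root NAME FILEBASE: create a self-signed throwaway root in $WORK.
mk_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}
mk_root "Example Test Root CA" root   # the root the leaf actually chains to
mk_root "Some Other Root CA" other    # a root left enabled that is irrelevant here

# Issue a leaf for example.test from the first root only.
openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/root.pem" \
  -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null

# needed_root CERT.pem: print the issuer DN of the first certificate in the
# file. For a two-tier chain that is the root; for a deeper chain saved from
# the wire (e.g. via s_client -showcerts), run it on the topmost intermediate.
needed_root() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=[ ]*//'
}

# trusted_by TRUST.pem LEAF.pem: "OK" when the leaf chains to a root in the
# trust file, otherwise "UNTRUSTED (needs root: <issuer DN>)". This is the
# check a browser performs silently; the point is to surface the DN so you
# can look it up in your enabled list instead of sniffing the handshake.
trusted_by() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "OK"
  else
    echo "UNTRUSTED (needs root: $(needed_root "$2"))"
  fi
}

echo "with the right root enabled: $(trusted_by "$WORK/root.pem" "$WORK/leaf.pem")"
echo "with only an unrelated root: $(trusted_by "$WORK/other.pem" "$WORK/leaf.pem")"
```

To diagnose a real failure, save the server's chain with `openssl s_client -showcerts` and feed the topmost certificate to `needed_root`; the printed DN is the entry to compare against your enabled list.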
I hope this information is helpful to people. Feel free to ping me with questions you might have related to this small project.