netsekure rng

random noise generator

Results after 30 days of (almost) no trusted CAs

Today marks the 30th day since I removed all the root certificates for trusted certificate authorities. It was an interesting one month and I’ve learned a bunch. The main takeaway from this experiment is that I don’t need 3 digit number of trusted CAs in my browser. Again, this is person specific and US centric, but the total count as of today is 10! The list of subject names and signatures follows for the ones interested in the exact list.

CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
7e784a101c8265cc2de1f16d47b440cad90a1945

OU = VeriSign Trust Network, OU = “© 1998 VeriSign, Inc. - For authorized use only”, OU = Class 3 Public Primary Certification Authority - G2, O = “VeriSign, Inc.”, C = US
85371ca6e550143dce2803471bde3a09e8f8770f

OU=Class 3 Public Primary Certification Authority, O=VeriSign, Inc., C=US
742c3192e607e424eb4549542be1bbc53e6174e2

OU=Equifax Secure Certificate Authority, O=Equifax, C=US
d23209ad23d314232174e40d7f9d62139786633a

CN=GTE CyberTrust Global Root, OU=“GTE CyberTrust Solutions, Inc.”, O=GTE Corporation, C=US
97817950d81c9670cc34d809cf794431367ef474

CN=Entrust.net Secure Server Certification Authority, OU=© 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
99a69be61afe886b4d2b82007cb854fc317e1539

CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
02faf3e291435468607857694df5e45b68851868

E=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, S=Western Cape, C=ZA
627f8d7827656399d27d7f9044c9feb3f33efa9a

OU=Go Daddy Class 2 Certification Authority, O=“The Go Daddy Group, Inc.”, C=US
2796bae63f1801e277261ba0d77770028f20eee4

CN = GlobalSign Root CA, OU = Root CA, O = GlobalSign nv-sa, C = BE
b1bc968bd4f49d622aa89a81f2150152a41d829c

The last one I’ve included for completeness, since I don’t really need it, but I had to enable it to access openssl.org over https. It is currently not trusted.

While this is a good list of certs to enable for security geeks like myself, I’m not quite sure how feasible this is today for the average user, so I wouldn’t recommend doing this to your parents’ computer. Even for me it was hard to realize that application failures (such as twhirl completely stopping to work) are due to a root certificate no longer being trusted and SSL connections failing. I also had to look at the wire traffic on a few occasions where the UI would never expose the “I want to see which certificate is failing” option.

One needs to be very careful which certs are disabled. Since it is hard to troubleshoot failures that result from disabling trusted roots, reading up and getting familiar with how certificates work is a great idea. Firefox has its own certificate storage, completely separate from the OS, so messing with it is not as big of an issue, as any errors are isolated to Mozilla applications. Here are some resources for Windows (which affects IE and Chrome):

  • There is a list of mandatory certificates that Windows needs to operate, which is listed here.
  • There is a great overview of how the trusted roots certificates work on Windows and explains why people see things “change” under the hood.
  • Also, in newer versions there seem to be a lot more control on how certificates are validated and what roots are trusted.
  • The list of CAs that Windows trusts.

I hope this information is helpful to people. Feel free to ping me with questions you might have related to this small project.

Comments