How to know which Certificates to leave in my browser, and which to remove


Episode #481 of the Security Now! podcast touches on the related subject of Certificate Transparency. The question "which CAs can I trust?" is replaced by "which certificates are known to represent a given site?".

Once RFC 6962 is universally deployed, it allows us to detect that the "Hong Kong Post office CA" (aka the Chinese Government) has issued a fraudulent certificate to www.gmail.com, which your pre-2015 browser would otherwise happily accept.

The concept that hundreds of CAs are trusted to issue certificates to any site is crazy.

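The detection the answer describes rests on the data structure in RFC 6962: a log appends every certificate it sees to a Merkle tree, publishes the tree head, and can prove that any entry is included; a site owner then monitors the log for certificates naming their domain that they never asked for. The block below is an added example, not code from the original answer or from any real CT log: it implements the RFC 6962 leaf/node hashing, tree head and inclusion proof (section 2.1 of the RFC), verifies a proof knowing only the leaf, its index and the tree size, and runs a toy monitor over a constructed sample log. The entries, domains, issuer strings and serials are made-up data, and the "Hong Kong Post Office CA" entry is a hypothetical illustration of the scenario in the answer, not a real issuance.

```python
"""RFC 6962-style Merkle log: tree head, inclusion proofs and a domain monitor.

Added example; not code from the original answer. Entries, domains and
issuer names are constructed sample data (the Hong Kong Post entry is a
hypothetical illustration of the scenario the answer describes).
"""
import hashlib

LEAF_PREFIX = b"\x00"  # RFC 6962 s2.1: domain separation between leaves
NODE_PREFIX = b"\x01"  # and interior nodes (prevents second-preimage tricks)


def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (the RFC's split point k)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(leaves: list) -> bytes:
    """MTH(D[n]) from RFC 6962 section 2.1."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split(n)
    return node_hash(merkle_tree_hash(leaves[:k]), merkle_tree_hash(leaves[k:]))


def inclusion_proof(leaves: list, m: int) -> list:
    """PATH(m, D[n]) from RFC 6962 section 2.1.1: sibling hashes, leaf to root."""
    n = len(leaves)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_proof(leaves[:k], m) + [merkle_tree_hash(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [merkle_tree_hash(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int, proof: list, root: bytes) -> bool:
    """Recompute the root from a leaf and its audit path, knowing only index and tree size."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(leaf)
    for p in proof:
        if sn == 0:
            return False  # proof is longer than the tree is deep
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # sibling is on the left
            if not fn & 1:       # right-most node of a short subtree: skip levels with no sibling
                while fn and not fn & 1:
                    fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)  # sibling is on the right
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root


def entry_bytes(entry: dict) -> bytes:
    """Canonical leaf encoding for a (domain, issuer, serial) record of a logged certificate."""
    return "|".join((entry["domain"], entry["issuer"], entry["serial"])).encode()


def monitor(entries: list, domain: str, expected_issuers: set) -> list:
    """What a site owner's CT monitor does: list every logged cert for `domain`
    that was not issued by a CA the owner actually uses."""
    return [e for e in entries if e["domain"] == domain and e["issuer"] not in expected_issuers]


# Constructed sample log (hypothetical data, not real certificates).
SAMPLE_ENTRIES = [
    {"domain": "www.gmail.com", "issuer": "Google Internet Authority", "serial": "1001"},
    {"domain": "example.org", "issuer": "Thawte, Inc.", "serial": "1002"},
    {"domain": "www.gmail.com", "issuer": "Google Internet Authority", "serial": "1003"},
    {"domain": "example.net", "issuer": "Trustis Limited", "serial": "1004"},
    {"domain": "www.gmail.com", "issuer": "Hong Kong Post Office CA", "serial": "1005"},  # hypothetical rogue issuance
]
SAMPLE_LEAVES = [entry_bytes(e) for e in SAMPLE_ENTRIES]


def demo() -> dict:
    leaves = SAMPLE_LEAVES
    root = merkle_tree_hash(leaves)
    proof = inclusion_proof(leaves, 4)  # prove the rogue entry is in the log
    ok = verify_inclusion(leaves[4], 4, len(leaves), proof, root)
    forged = verify_inclusion(b"www.gmail.com|Other CA|1005", 4, len(leaves), proof, root)
    rogue = monitor(SAMPLE_ENTRIES, "www.gmail.com", {"Google Internet Authority"})
    return {"proof_len": len(proof), "valid": ok, "forged_valid": forged, "rogue": rogue}


if __name__ == "__main__":
    print(demo())
```

The point of the prefixes and of the fixed split rule is that a verifier who holds only the published tree head can check a proof without trusting the log's word for it, and the monitor is the piece that turns "the cert is in the log" into "somebody issued a cert for my domain that I did not request". Real monitors read the log's get-entries API and parse X.509 instead of the toy records used here.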


Author: dotancohen

Updated on September 18, 2022

Comments

  • dotancohen
    dotancohen over 1 year

    I would like to tighten up security a bit, so I am disabling unneeded certs from my browsers. For instance, the "WoSign CA Limited" cert from China I obviously don't need, yet "Thawte Consulting cc" I do.

    Is there any way to see which certs I've actually used so that I could start making informed decisions? Take for example "Trustis Limited". On what basis would I decide to keep or leave it? Also, in addition to "Thawte Consulting cc" there is a cert for "thawte, Inc.". Might one be a spoof? How would I know?

    • Admin
      Admin over 9 years
      This is a hard problem. You can’t really know which are legit, and you don’t even know which you need and will need in the future (service providers you rely on may change the CA they use; see Certificate Patrol to get an idea of the frequency of CA switches). This is one of the reasons why some people in the security community consider the CA system fundamentally broken. Most people normally have to rely on Mozilla (or whoever composes your certificate store, maybe Google in your case) to make sensible tests on the certificates they receive applications for.
    • Admin
      Admin over 9 years
      In fact, Certificate Patrol would be exactly what you want (that, plus a few weeks of use). However, it is not available for Google Chrome.
    • Admin
      Admin almost 9 years
      @JonasWielicki, it's not so hard. We can selectively block by countries, then when there's a problem, we can decide whether we wish to include it back in the list. Ban first, white-list later.
    • Admin
      Admin almost 9 years
      @Pacerier I don’t think that is easy. First, if you block all the Five-Eyes-based CAs (which I would if I were to take this seriously), you’d immediately re-whitelist them. Nothing won there. Certificate Patrol has the neat advantage that it informs you about "suspicious" changes in the certificates (like premature certificate changes or changes of the CA).
  • phoeagon
    phoeagon about 9 years
    Could you please explicitly quote an imaginary example as imaginary or provide citations?