[Discuss] root CA bloat
Richard Pieri
richard.pieri at gmail.com
Fri Nov 21 20:30:27 EST 2014
On 11/21/2014 6:19 PM, Tom Metro wrote:
> Has anyone created an extension for Firefox that trims down the cert
> list to something like the top 50 cert providers?
Who's to say what those top 50 are? And in fact, pruning to the top 50
would only remove about a dozen of the top level certificate authorities
from Firefox's (v33.1.1) list.
A huge problem is subordinate authorities. Subordinates are chained to
the roots so that you don't need to have their certificates distributed
with the browsers. When you hit a site like the Bavarian National
Library, your browser looks at the designated CA and follows the chain
to the anchor.
https://opacplus.bsb-muenchen.de/
Which is to say that if you trust the number 1 root CA in the world then
you automatically trust any subordinate CA that the number 1 root
delegates. And you automatically trust any subordinate CA that the
delegate delegates. And so forth. This can't be fixed because it's not
broken; it's how the X.509 trust chain was designed to operate. And if
you expunge delegated authority certificates from your browser, well,
they'll just get reloaded the next time you visit sites with delegated
certificates AND you'll blow away any benefit that pinning those certs
might have provided since you unpinned and erased them.
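Added example (written for this archive page, not part of Richard's post or any project's code): a small Python script using the `cryptography` package that issues a made-up root -> subordinate -> site chain and then walks it the way a browser does, from the site's certificate up to an anchor in the local store. It shows the three points above: trusting only the root is enough to validate the site, the subordinate's certificate never needs to be in the store because the server hands it over during the handshake, and removing the root is the only pruning that actually changes the outcome. All names ("Example Root CA", "opac.example.test") are constructed for the demo.

```python
"""Added illustration, not from the mailing-list post: build a root ->
subordinate -> site X.509 chain with the `cryptography` package
(pip install cryptography) and walk it from the site's certificate up to
an anchor in the local trust store. All names are made up."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

ISSUED = datetime.datetime(2014, 11, 21)  # arbitrary issue date for the demo certs


def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(cn, key, issuer_cn, issuer_key, is_ca):
    """Issue a certificate for `key` with subject `cn`, signed by `issuer_key`."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(name(cn))
        .issuer_name(name(issuer_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(ISSUED)
        .not_valid_after(ISSUED + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def signed_by(cert, candidate_issuer):
    """True when `candidate_issuer` is named as issuer and its key verifies the signature."""
    if cert.issuer != candidate_issuer.subject:
        return False
    try:
        candidate_issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def build_chain(leaf, presented, trust_store, max_depth=8):
    """Walk from `leaf` toward the trust store.

    `presented` are the extra certificates the server sent in the TLS
    handshake (the subordinate CAs); `trust_store` holds the locally trusted
    anchors. Returns the chain leaf-first, ending in an anchor, or None when
    no anchor can be reached.
    """
    chain, current = [leaf], leaf
    for _ in range(max_depth):
        if current in trust_store:            # the cert itself is an anchor
            return chain
        for anchor in trust_store:            # an anchor signed it: done
            if signed_by(current, anchor):
                return chain + [anchor]
        # Not anchored yet: look for the issuer among what the server presented.
        issuer = next((c for c in presented if c is not current and signed_by(current, c)), None)
        if issuer is None:
            return None
        chain.append(issuer)
        current = issuer
    return None


def common_names(chain):
    return None if chain is None else [
        c.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value for c in chain]


def run_demo():
    """Three-level hierarchy; returns the chain each trust-store policy yields."""
    root_key, sub_key, site_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root = make_cert("Example Root CA", root_key, "Example Root CA", root_key, True)
    sub = make_cert("Example Subordinate CA", sub_key, "Example Root CA", root_key, True)
    site = make_cert("opac.example.test", site_key, "Example Subordinate CA", sub_key, False)
    return {
        # Only the root is installed; the subordinate arrives with the handshake.
        "root_only": common_names(build_chain(site, [sub], [root])),
        # The subordinate was pinned locally as well: the walk stops at it.
        "root_and_subordinate": common_names(build_chain(site, [sub], [root, sub])),
        # Root expunged from the store: nothing anchors the chain.
        "root_removed": common_names(build_chain(site, [sub], [])),
        # Server omits the subordinate and it is not local either.
        "subordinate_not_presented": common_names(build_chain(site, [], [root])),
    }


if __name__ == "__main__":
    for policy, chain in run_demo().items():
        print(f"{policy:28s} -> {chain}")
```

Running it prints a three-certificate chain for `root_only`, a two-certificate chain for `root_and_subordinate`, and `None` for the two cases where no anchor is reachable. The `root_removed` case is the one pruning that has an effect; deleting a subordinate from the store is undone by the next handshake that presents it.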
It gets better. Do a whois lookup on google.com. Then do one for
yahoo.com. Now bing.com, microsoft.com, amazon.com, verizon.com,
netflix.com, apple.com, comcast.com, att.com. Hell, any major commercial
service or content provider. Chances are you'll see the same names:
MarkMonitor and Corporation Service Company. These two companies are
top-level CAs that control the DNS for most of the big-name players in
the game. Which is to say that they have the tools necessary to perform
MITM against huge swaths of Internet traffic. And you have little choice
but to trust them, even when their business model is abusing that trust
in order to identify and prosecute IP infringement, because Apple and
Amazon and Netflix and Google and all the rest would stop working if you
revoke that trust.
--
Rich P.