BLU Discuss list archive
[Discuss] root CA bloat
- Subject: [Discuss] root CA bloat
- From: richard.pieri at gmail.com (Richard Pieri)
- Date: Fri, 21 Nov 2014 20:30:27 -0500
- In-reply-to: <546FC87F.1090203@gmail.com>
- References: <546C4823.6060900@gmail.com> <BN3PR0401MB1204BAB10AE6249C54E4E81BDC760@BN3PR0401MB1204.namprd04.prod.outlook.com> <546D7B55.70903@gmail.com> <BN3PR0401MB1204E9F1CF304F6724855281DC760@BN3PR0401MB1204.namprd04.prod.outlook.com> <546FC87F.1090203@gmail.com>
On 11/21/2014 6:19 PM, Tom Metro wrote:
> Has anyone created an extension for Firefox that trims down the cert
> list to something like the top 50 cert providers?

Who's to say what those top 50 are? And in fact, pruning to the top 50 would only remove about a dozen of the top level certificate authorities from Firefox's (v33.1.1) list.

A huge problem is subordinate authorities. Subordinates are chained to the roots so that you don't need to have their certificates distributed with the browsers. When you hit a site like the Bavarian National Library, your browser looks at the designated CA and follows the chain to the anchor.

https://opacplus.bsb-muenchen.de/

Which is to say that if you trust the number 1 root CA in the world then you automatically trust any subordinate CA that the number 1 root delegates. And you automatically trust any subordinate CA that the delegate delegates. And so forth. This can't be fixed because it's not broken; it's how the X.509 trust chain was designed to operate. And if you expunge delegated authority certificates from your browser, well, they'll just get reloaded the next time you visit sites with delegated certificates AND you'll blow away any benefit that pinning those certs might have provided since you unpinned and erased them.

It gets better. Do a whois lookup on google.com. Then do one for yahoo.com. Now bing.com, microsoft.com, amazon.com, verizon.com, netflix.com, apple.com, comcast.com, att.com. Hell, any major commercial service or content provider. Chances are you'll see the same names: MarkMonitor and Corporation Service Company. These two companies are top-level CAs that control the DNS for most of the big-name players in the game. Which is to say that they have the tools necessary to perform MITM against huge swaths of Internet traffic.

And you have little choice but to trust them, even when their business model is abusing that trust in order to identify and prosecute IP infringement, because Apple and Amazon and Netflix and Google and all the rest would stop working if you revoke that trust.

-- 
Rich P.
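The chain-following behaviour described in the message above, as an added example that is not part of the original post: a root CA, a subordinate CA it delegates to, and a leaf certificate are generated with openssl, and the leaf is then checked against a trust store that holds only the root. It assumes openssl is on the PATH; all CA names and the hostname are constructed for the demo.

```shell
#!/bin/sh
# Added example (constructed names): root -> subordinate -> leaf chain built with
# openssl. A verifier that trusts only the root accepts the leaf as long as the
# subordinate certificate is supplied alongside it, as a TLS server would do.
set -u
WORK=$(mktemp -d)   # generated files are left here for inspection

# Write a certificate-extension profile: $1 = path, $2 = CA:TRUE or CA:FALSE
write_ext() {
    if [ "$2" = "CA:TRUE" ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1"
    else
        printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$1"
    fi
}

# Generate a P-256 key and a CSR: $1 = file stem, $2 = subject CN
new_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr"
}

# Build root (self-signed), subordinate (signed by root), leaf (signed by subordinate).
make_chain() {
    write_ext "$WORK/ca.ext" CA:TRUE
    write_ext "$WORK/leaf.ext" CA:FALSE
    new_csr root "Demo Root CA"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
        -set_serial 1 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    new_csr sub "Demo Subordinate CA"
    openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -days 1 -set_serial 2 -extfile "$WORK/ca.ext" -out "$WORK/sub.pem" 2>/dev/null
    new_csr leaf "www.example.test"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
        -days 1 -set_serial 3 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Verify the leaf against a trust store holding ONLY the root.
# $1 = "served": subordinate supplied with the leaf (what a server sends);
# $1 = "missing": subordinate withheld. Returns openssl verify's exit status.
verify_leaf() {
    if [ "$1" = "served" ]; then
        openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" "$WORK/leaf.pem"
    else
        openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem"
    fi
}

make_chain
verify_leaf served  && echo "root trusted, subordinate served: leaf accepted"
verify_leaf missing || echo "root trusted, subordinate withheld: chain cannot be built"
```

The second call fails only because the verifier was handed nothing to bridge leaf and root; the moment the site sends its subordinate certificate, the chain closes again without the subordinate ever being in the local store.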