Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] root CA bloat



On 11/21/2014 6:19 PM, Tom Metro wrote:
> Has anyone created an extension for Firefox that trims down the cert
> list to something like the top 50 cert providers?

Who's to say what those top 50 are? And in fact, pruning to the top 50 
would only remove about a dozen of the top level certificate authorities 
from Firefox's (v33.1.1) list.

A huge problem is subordinate authorities. Subordinates are chained to 
the roots so that you don't need to have their certificates distributed 
with the browsers. When you hit a site like the Bavarian National 
Library, your browser looks at the designated CA and follows the chain 
to the anchor.

https://opacplus.bsb-muenchen.de/

Which is to say that if you trust the number 1 root CA in the world then 
you automatically trust any subordinate CA that the number 1 root 
delegates. And you automatically trust any subordinate CA that the the 
delegate delegates. And so forth. This can't be fixed because it's not 
broken; it's how the X.509 trust chain was designed to operate. And if 
you expunge delegated authority certificates from your browser, well, 
they'll just get reloaded the next time you visit sites with delegated 
certificates AND you'll blow away any benefit that pinning those certs 
might have provided since you unpinned and erased them.

It gets better. Do a whois lookup on google.com. Then do one for 
yahoo.com. Now bing.com, microsoft.com, amazon.com, verizon.com, 
netflix.com, apple.com, comcast.com, att.com. Hell, any major commercial 
service or content provider. Chances are you'll see the same names: 
MarkMonitor and Corporation Service Company. These two companies are 
top-level CAs that control the DNS for most of the big-name players in 
the game. Which is to say that they have the tools necessary to perform 
MITM against huge swaths of Internet traffic. And you have little choice 
but to trust them, even when their business model is abusing that trust 
in order to identify and prosecute IP infringement, because Apple and 
Amazon and Netflix and Google and all the rest would stop working if you 
revoke that trust.

-- 
Rich P.



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org