Certificate Authority Collections

With the recent news of Turkey censoring the Internet, it reminded me that the Turkish Telecom Authority is in just about every browser as a Certificate Authority. This means it can approve any SSL certificate it deems valid, including ones you may not deem valid. I installed Certificate Patrol as a test, mostly because it’s the easiest way to learn what CAs you run into during normal browsing. I used to browse entirely without CAs, but after a while trying to verify the SSL certificate of the most popular sites I browse becomes impossible. It just takes too much time. There are hundreds of CAs in your browser, but how many do you really need? It turns out, very few.

## The results

At least for the sites I browse in a two week timespan (so far). Of the hundreds available, here are the few I seem to need:

– AddTrust AB
– Baltimore
– COMODO CA Limited
– Digicert Inc (High Assurance)
– Digicert Inc (Global Root)
– Entrust.net
– GeoTrust Inc.
– GlobalSign nv-sa
– thawte, inc.
– The Go Daddy Group Inc
– The USERTRUST Network
– Verisign Inc
– GANDI SAS

And here’s a screenshot showing the full set I encountered in 2 weeks of normal browsing.

The 13 CAs

I’ve gone ahead and disabled the rest in Firefox. I wonder how this list will look in another 2 weeks. In the meanwhile, the EFF has a great SSL Observatory from mass collection of certs around the world.

originally published at wiki.lewman.is

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s