Do I really need all these Certificate Authorities in my browser or in my keychain?

  • There are lots of strange looking Certificate Authorities in my keychain as well as Firefox. I am sure they are legitimate CAs (as they are the same on my Mac and PC and other computers I checked). And by strange I mean they seem to be specific to some other countries or organizations that I am sure I have nothing to do with. Is there a way to safely remove these unnecessary CAs? Is there a list for regular US users, or a way to disable them and enable them when they are needed?

    Keep in mind a US site can use a cert from a non-US issuer. They aren't geographically restricted.

  • The Web is worldwide. That you are a "US user" does not mean that you will only look at US websites.

    You can remove any CA certificate that you do not wish to trust. That's your prerogative. The only consequence of removing a CA certificate is that the machine will cease to automatically accept as valid any certificate issued by the said CA. Translation: some HTTPS Web sites may begin to trigger scary warnings, which you can always bypass, but which are scary nonetheless (and training yourself to bypass scary warnings might not be a good idea anyway).

    The truth is that, as a user, you have very little information on which you could base your decision of trusting or not trusting any particular CA. Ideally, you would trust only those CAs for which you can establish a clear responsibility path down to you: the CA which will give you a lot of money in case you get swindled due to a mistake made by the CA. However, there is no such CA. Instead, what you have is a list of "default CAs" who made a deal with the OS vendor (Apple, in the case of Mac OS) so that the OS vendor accepts to include them as "default CAs". These CAs, and Apple, are way too smart, legally speaking, to give you money in case of any problem (as a Mac user, your money relationship with Apple rather flows in the other direction). Yet, if one of the "default CAs" begins to behave improperly, it is Apple's public image which is at stake.

    So my advice would be to leave things as they are. This is what almost everybody does. Remember that, in any case, the point of the CA is to validate the certificate, which does not mean that the corresponding site is maintained by honest and trustworthy people; the only thing that the CA guarantees is that the Web page you are looking at really came from the Web site whose name is in the URL bar.

    In addition to that: let go of the notion that PKI makes things secure automatically, and the CAs are not a problem anymore :-)

    Someone did an experiment and deleted all but 10 chosen CAs from his browser. He used that setting for a few months and was still able to surf the web like he used to - almost all the sites he visited still worked. I don't remember the details of the experiment, but it clearly showed that a casual web user does not need that many CAs.
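    The experiment above (and the answer's point that removing a root only turns a site's chain into a warning) can be reproduced in a measured way rather than by guessing. The following script is an added example, not code from the question or any answer: it summarises the roots in Python's default trust store by country, builds a client context that trusts only an allow-list of root organisations, and reports which of your own hostnames would stop validating. The allow-list, the SAMPLE_ROOTS entries and the hostname list are constructed placeholders; it also assumes get_ca_certs() and get_ca_certs(binary_form=True) list the roots in the same order.

```python
import ssl
import socket
from collections import Counter

# Constructed sample in the dict format ssl.SSLContext.get_ca_certs() returns
# (subject is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs).
SAMPLE_ROOTS = [
    {"subject": ((("countryName", "US"),), (("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Root CA"),))},
    {"subject": ((("countryName", "FR"),), (("organizationName", "Autorité Exemple"),),
                 (("commonName", "Exemple Racine"),))},
    {"subject": ((("organizationName", "NoCountry Org"),),)},  # no countryName at all
]

def name_field(name, key):
    """Return one attribute (e.g. 'organizationName') from a get_ca_certs() name tuple."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def roots_by_country(ca_certs):
    """Count roots per subject country; '??' for roots that carry no countryName."""
    return Counter(name_field(c["subject"], "countryName") or "??" for c in ca_certs)

def select_roots(ca_certs, keep_orgs):
    """Indices of roots whose organizationName contains any keep_orgs substring (case-insensitive)."""
    kept = []
    for i, c in enumerate(ca_certs):
        org = (name_field(c["subject"], "organizationName") or "").lower()
        if any(k.lower() in org for k in keep_orgs):
            kept.append(i)
    return kept

def restricted_context(keep_orgs):
    """Client context trusting only the allow-listed roots from the default store."""
    base = ssl.create_default_context()
    idx = select_roots(base.get_ca_certs(), keep_orgs)
    if not idx:
        raise ValueError("allow-list matched no root; refusing to build an empty trust store")
    der_roots = base.get_ca_certs(binary_form=True)  # assumed same order as get_ca_certs()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)     # CERT_REQUIRED + hostname check by default
    ctx.load_verify_locations(cadata=b"".join(der_roots[i] for i in idx))
    return ctx

def handshake_ok(ctx, hostname, port=443, timeout=5.0):
    """True if the server chain validates under ctx; False on the failure a browser would warn about."""
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return True
    except ssl.SSLCertVerificationError:
        return False

if __name__ == "__main__":
    print(roots_by_country(ssl.create_default_context().get_ca_certs()).most_common(5))
    ctx = restricted_context(["DigiCert", "ISRG"])  # constructed allow-list; replace with your own
    for host in ["example.com"]:                     # constructed; use the sites you actually visit
        print(host, "OK" if handshake_ok(ctx, host) else "WOULD WARN")
```

A root that never appears in the "WOULD WARN" list for the sites you use is one you could distrust with no visible effect; the country counts alone do not tell you that.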

    "the only thing that the CA guarantees is that the Web page you are looking at really came from the Web site whose name is in the URL bar" This is inaccurate, since any trusted CA can produce a fraudulent certificate for any domain that will be accepted by the browser. An evil CA can trick your browser into thinking that you're securely connected to's server when you could be connected to another (DNS poisoning) and be looking at a fraudulent certificate.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM