Certificate Authority Collections

With the recent news of Turkey censoring the Internet, I was reminded that the Turkish Telecom Authority is in just about every browser as a Certificate Authority. This means it can sign a certificate for any site it deems valid, and your browser will accept it, including certificates you may not deem valid. I installed Certificate Patrol as a test, mostly because it's the easiest way to learn which CAs you run into during normal browsing. I used to browse entirely without CAs, but after a while, trying to verify the SSL certificate of every popular site I browse became impossible; it just takes too much time. There are hundreds of CAs in your browser, but how many do you really need? It turns out, very few.

## The results

At least for the sites I've browsed over a two-week span (so far), of the hundreds available, these are the few I seem to need:

- AddTrust AB
- Baltimore
- COMODO CA Limited
- Digicert Inc (High Assurance)
- Digicert Inc (Global Root)
- Entrust.net
- GeoTrust Inc.
- GlobalSign nv-sa
- thawte, inc.
- The Go Daddy Group Inc
- The USERTRUST Network
- Verisign Inc
- GANDI SAS

And here's a screenshot showing the full set I encountered in 2 weeks of normal browsing.

The 13 CAs

I've gone ahead and disabled the rest in Firefox. I wonder how this list will look in another 2 weeks. In the meantime, the EFF's SSL Observatory, built from a mass collection of certificates from around the world, is a great resource.
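The same exercise can be scripted instead of done by hand in the browser. The following is an added example (not the post's own code) that lists the roots your local trust store loads, compares them against the CA organisations you have actually seen in use, and optionally tallies the issuer organisation for a set of hosts; `NEEDED_ORGS` is a constructed subset of the list above, and `partition_roots`, `loaded_roots` and `observed_issuers` are names chosen here.

```python
import socket
import ssl
from collections import Counter

# Constructed subset of the post's "needed" list; extend it with what you observe.
NEEDED_ORGS = ["DigiCert Inc", "COMODO CA Limited", "GlobalSign nv-sa"]


def org_name(name_rdns):
    """organizationName from ssl's nested-tuple name form, or None."""
    for rdn in name_rdns:
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def loaded_roots():
    """Root certificates the default ssl context trusts (system store)."""
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    return ctx.get_ca_certs()


def partition_roots(roots, needed_orgs):
    """Return (keep, disable): organisation names of trusted roots that were
    observed in use vs. candidates for disabling. Case-insensitive match."""
    wanted = {o.casefold() for o in needed_orgs}
    keep, disable = [], []
    for cert in roots:
        org = org_name(cert.get("subject", ())) or "(no organizationName)"
        (keep if org.casefold() in wanted else disable).append(org)
    return keep, disable


def observed_issuers(hosts, timeout=5.0):
    """Tally the organisation issuing each host's leaf certificate (needs
    network). Caveat: that is the intermediate's organisation, which usually
    but not always matches the root's; Certificate Patrol shows the chain."""
    ctx = ssl.create_default_context()
    seen = Counter()
    for host in hosts:
        with ctx.wrap_socket(socket.create_connection((host, 443), timeout),
                             server_hostname=host) as tls:
            seen[org_name(tls.getpeercert()["issuer"])] += 1
    return seen


if __name__ == "__main__":
    keep, disable = partition_roots(loaded_roots(), NEEDED_ORGS)
    print(f"{len(keep)} trusted roots seen in use, {len(disable)} unused")
```

The `disable` list is the set of roots you would review before switching them off in the browser; a root with no organizationName still needs a look by common name before it goes.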

originally published at wiki.lewman.is

This article was updated on 2020/03/14 15:54:18