Which Certificate Authorities Are Common?

I noticed the other day that Firefox has 171 certificate authorities (CAs) installed. Why do I need all of these? In normal browsing, which do I encounter on a regular basis? How many can I safely disable?

Any CA can issue a certificate for the TLS connection. Do I really trust that all 171 CAs are secure and looking out for my security and privacy? Well, I've previously gone down this path.

I started down the path of looking for extensions which could help me answer these questions. At first, IndicateTLS was the most helpful. I could click on the icon and see which CA issued the TLS certificate. In order to build a database, I started to record the CAs in a CSV file. Ok, true, a CSV file is not a database, but it's a quick way to start.

I created a git repo and started to work on an extension that recorded the CA of each URL. It turns out, I still hate JavaScript and don't want to learn it. I'm happy to work with someone who knows JavaScript and wants to work on this project.

It was far easier to use what I already know, systems and Julia. I then wrote a quick script to connect to each URL in the DNS cache, query the TLS cert, get the CA, and write that to a CSV file. If you look at that repo today, roughly 83% of the repo is Julia code. I then wrote another script to analyze the CSV file. I only want to collect the minimum information necessary to answer the question. I added in the date of collection solely to see trends over time.
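The collect-then-analyze flow described above, as an added Python sketch (not the author's Julia scripts). The CSV columns `date,host,issuer`, the suffix-merging rule and the sample rows are assumptions made for illustration.

```python
import csv, io, re, socket, ssl
from collections import Counter

def issuer_org(cert):
    """Return the issuer's organizationName from an ssl.getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def fetch_issuer(host, port=443, timeout=5.0):
    """Connect with normal certificate verification and return the issuing CA."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return issuer_org(tls.getpeercert())

def tally(csv_text):
    """Count certs per issuer exactly as recorded; rows with no issuer are skipped."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return Counter(row["issuer"] for row in rows if row["issuer"])

# Assumed rule: names differing only by a corporate suffix are the same CA.
_SUFFIX = re.compile(r",?\s+(inc\.?|llc|l\.l\.c\.|limited)$", re.IGNORECASE)

def merge_related(counts):
    """Fold e.g. 'DigiCert Inc' into 'DigiCert' and sum their counts."""
    merged = Counter()
    for name, n in counts.items():
        merged[_SUFFIX.sub("", name.strip())] += n
    return merged

# Constructed sample data, not real measurements.
SAMPLE_CSV = """\
date,host,issuer
2021-09-01,a.example,Let's Encrypt
2021-09-01,b.example,DigiCert Inc
2021-09-01,c.example,DigiCert
2021-09-01,d.example,Google Trust Services LLC
2021-09-01,e.example,Google Trust Services
2021-09-01,f.example,Let's Encrypt
2021-09-01,g.example,
"""

if __name__ == "__main__":
    for name, n in merge_related(tally(SAMPLE_CSV)).most_common():
        print(f"{n:6d}  {name}")
```

The issuer recorded this way is the intermediate that signed the site's certificate, and the root entry in the browser's store can carry a different organization name. Map each observed issuer to its root before disabling anything based on the tally.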

Results to date

As of today (2021-09-01), I've seen 33 CAs across 21,915 certs. So, 33 CAs out of 171 are common for my browsing. They might be different from yours. I've now disabled the other 138 CAs in my browser with no ill effects so far. In fact, some of those 33 are clearly related CAs that appear under different names in TLS certs: DigiCert/DigiCert Inc, Google Trust Services/Google Trust Services LLC, Amazon, GoDaddy, Apple/Apple Inc, etc. However, I left each CA as recorded.

As I expected, the free CAs dominate the list. Let's Encrypt and Cloudflare are clearly in the top three spots. DigiCert/DigiCert Inc are a close second, but not free.

Here's the current table of results:

CA (as recorded)             Certs
Buypass AS-983163327             1
Network Solutions L.L.C.         1
SwissSign AG                     4
Starfield Technologies           8
Apple Inc.                      16
SSL Corporation                 45
Microsoft Corporation           60
Google Trust Services          216
COMODO CA Limited              347
Google Trust Services LLC     1177
GlobalSign nv-sa              1368
Sectigo Limited               1908
DigiCert Inc                  2583
Let's Encrypt                 6529

Future blog posts will contain status as I continue to use the web with a minimal selection of CAs enabled.