Which Certificate Authorities Are Common?
I noticed the other day that Firefox has 171 certificate authorities (CAs) installed. Why do I need all of these? In normal browsing, which ones do I encounter on a regular basis? How many can I safely disable?
Any CA can issue a certificate for the TLS connection. Do I really trust that all 171 CAs are secure and looking out for my security and privacy? Well, I've previously gone down this path.
I started down the path of looking for extensions which could help me answer these questions. At first, IndicateTLS was the most helpful. I could click on the icon and see which CA issued the TLS certificate. In order to build a database, I started to record the CAs in a CSV file. Ok, true, a CSV file is not a database, but it's a quick way to start.
I created a git repo and started to work on an extension that recorded the CA of each URL. It turns out I still hate JavaScript and don't want to learn it. I'm happy to work with someone who knows JavaScript and wants to work on this project.
It was far easier to use what I already know: systems and Julia. I wrote a quick script to connect to each URL in the DNS cache, query the TLS cert, get the CA, and write that to a CSV file. If you look at that repo today, roughly 83% of the repo is Julia code. I then wrote another script to analyze the CSV file. I only want to collect the minimum information necessary to answer the question. I added the date of collection solely to see trends over time.
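The two steps described above (record the issuing CA per host into CSV rows, then tally the CSV), as an added Python example rather than the author's Julia code. It takes the issuer's organizationName as the "CA" (an assumption; the post does not say which field the script reads), SAMPLE_PEERCERT and SAMPLE_CSV are constructed, and the `fetch` parameter lets the collector run offline.

```python
import csv
import io
import socket
import ssl
from collections import Counter
from datetime import date

def issuer_org(peercert):
    """Issuer organizationName from a getpeercert() dict; '' if the
    issuer has no O= attribute (how a blank CA row ends up in a tally)."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def fetch_issuer_org(host, port=443, timeout=5.0):
    """Handshake with host and return the issuer's organization.
    Validation stays on: an unverifiable host raises instead of being counted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return issuer_org(tls.getpeercert())

def record_rows(hosts, fetch=fetch_issuer_org, today=None):
    """Build (date, host, ca) rows; `fetch` is injectable for offline runs."""
    today = today or date.today().isoformat()
    rows = []
    for host in hosts:
        try:
            rows.append((today, host, fetch(host)))
        except OSError:  # ssl.SSLError is a subclass: unreachable or unverifiable
            continue
    return rows

def tally(csv_text):
    """Count certs per CA in CSV text (header date,host,ca), ascending by count."""
    counts = Counter(row["ca"] for row in csv.DictReader(io.StringIO(csv_text)))
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))

# Constructed sample data; the dict mirrors ssl.SSLSocket.getpeercert().
SAMPLE_PEERCERT = {"issuer": ((("countryName", "US"),),
                              (("organizationName", "Let's Encrypt"),),
                              (("commonName", "R3"),))}
SAMPLE_CSV = """date,host,ca
2021-09-01,a.example.test,Let's Encrypt
2021-09-01,b.example.test,Cloudflare
2021-09-01,c.example.test,Let's Encrypt
2021-09-01,d.example.test,
"""
```

A host whose issuer carries no organizationName lands in the tally under an empty name, which is worth checking for before trusting the CA count.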
Results to date
As of today (2021-09-01), I've seen 33 CAs across 21,915 certs. So, 33 CAs out of 171 are common for my browsing. They might be different from yours. I've now disabled the other 138 CAs in my browser with no ill effects so far. In fact, some of those 33 are clearly related CAs recorded under different names in the TLS certs: DigiCert/DigiCert Inc, Google Trust Services/Google Trust Services LLC, Amazon, GoDaddy, Apple/Apple Inc, etc. However, I left each CA as recorded.
As I expected, the free CAs dominate the list. Let's Encrypt and Cloudflare are clearly in the top three spots. DigiCert/DigiCert Inc are a close second, but not free.
Here's the current table of results:
| CA | total_sum |
|---|---|
| CPanel | 1 |
| Apple | 1 |
| Buypass AS-983163327 | 1 |
| Network Solutions L.L.C. | 1 |
| GoGetSSL | 1 |
| TERENA | 2 |
| | 2 |
| GlobalSign | 2 |
| Cybertrust | 2 |
| SwissSign AG | 4 |
| Sectigo | 5 |
| Starfield Technologies | 8 |
| GoDaddy.com | 8 |
| ZeroSSL | 9 |
| Apple Inc. | 16 |
| Gandi | 34 |
| SSL Corporation | 45 |
| Microsoft Corporation | 60 |
| Internet2 | 72 |
| cPanel | 102 |
| Starfield | 113 |
| Entrust | 161 |
| Google Trust Services | 216 |
| COMODO CA Limited | 347 |
| GoDaddy | 797 |
| Google Trust Services LLC | 1177 |
| GlobalSign nv-sa | 1368 |
| DigiCert | 1439 |
| Amazon | 1466 |
| Sectigo Limited | 1908 |
| DigiCert Inc | 2583 |
| Cloudflare | 3435 |
| Let's Encrypt | 6529 |
Future blog posts will contain status as I continue to use the web with a minimal selection of CAs enabled.