Firefox's default list of trusted certificate authorities
I'll point you here for the full story, and add my two cents below.
Sadly I don't have time to get into the rabbit hole of explaining certificates and SSL, so this will have to be directed at those already in the know.
Here's the overview. A root certificate authority, TURKTRUST (yes, they're Turkish), mistakenly issued two certificates in 2011 that were really intermediate CA certificates, so their owners could sign valid-looking certificates for any site; one of them was later used to mint a certificate for *.google.com, good for impersonating any Google site. And I'm here to let you know you can go right ahead and delete TURKTRUST from your browser without worrying you'll ever need it.
This useful bit of information is courtesy of "Nasko" at netsekure.org, who did a survey in 2010 of the most commonly used certificate authorities on the web. His motive was to reduce his own attack surface: we've seen a steady stream of CA (certificate authority) compromises over the years, and a browser that doesn't trust a CA in the first place can't be fooled by certificates fraudulently issued under it.
His surprising result was that you only need about 25 CAs out of the hundreds that browsers trust by default. His survey queried the top 1 million most popular sites according to Alexa, so you can be pretty sure he didn't miss much of the web.
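The survey is easy to reproduce in miniature. The script below is an added example written for this post, not Nasko's own tool: it pulls each site's certificate chain with `openssl s_client -showcerts`, takes the issuer of the last certificate the server sent (the trust anchor the browser must actually hold), tallies how many sites rest on each root, and lists the roots in a store that no surveyed site needed. The host names, the `s_client` transcripts and the trusted-root list are constructed so that everything except `fetch_chain()` runs offline.

```python
"""Which root CAs do the sites I visit actually chain to?

Added example, not the netsekure.org survey script. The s_client
transcripts and the trusted-root list below are constructed samples.
"""
import re
import subprocess
from collections import Counter

# s_client prints each chain element as " N s:<subject>" followed by "   i:<issuer>".
_CHAIN_LINE = re.compile(r"^\s*\d+\s+s:(.*)$")
_ISSUER_LINE = re.compile(r"^\s*i:(.*)$")


def chain_from_s_client(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    pairs, subject = [], None
    for line in output.splitlines():
        m = _CHAIN_LINE.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = _ISSUER_LINE.match(line)
        if m and subject is not None:
            pairs.append((subject, m.group(1).strip()))
            subject = None
    return pairs


def root_issuer(chain):
    """Trust anchor a chain rests on.

    Whether the server included its root (self-signed, subject == issuer)
    or stopped at the intermediate, the last element's issuer names the
    CA that must be in the browser's store for the chain to verify.
    """
    return chain[-1][1] if chain else None


def fetch_chain(host, timeout=10):
    """Live lookup: needs network and the openssl CLI (not used offline)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:443",
         "-servername", host, "-showcerts"],
        input=b"", capture_output=True, timeout=timeout, check=False,
    )
    return chain_from_s_client(proc.stdout.decode("utf-8", "replace"))


def tally_roots(chains):
    """[(root_issuer, site_count), ...], most-used first."""
    return Counter(root_issuer(c) for c in chains if c).most_common()


def unused_roots(trusted_roots, chains):
    """Roots in the store that no surveyed site needed: distrust candidates."""
    needed = {root_issuer(c) for c in chains if c}
    return sorted(r for r in trusted_roots if r not in needed)


# Constructed s_client output: a server that omits its root ...
SAMPLE_OUTPUTS = [
    """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Example Trust Inc, CN = Example Intermediate G2
-----BEGIN CERTIFICATE-----
MIIB(placeholder, not a real certificate)
-----END CERTIFICATE-----
 1 s:C = US, O = Example Trust Inc, CN = Example Intermediate G2
   i:C = US, O = Example Trust Inc, CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIB(placeholder, not a real certificate)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.example.test
issuer=C = US, O = Example Trust Inc, CN = Example Intermediate G2
""",
    # ... one that sends leaf, intermediate and the self-signed root ...
    """ 0 s:CN = shop.example.test
   i:C = GB, O = Other Trust Ltd, CN = Other Issuing CA 1
 1 s:C = GB, O = Other Trust Ltd, CN = Other Issuing CA 1
   i:C = GB, O = Other Trust Ltd, CN = Other Root
 2 s:C = GB, O = Other Trust Ltd, CN = Other Root
   i:C = GB, O = Other Trust Ltd, CN = Other Root
""",
    # ... and a second site under the first root.
    """ 0 s:CN = mail.example.test
   i:C = US, O = Example Trust Inc, CN = Example Intermediate G2
 1 s:C = US, O = Example Trust Inc, CN = Example Intermediate G2
   i:C = US, O = Example Trust Inc, CN = Example Root CA
""",
]

# Constructed stand-in for a browser's root list.
TRUSTED_ROOTS = [
    "C = US, O = Example Trust Inc, CN = Example Root CA",
    "C = GB, O = Other Trust Ltd, CN = Other Root",
    "C = XX, O = Unused Trust, CN = Unused Root",
]

if __name__ == "__main__":
    chains = [chain_from_s_client(o) for o in SAMPLE_OUTPUTS]
    for root, n in tally_roots(chains):
        print(f"{n:3d}  {root}")
    print("never needed:", unused_roots(TRUSTED_ROOTS, chains))
```

Two caveats before acting on the tally. Cross-signed CAs can chain a site to different roots depending on which intermediates the server sends, so a root that looks unused may still be reachable through another path; and a site outside the top million that you personally visit can depend on a rarely used root, so spot-check before distrusting. Note also that Firefox's built-in roots live in the NSS built-in module and are not really deleted: "deleting" one in the Certificate Manager clears its trust bits, which `certutil -M -n "<nickname>" -t ",," -d sql:<profile dir>` does from the command line.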
What's more, I actually implemented his findings, deleting all but those 25 from my own browser. And after several months of (heavy) browsing, I can tell you I've never once run into a problem.
After the jump, my revelations on the bigger picture I learned through this experiment.