

Reducing the Roots of Some Evil - marcinw
http://codeascraft.com/2013/07/16/reducing-the-roots-of-some-evil/

======
tptacek
This is a great post, in which the lead security person at Etsy built a system
to determine which HTTPS/TLS CAs actually got used in traffic from their
office to the Internet. Less than 29% of the CAs their browser trusted
actually saw any use!

This sounds like something to be outraged about but is actually constructive
good news: if more people repeat the experiment, someone could invest some
engineering time into building a tool that would prune out CAs from browser
trust stores. Every CA removed from your browser is one less attack vector.

~~~
sp332
Sounds like a job for the SSL Observatory?
[https://www.eff.org/observatory](https://www.eff.org/observatory)

------
csears
This seems ok if you have a tech-savvy user base that understands how to
re-add a root certificate if they later hit a legitimate site using one of the
removed root certs. If your user base isn't that savvy, I'm afraid you would
just be training them to ignore SSL errors, which is not great.

Also, I assume the OS and browser vendors do some sort of verification before
adding a CA to their list of root certs. Is the message that we shouldn't
trust their verification efforts? If so, we should probably use something
other than popularity to do our own independent verification.

~~~
tbrownaw
It's not about extra verification, it's about reducing the attack surface.

If your browser trusts 100 different CAs, I can MITM you after compromising
any one of those 100. If you only actually use 10 of them, then you can remove
the other 90 from your trusted list and make my (the attacker's) job 10x
harder. More-or-less regardless of which individual CAs take security a bit
more seriously than the others, since they're all held to a reasonable minimum
standard.

~~~
raylu
"since they're all held to a reasonable minimum standard."

Except the ones that are too big to fail right?

[https://bugzilla.mozilla.org/show_bug.cgi?id=647959](https://bugzilla.mozilla.org/show_bug.cgi?id=647959)

------
dfc
I have done this by hand by manually "untrusting" all CAs and then enabling
them one by one as I go along. I never found a good way to move the lists of
CAs across browsers. However, for ssl-certificates in Debian, propagating the
list across different machines was a breeze with etckeeper. Being able to
apt-get install cawatch would be a lot easier.

Do you really want to rely on China's CNIC to make the decision if you should
trust a certificate?
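
The measuring-and-pruning tool the thread keeps circling back to, as an added worked example that is not a comment from the thread and not the system described in the Etsy post: fingerprint every root in a PEM bundle by SHA-256 over its DER, count how often each fingerprint turns up as the root of an observed TLS chain, write out a bundle holding only the roots that were actually used, and keep a record of what was dropped so a root can be re-added deliberately when a legitimate site later chains to it. The bundle entries (placeholder bytes, not real certificates), the handshake log format and the `# Label:` comment convention are all constructed assumptions and are labelled as such in the code.

```python
"""Prune a PEM root-CA bundle to the roots actually observed in traffic.

Added example for this thread, not Etsy's tool from the linked post. All data
is constructed: bundle entries are placeholder bytes (not real DER; only their
SHA-256 fingerprint is used) and the log has one '<host> <sha256 of root DER>'
line per TLS handshake, as a passive capture tool could emit. The certifi-style
'# Label: "..."' comment before each cert is an assumed, optional convention."""
import base64
import hashlib
from collections import Counter, namedtuple

Root = namedtuple("Root", "label fingerprint pem")


def sha256_hex(der):
    """Identify a root by SHA-256 over its DER: the same id in any trust store."""
    return hashlib.sha256(der).hexdigest()


def parse_bundle(text):
    """Return every certificate in a PEM bundle as a Root (label optional)."""
    roots, label, body = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# Label:"):
            label = line.split(":", 1)[1].strip().strip('"')
        elif line == "-----BEGIN CERTIFICATE-----":
            body = []
        elif line == "-----END CERTIFICATE-----":
            if body is None:
                raise ValueError("END CERTIFICATE without BEGIN")
            der = base64.b64decode("".join(body), validate=True)
            pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(body)
            roots.append(Root(label or "(unlabelled)", sha256_hex(der), pem))
            label, body = None, None
        elif body is not None and line:
            body.append(line)
    if body is not None:
        raise ValueError("BEGIN CERTIFICATE without END")
    return roots


def parse_observed(text):
    """Count handshakes per root fingerprint; '#' lines are comments."""
    counts = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            _host, fp = line.split()
            counts[fp.lower()] += 1
    return counts


def prune(roots, counts):
    """Split the bundle into used and unused roots. Fingerprints seen in traffic
    but absent from the bundle are reported, not dropped: the store would not have
    trusted those chains anyway (private CAs, self-signed), which is worth a look."""
    known = {r.fingerprint for r in roots}
    kept = [r for r in roots if counts[r.fingerprint]]
    removed = [r for r in roots if not counts[r.fingerprint]]
    return kept, removed, sorted(fp for fp in counts if fp not in known)


def pruned_bundle(kept):
    """Re-emit only the used roots, label comments included."""
    return "".join('# Label: "%s"\n%s' % (r.label, r.pem) for r in kept)


def removal_record(removed):
    """Fingerprint + label of each dropped root, so it can be re-added on purpose
    later rather than training users to click through the resulting error."""
    return "\n".join("%s %s" % (r.fingerprint, r.label) for r in removed)


def analyse(bundle_text, log_text):
    roots = parse_bundle(bundle_text)
    counts = parse_observed(log_text)
    kept, removed, unknown = prune(roots, counts)
    return {
        "total": len(roots), "used": len(kept),
        "used_fraction": len(kept) / len(roots) if roots else 0.0,
        "kept": [r.label for r in kept], "removed": [r.label for r in removed],
        "handshakes": {r.label: counts[r.fingerprint] for r in kept},
        "unknown_roots": unknown,
        "pruned_pem": pruned_bundle(kept), "removal_record": removal_record(removed),
    }


# ---- constructed sample data (placeholder bytes, not real certificates) ----
def fake_der(seed):
    return b"SYNTHETIC ROOT CERTIFICATE " + seed.encode()


ROOT_BUNDLE_PEM = "".join(
    '# Label: "Example Root %s"\n-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n'
    % (s, base64.b64encode(fake_der(s)).decode()) for s in "ABCDE"
)
OBSERVED_LOG = "\n".join([  # one line per observed handshake: host, root fingerprint
    "shop.example.com " + sha256_hex(fake_der("A")),
    "api.example.net " + sha256_hex(fake_der("A")),
    "mail.example.org " + sha256_hex(fake_der("C")),
    "cdn.example.com " + sha256_hex(fake_der("A")),
    "intranet.corp.example " + sha256_hex(b"PRIVATE CORP CA"),  # root not in the bundle
])

if __name__ == "__main__":
    s = analyse(ROOT_BUNDLE_PEM, OBSERVED_LOG)
    print("%d of %d trusted roots used (%.0f%%); would remove: %s; seen but not in bundle: %d"
          % (s["used"], s["total"], 100 * s["used_fraction"], ", ".join(s["removed"]), len(s["unknown_roots"])))
```

Matching on the SHA-256 fingerprint of the DER rather than on a display name is what lets one pruned list be carried across browser and OS stores that name roots differently; fingerprints that appear in traffic but not in the bundle are reported rather than silently dropped, since a chain the store would not have trusted is worth a look in its own right.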

