[Ach] You Won't Be Needing These Any More: On Removing Unused Certificates From Trust Stores

Aaron Zauner azet at azet.org
Wed Mar 19 02:10:23 CET 2014


Recommended reading:
https://www2.dcsec.uni-hannover.de/files/fc14_unused_cas.pdf

(PDF copypasta with missing characters following):

```
6 Conclusion

In this paper we argued for the removal of CA certificates that do not
sign any certificates used in HTTPS connections from desktop and browser
trust stores. We based our analysis on an Internet-wide dataset of 48
million HTTPS certificates and compared them to trust stores from all
major browser and OS vendors. We were able to identify 140 CA
certificates included in twelve trust stores from all major platforms
that are never used for signing certificates used in HTTPS. Based on
these findings, we suggest to remove or restrict these CA certificates.
Using two months' worth of TLS handshake data from our university
network, we confirmed that removing these certificates from users' trust
stores would not result in a single HTTPS warning message. Thus, this
action provides a simple and low-cost real-world improvement that users
can implement right now to make their HTTPS connections more secure. We
are working on creating tools and scripts to automate this process for
different browsers and operating systems.

Our current list of CAs we recommend for removal is a conservative one.
It includes all CAs that have never signed a HTTPS certificate. In future
work, we would like to analyze the trade-off between false positives and
the size of the trust store, as well as look into mechanisms to restrict
the capabilities of certificates on the Android platform.
```

Aaron
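The method the quoted conclusion describes, as a small added illustration (not the authors' tooling, and not code from this post): count which trust anchors the observed handshake chains actually terminate in, flag anchors no chain ever reaches, and re-validate every chain against the pruned store to confirm the removal would cause no new warnings. Certificates are modelled by subject and issuer name only (no signature checks, a deliberate simplification), and all certificate names and chains are constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # subject of the signing cert; equals subject for a self-signed root


def anchor_for_chain(chain, trust_store):
    """Walk leaf -> intermediates and return the trust anchor the chain
    terminates in, or None if no anchor in trust_store is ever reached
    (which is what produces a browser warning in practice)."""
    by_subject = {c.subject: c for c in trust_store}
    supplied = {c.subject: c for c in chain}
    current, visited = chain[0], set()
    while current.subject not in visited:  # guard against issuer loops
        visited.add(current.subject)
        if current.subject in by_subject:  # chain already contains a trusted cert
            return by_subject[current.subject]
        if current.issuer in by_subject:  # issuer is a trust anchor
            return by_subject[current.issuer]
        nxt = supplied.get(current.issuer)
        if nxt is None:  # issuer neither supplied nor trusted: incomplete chain
            return None
        current = nxt
    return None


def anchor_usage(chains, trust_store):
    """Number of observed chains that terminate in each trust anchor."""
    counts = Counter({c.subject: 0 for c in trust_store})
    for chain in chains:
        anchor = anchor_for_chain(chain, trust_store)
        if anchor is not None:
            counts[anchor.subject] += 1
    return counts


def unused_anchors(chains, trust_store):
    """Trust anchors that no observed chain relies on: removal candidates."""
    return sorted(s for s, n in anchor_usage(chains, trust_store).items() if n == 0)


def warnings_after_removal(chains, trust_store, removed):
    """Leaves that validated before but would warn after pruning `removed`."""
    pruned = [c for c in trust_store if c.subject not in removed]
    return [ch[0].subject for ch in chains
            if anchor_for_chain(ch, trust_store) is not None
            and anchor_for_chain(ch, pruned) is None]


# Constructed sample data: four roots in the store, three observed chains.
TRUST_STORE = [Cert("Root A", "Root A"), Cert("Root B", "Root B"),
               Cert("Root C", "Root C"), Cert("Root D", "Root D")]
OBSERVED_CHAINS = [
    [Cert("www.example.com", "Inter A1"), Cert("Inter A1", "Root A")],
    [Cert("shop.example.org", "Root B"), Cert("Root B", "Root B")],
    [Cert("mail.example.net", "Inter A1"), Cert("Inter A1", "Root A")],
]
```

Running `unused_anchors(OBSERVED_CHAINS, TRUST_STORE)` yields `Root C` and `Root D`, and `warnings_after_removal` with those two removed is empty, whereas removing `Root A` would break both chains that rely on it.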
