[Ach] You Won't Be Needing These Any More: On Removing Unused Certificates From Trust Stores

ianG iang at iang.org
Wed Mar 19 02:50:52 CET 2014

On 19/03/2014 01:10 am, Aaron Zauner wrote:
> Recommended reading:
> https://www2.dcsec.uni-hannover.de/files/fc14_unused_cas.pdf
> (PDF copypasta with missing characters following):
> ```
> 6 Conclusion
> In this paper we argued for the removal of CA certificates that do not
> sign any certificates used in HTTPS connections from desktop and
> browser trust stores. We based our analysis on an Internet-wide
> dataset of 48 million HTTPS certificates and compared them to trust
> stores from all major browser and OS vendors. We were able to identify
> 140 CA certificates included in twelve trust stores from all major
> platforms that are never used for signing certificates used in HTTPS.
> Based on these findings, we suggest to remove or restrict these CA
> certificates.
> Using two months' worth of TLS handshake data from our university
> network, we confirmed that removing these certificates from users'
> trust stores would not result in a single HTTPS warning message.
> Thus, this action provides a simple and low-cost real-world
> improvement that users can implement right now to make their HTTPS
> connections more secure. We are working on creating tools and
> scripts to automate this process for different browsers and
> operating systems. Our current list of CAs we recommend for removal
> is a conservative one. It includes all CAs that have never signed a
> HTTPS certificate

Nice!  Now, if they could package up a plugin or a new root list such
that we could write in 2 lines what busy sysadmins had to do, I'd say it
would make a great recommendation.

What I'm trying to get away from is the notion that we should put a
simple list in the doc and say "oh, and strip these out!  You know
how, vi is your friend..."

> In future work, we would like to analyze the trade-off between false
> positives and the size of the trust store, as well as look into
> mechanisms to restrict the capabilities of certificates on the
> Android platform.
> ```

Yes, yes yes YES!  Go guys!
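The "2 lines instead of vi" wrapper the reply asks for, reduced to its core: take a PEM trust bundle (the ca-certificates.crt style file that OpenSSL, curl and most Linux tooling read) and a list of SHA-256 fingerprints, drop the matching CA certificates, and report any fingerprint on the list that did not match so a stale list is noticed rather than silently ignored. This is an added example, not code from the paper, its authors, or anyone in this thread; the two certificate bodies and the removal list below are constructed placeholders (the bodies are not real X.509 DER), and the removal list of the paper is not reproduced here.

```python
"""Prune CA certificates from a PEM trust bundle by SHA-256 fingerprint.

Added example, not from the Hannover paper or the Ach thread. The
certificate bodies and fingerprints below are constructed placeholders.
"""
from __future__ import annotations

import base64
import hashlib
import re

# One PEM certificate block as found in a bundle; group(1) is the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def fingerprint_sha256(pem_block: str) -> str:
    """SHA-256 over the DER bytes, in the colon-separated upper-case hex form
    that `openssl x509 -noout -fingerprint -sha256` prints."""
    body = PEM_BLOCK.search(pem_block).group(1)
    der = base64.b64decode("".join(body.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def prune_bundle(bundle: str, remove: set[str]) -> tuple[str, list[str], list[str]]:
    """Return (kept_bundle, removed_fingerprints, not_found_fingerprints).

    Certificates whose SHA-256 fingerprint is in `remove` are dropped; every
    other certificate block is written back byte-for-byte. Fingerprints in
    `remove` that matched nothing are returned so the caller can tell a
    removal list that no longer applies from one that did its job.
    """
    wanted = {fp.upper() for fp in remove}
    kept, removed = [], []
    for match in PEM_BLOCK.finditer(bundle):
        block = match.group(0)
        fp = fingerprint_sha256(block)
        if fp in wanted:
            removed.append(fp)
        else:
            kept.append(block)
    kept_text = "\n".join(kept) + ("\n" if kept else "")
    return kept_text, removed, sorted(wanted - set(removed))


def _constructed_pem(der: bytes) -> str:
    """Wrap arbitrary bytes as a PEM CERTIFICATE block (placeholder, not real X.509)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"


# Constructed sample bundle: one CA we keep, one "never signs HTTPS" CA to drop.
CERT_KEEP = _constructed_pem(b"constructed placeholder: CA that signs live HTTPS certs")
CERT_UNUSED = _constructed_pem(b"constructed placeholder: CA never seen signing HTTPS certs")
SAMPLE_BUNDLE = "# constructed bundle, not a real trust store\n" + CERT_KEEP + "\n" + CERT_UNUSED + "\n"


if __name__ == "__main__":
    # Hypothetical removal list: the unused CA plus one stale entry that matches nothing.
    removal_list = {fingerprint_sha256(CERT_UNUSED), "00:" * 31 + "00"}
    kept, removed, missing = prune_bundle(SAMPLE_BUNDLE, removal_list)
    print(f"removed {len(removed)} certificate(s): {removed}")
    print(f"fingerprints on the list but not in the bundle: {missing}")
    print(f"kept {len(PEM_BLOCK.findall(kept))} certificate(s)")
```

Two caveats a sysadmin would want. First, the output drops any `#`-comment or subject lines a bundle carries between blocks, so diff the result against the original before installing it. Second, a PEM bundle is only one of the twelve stores the paper looked at: NSS databases (Firefox, Chrome on Linux) need `certutil -D -d <dbdir> -n <nickname>`, and the macOS Keychain and Windows store have their own tools, which is exactly the packaging work the reply is asking the authors to do.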

