[Ach] You Won't Be Needing These Any More: On Removing Unused Certificates From Trust Stores

szebi szebi at gmx.at
Thu Mar 20 20:55:00 CET 2014


Please keep in mind that not all of these CAs are used for TLS
certificates. Some of these CAs issue certs for mail signing,
hardware-based identification, etc.!

On 03/19/2014 02:10 AM, Aaron Zauner wrote:
> Recommended reading:
> https://www2.dcsec.uni-hannover.de/files/fc14_unused_cas.pdf
> (PDF copypasta with missing characters following):
> ```
> 6 Conclusion
> In this paper we argued for the removal of CA certificates that do not
> sign any certificates used in HTTPS connections from desktop and browser
> trust stores. We based our analysis on an Internet-wide dataset of 48
> million HTTPS certificates and compared them to trust stores from all
> major browser and OS vendors. We were able to identify 140 CA
> certificates included in twelve trust stores from all major platforms
> that are never used for signing certificates used in HTTPS. Based on
> these findings, we suggest to remove or restrict these CA certificates.
> Using two months' worth of TLS handshake data from our university
> network, we confirmed that removing these certificates from users' trust
> stores would not result in a single HTTPS warning message. Thus, this
> action provides a simple and low-cost real-world improvement that users
> can implement right now to make their HTTPS connections more secure. We
> are working on creating tools and scripts to automate this process for
> different browsers and operating systems.
> Our current list of CAs we recommend for removal is a conservative one.
> It includes all CAs that have never signed a HTTPS certificate. In future
> work, we would like to analyze the trade-off between false positives and
> the size of the trust store, as well as look into mechanisms to restrict
> the capabilities of certificates on the Android platform.
> ```
> Aaron
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
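The two steps the paper's conclusion describes, finding the trust anchors that never anchor an observed HTTPS chain and then dry-running their removal against the observed handshakes to see which chains would start to warn, as an added example for this thread (it is not the paper's tooling and not code from either poster). It works on pre-extracted certificate fields (subject, issuer, Subject Key Identifier, Authority Key Identifier) and matches by name and key identifier only; it does not parse X.509 or verify signatures, so it is an assumption that the extracted fields are trustworthy. The trust store and the observed certificates are constructed for illustration, including a cross-signed intermediate and a leaf whose intermediate was never served; the "Mail Root" entry stands for szebi's caveat: handshake data cannot show a CA's non-HTTPS uses, which is why the paper says "remove or restrict" rather than just "remove".

```python
"""Find trust anchors that never anchor an observed HTTPS chain, and dry-run
their removal against the observed chains.  Added example for the Ach thread;
not the paper's tooling.  Matching is by issuer name and AKI/SKI only, no
signature verification (an assumption of this illustration)."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    """The pre-extracted X.509 fields the matching needs (hypothetical records)."""
    subject: str
    issuer: str
    ski: str              # Subject Key Identifier, hex
    aki: Optional[str]    # Authority Key Identifier, hex; None if the extension is absent


# Constructed trust store: anchors are self-issued (subject == issuer).
TRUST_STORE = [
    Cert("CN=Example Root A", "CN=Example Root A", "a1", None),
    Cert("CN=Example Root B", "CN=Example Root B", "b1", None),
    Cert("CN=Example Mail Root", "CN=Example Mail Root", "c1", None),  # never seen in HTTPS
]

# Constructed certificates seen in HTTPS handshakes: leaves plus served intermediates.
OBSERVED = [
    Cert("CN=www.example.org", "CN=Example Intermediate A1", "l1", "i1"),
    Cert("CN=Example Intermediate A1", "CN=Example Root A", "i1", "a1"),
    Cert("CN=shop.example.net", "CN=Example Intermediate X", "l2", "x1"),
    Cert("CN=Example Intermediate X", "CN=Example Root B", "x1", "b1"),  # cross-signed by B
    Cert("CN=Example Intermediate X", "CN=Example Root A", "x1", "a1"),  # ... and by A
    Cert("CN=orphan.example.com", "CN=Missing Intermediate", "l3", "m1"),  # intermediate never served
]


def issuer_candidates(cert: Cert, pool: Iterable[Cert]) -> List[Cert]:
    """Certificates in `pool` that could have issued `cert`: the issuer name must
    equal the candidate's subject and, when `cert` carries an AKI, the AKI must
    equal the candidate's SKI.  Several matches are possible (cross-signing)."""
    return [c for c in pool
            if c.subject == cert.issuer and c is not cert
            and (cert.aki is None or cert.aki == c.ski)]


def reachable_roots(leaf: Cert, store: Set[Cert], observed: Iterable[Cert],
                    max_depth: int = 8) -> Set[Cert]:
    """Every trust anchor `leaf` can chain to through the observed intermediates.
    Breadth-first, so a cross-signed intermediate yields all roots it leads to;
    `max_depth` bounds loops among malformed intermediates."""
    pool = list(store) + list(observed)
    roots: Set[Cert] = set()
    seen: Set[Cert] = {leaf}
    queue = deque([(leaf, 0)])
    while queue:
        cert, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for parent in issuer_candidates(cert, pool):
            if parent in store:
                roots.add(parent)          # anchors are terminal, never expanded
            elif parent not in seen:
                seen.add(parent)
                queue.append((parent, depth + 1))
    return roots


def leaves(observed: Iterable[Cert]) -> List[Cert]:
    """End-entity certificates: not self-issued and not named as issuer by any
    other observed certificate (issuer name alone, so children without AKI count)."""
    observed = list(observed)
    issuer_names = {c.issuer for c in observed}
    return [c for c in observed if c.subject != c.issuer and c.subject not in issuer_names]


def used_anchors(store: List[Cert], observed: Iterable[Cert]) -> Dict[Cert, Set[str]]:
    """Map each trust anchor to the subjects of the observed leaves it anchors."""
    observed = list(observed)
    usage: Dict[Cert, Set[str]] = {root: set() for root in store}
    for leaf in leaves(observed):
        for root in reachable_roots(leaf, set(store), observed):
            usage[root].add(leaf.subject)
    return usage


def unused_anchors(store: List[Cert], observed: Iterable[Cert]) -> List[Cert]:
    """Anchors that anchor no observed HTTPS chain: the removal candidates."""
    return [root for root, subjects in used_anchors(store, observed).items() if not subjects]


def newly_broken(store: List[Cert], observed: Iterable[Cert], remove: Iterable[Cert]) -> List[str]:
    """Dry run of a removal: leaf subjects that chain to an anchor today but not
    once `remove` is gone.  Leaves that already fail (e.g. a missing intermediate)
    are not counted, so this isolates the warnings the removal itself would add."""
    observed, before = list(observed), set(store)
    after = before - set(remove)
    return sorted(leaf.subject for leaf in leaves(observed)
                  if reachable_roots(leaf, before, observed)
                  and not reachable_roots(leaf, after, observed))


if __name__ == "__main__":
    for root in unused_anchors(TRUST_STORE, OBSERVED):
        print("never anchors an observed HTTPS chain:", root.subject)
    for root in TRUST_STORE:
        print(f"removing {root.subject} breaks: {newly_broken(TRUST_STORE, OBSERVED, [root]) or 'nothing'}")
```

On the constructed data only the Mail Root is unused, and dropping it breaks nothing; dropping Root B also breaks nothing because the cross-signed intermediate still reaches Root A, while dropping Root A breaks www.example.org. The dry run deliberately ignores orphan.example.com, which already fails today, so the numbers it reports are attributable to the removal alone, which is the property the paper checked with its two months of handshake data. A real run would replace the constructed records with fields extracted from a PEM trust bundle and captured handshake chains, and would still have to decide separately, per szebi's point, whether an anchor unused for HTTPS should be deleted or merely stripped of its TLS server-authentication trust.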

