
SSLCop


In these days, when the security reputation of Certificate Authorities (CAs) has been called into question by incidents involving Verisign, Comodo or DigiNotar, it is time to ask: how many CAs do we trust through Microsoft or Mozilla?

The answer is here (in Microsoft's case) and, I am sure, there are more CAs than you were able to guess before clicking the link.

There are CAs from countries with a dubious reputation or non-democratic governments, such as China, Bermuda or Macao.

The problem with the current PKI model is that every CA marked as "trusted" (regardless of whether it is big and famous) is able to issue valid certificates for any Internet domain (this applies to Google, Facebook or your online bank's site).

So, do you really need to trust all those CAs? In our opinion: no, you don't need to trust such a large number of CAs. Most likely you only need to trust a few big, well-known CAs and, depending on your country, your local CAs.

For example, if you are Dutch, do you really need to trust the CAs from Portugal, Spain or Uruguay (typically used for local e-Government activities)?

I am pretty sure you don't. Keep in mind that if one of these CAs were compromised, it could be used to issue fake certificates that would affect your "secure" browsing.


So the first hardening principle applies here: if you don't need it, disable it.
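Before disabling anything, it helps to know which countries the roots in your store actually come from. The following is an added example, not SSLCop's own code: it counts the trusted roots per country (the `C=` attribute of each root's name) and lists the countries that are not on an allow-list you choose. It uses only the Python standard library; the sample store is constructed inline from minimal DER `Name` fragments standing in for full certificates, and `load_windows_root_store` (Windows only) shows how the real DER certificates would be obtained.

```python
"""Inventory a root-certificate store by country (standard library only)."""
from collections import Counter

# DER bytes of the X.500 attribute type countryName (OID 2.5.4.6) followed by
# a two-character PrintableString value:  06 03 55 04 06  13 02 <C> <C>
COUNTRY_NAME_OID = bytes.fromhex("0603550406")
PRINTABLE_STRING_LEN2 = bytes.fromhex("1302")


def country_of(der_cert: bytes) -> str:
    """Return the C= attribute of the first Name found in a DER certificate.

    Assumption: the store holds self-signed roots, where issuer == subject, so
    the first countryName encountered is the CA's own. Roots without C= are
    reported as "unknown" so they still show up for review.
    """
    marker = COUNTRY_NAME_OID + PRINTABLE_STRING_LEN2
    pos = der_cert.find(marker)
    if pos < 0:
        return "unknown"
    start = pos + len(marker)
    return der_cert[start:start + 2].decode("ascii")


def count_by_country(store) -> Counter:
    """Number of trusted roots per country code."""
    return Counter(country_of(cert) for cert in store)


def countries_to_review(store, keep) -> list:
    """Countries present in the store but not on the allow-list `keep`."""
    return sorted(c for c in count_by_country(store) if c not in keep)


def load_windows_root_store() -> list:
    """On Windows, read DER certificates from the machine ROOT store (stdlib ssl)."""
    import ssl  # ssl.enum_certificates exists only on Windows
    return [cert for cert, enc, _trust in ssl.enum_certificates("ROOT")
            if enc == "x509_asn"]


def _name_fragment(country: str) -> bytes:
    """Constructed stand-in for a root: just the DER Name `C=<country>`,
    i.e. SEQUENCE { SET { SEQUENCE { OID 2.5.4.6, PrintableString } } }."""
    attr = COUNTRY_NAME_OID + PRINTABLE_STRING_LEN2 + country.encode("ascii")
    rdn = b"\x30" + bytes([len(attr)]) + attr
    rdn_set = b"\x31" + bytes([len(rdn)]) + rdn
    return b"\x30" + bytes([len(rdn_set)]) + rdn_set


# Constructed sample store: seven roots with a country, one (empty SEQUENCE) without.
SAMPLE_STORE = [_name_fragment(c) for c in ("US", "US", "NL", "ES", "PT", "UY", "CN")]
SAMPLE_STORE.append(b"\x30\x00")

if __name__ == "__main__":
    print(count_by_country(SAMPLE_STORE))
    print("review:", countries_to_review(SAMPLE_STORE, keep={"US", "NL"}))
```

On a real Windows machine replace `SAMPLE_STORE` with `load_windows_root_store()`; a root that truly has no country attribute, as well as any country outside your allow-list, is a candidate for the "if you don't need it, disable it" rule.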