[Mafana0]

>In a similar vein, I've deleted all the trusted root CA certs from my computer, and am now marking individual certs trusted as I hit them. Not fail-safe, but safer, I think.

Excuse my ignorance, could you tell why it's useful to remove the certs from a PC. I've heard about root certs a couple of times already but don't understand what they really are.

[asharp]

Basically if you see a certificate on the interwebs, it goes through and says:

"This particular website is X". And it can back this up with all sorts of fancy math.

The problem then, is how do you know that the particular certificate is correct? I can go through and make a certificate saying that i'm santa clause. How you get around that is by using another certificate that you already have, and using that to certify the websites certificate. Ie. if you trust godaddy (or the hong kong post office), and I have a certificate saying that i'm me, signed by godaddy, then you can trust that i'm me.

The collection of certificates that you trust are then called the "root ca", and having random certificates there is a problem because if one of them was to produce a forged certificate, you'd never know about it. ie. by adding in untrusted certificates to your root ca, you lose trust in the whole certificate chain of trust process.

[Mafana0]

Thanks for the explanation. After taking a look at the certificates that come with Windows, I can see that there are dozens of trusted root certificates, issued by some organizations that I've never heard of. Can I really trust those "root ca"? especially that I noticed some differences between the two PCs that I've checked!

[tonfa]

Usually the OS or browser vendor chose them, so it is normal that they differ between computers. But the CA trust chain really sucks, as one compromized CA compromizes everything (the security of the system relies on the security of the weakest root CA).