Reducing the Roots of Some Evil (opens in new tab)

This is a great post, in which the lead security person at Etsy built a system to determine which HTTPS/TLS CA's actually got used in traffic from their office to the Internet. Less than 29% of the CAs their browser trusted actually saw any use!

This sounds like something to be outraged about but is actually constructive good news: if more people repeat the experiment, someone could invest some engineering time into building a tool that would prune out CAs from browser trust stores. Every CA removed from your browser is one less attack vector.

This seems ok if you have a tech-savvy user base that understands how to re-add a root certificate if they later hit a legitimate site using one of the removed root certs. If you user base isn't that savvy, I'm afraid you would just be training them to ignore SSL errors, which is not great.

Also, I assume the OS and browser vendors do some sort of verification before adding a CA to their list of root certs. Is the message that we shouldn't trust their verification efforts? If so, we should probably use something other than popularity to do our own independent verification.

I have done this by hand by manually "untrusting" all CAs and then enabling them one by one as I go along. I never found a good way to move the lists of CAs across browsers. However for ssl-certificates in Debian propagating the list across different machines was a breeze with etckeeper. Being able to apt-get install cawatch would be a lot easier.

Do you really want to rely on China's CNIC to make the decision if you should trust a certificate?