Slashdot: News for Nerds

A month with only 10 trusted root CA certificates

krypticmind (1369357) writes | more than 4 years ago

Security 1

krypticmind (1369357) writes "Researcher Nasko Oskov from netsekure.org has spent 30 days trusting only 10 CA root certificates in his browser and details the findings in his blog. "It was an interesting one month and I’ve learned a bunch. The main takeaway from this experiment is that I don’t need 3 digit number of trusted CAs in my browser." This comes after previous concerns on breaking the chain of trust for certificates here (http://yro.slashdot.org/story/10/03/26/1334254/Government-Could-Forge-SSL-Certificates)."

1 comment

Windows trusts more CAs than they show in the UI (1)

schwaang (667808) | more than 4 years ago | (#32164642)

As Christopher Soghoian and Sid Stamm point out in their recent paper [cloudprivacy.net] regarding man-in-the-middle attacks on SSL, apps like IE that rely on Windows' Trusted Store will reach out to a Microsoft server to decide whether a CA is trusted. So the short list of CAs you might see in IE's UI isn't anywhere near the whole story:

Thus, any web browser that depends upon Microsoft's Trusted Root Store (such as Internet Explorer, Chrome and Safari for Windows) ultimately trusts 264 different CAs to issue certificates without warning, although only a handful of them are listed in the operating system's user interface.

TFA refers to this through links to MS docs, but it's worth stating up front since most Windows users wouldn't realize it.
