
Why are there so many odd certificates listed in my browser?

Question:

Looking around at my Firefox tools, I decided to look at the certificates
listed there out of curiosity. Many don’t make sense including a number that
appeared to be from Turkey. Is there a way to know which ones should be allowed
and which ones should be deleted? I use Vista, 32 bit.

In this excerpt from Answercast #79, I look at the numerous root certificates that are included in browsers and recommend that people don’t delete them.


Understanding certificates in my browser?

Ultimately, no. The problem is this: these are called the “root certificates.” These are the certificates that your computer trusts by default.

We make the assumption that the browser manufacturer (in your case, Firefox) or the operating system vendor (Microsoft in the case of Windows, or Apple in the case of Macintosh’s OS X) has somehow vetted and secured the default set of root certificates that are included with whatever software it is they’re providing (like I said, the operating system, or sometimes, in Firefox’s case, the browser).

Yes, there are many and they might not make sense to you and me. In fact, I would claim that the vast majority are never used.

The results of deleting certificates

The issue is that they might be! You don’t necessarily know who the signing authority is: who it is that is securing or authenticating an https website when you visit that website.

If, for whatever reason, you visited a site that happened to get its secure certificate from a certificate authority that originates with that Turkey certificate, then you would not be able to connect to that site and know that it was secure. You would probably still be able to connect to it, but you would get a warning every time you did if that Turkey certificate were not installed on your machine.

Now, yes, I agree. Turkey – pretty darned unlikely.

Depending on what browser you’re looking at, there may be something like 200 different certificates that come pre-installed with the browser or with the operating system. Those are there to support the browser and the operating system when working in all these different places, where people are accessing sites that are very legitimately getting their https certificates signed by all of these different signing authorities.

Don’t remove certificates

In my opinion, it’s way more effort, way more work than it’s worth, to go through and remove ones that you’re uncertain of.

For many, the risk is pretty low. You’re not going to have a problem if you remove it. For some, like I said, you’re going to find out that, “Oh, gosh! When I visit such and such site, well, they originate in Europe… and this one certificate authority that I just deleted because I didn’t understand it? That’s the one they needed!”

Getting them back in gets to be a little bit problematic.

So my recommendation is yes, it’s an interesting curiosity. It does reflect what I consider to be a weakness in the SSL and https system, but it is not something that I recommend generally that people go in and play around with.

They are all by definition supposed to be good. They are all by definition supposed to be trustworthy.

I say “by definition” because of course depending on the situation, you may feel otherwise – but that’s the intent of the system and I wouldn’t recommend messing around with it until (or unless) we have a specific problem we’re trying to resolve that would involve that.

(Transcript lightly edited for readability.)
