Why are there so many odd certificates listed in my browser?

In this excerpt from
Answercast #79, I look at the numerous root certificates that are included
in browsers and recommend that people don’t delete them.

]]>
<![CDATA[

Understanding certificates in my browser?

Ultimately, no. The problem is this: these are called the “root certificates.” These are the certificates that your computer trusts by default.

We make the assumption that the browser manufacturer (in your case, Firefox) or the operating system vendor (Microsoft in the case of Windows, or Apple in the case of Macintosh’s OSX) have somehow vetted and secured the default set of root certificates that are included – with whatever software it is they’re providing (like I said, the operating system, or sometimes in Firefox’s case, the browser.)

Yes, there are many and they might not make sense to you and me. In fact, I would claim that the vast majority are never used.

The results of deleting certificates

The issue is that they might be! You don’t know necessarily who the signing authority is, who it is, that is securing or authenticating an https website when you visit that website.

If, for whatever reason, you visited a site that happened to get to their secure certificate from a certificate authority that originates with that Turkey certificate, then you would not be able to connect to that site and know that it was secure. You would probably still be able to connect to it, but you would get a warning every time you did if that Turkey certificate were not installed on your machine.

Now, yes, I agree. Turkey – pretty darned unlikely.

Depending on what browser you’re looking at, there may be something like 200 different certificates that come pre-installed with the browser or with the operating system. Those are to support the browser and the operating system when working in all these different places – where people are accessing sites that are very legitimately getting their http certificates signed by all of these different signing authorities.

Don’t remove certificates

In my opinion, it’s way more effort, way more work than it’s worth, to go through and remove ones that you’re uncertain of.

For many, the risk is pretty low. You’re not going to have a problem if you remove it. For some, like I said, you’re gonna find out that, “Oh, gosh! When I visit such and such site, well, they originate in Europe… and this one certificate authority that I just deleted because I didn’t understand it? That’s the one they needed!”

Getting them back in gets to be a little bit problematic.

So my recommendation is yes, it’s an interesting curiosity. It does reflect what I consider to be a weakness in the SSL and https system, but it is not something that I recommend generally that people go in and play around with.

They are all by definition supposed to be good. They are all by definition supposed to be trustworthy.

I say “by definition” because of course depending on the situation, you may feel otherwise – but that’s the intent of the system and I wouldn’t recommend messing around with it until (or unless) we have a specific problem we’re trying to resolve that would involve that.

(Transcript lightly edited for readability.)