Fwd^2: ---------- Forwarded message ---------- From: Aaron Zauner ... Date: Tue, Mar 18, 2014 at 6:10 PM Subject: [Ach] You Won't Be Needing These Any More:, On Removing Unused Certi cates From Trust, Stores Recommended reading: https://www2.dcsec.uni-hannover.de/files/fc14_unused_cas.pdf (PDF copypasta with missing characters following): ``` 6 Conclusion In this paper we argued for the removal of CA certi cates that do not sign any certi cates used in HTTPS connections from desktop and browser trust stores. We based our analysis on an Internet-wide dataset of 48 million HTTPS certi cates and compared them to trust stores from all major browser and OS vendors. We were able to identify 140 CA certi cates included in twelve trust stores from all major platforms that are never used for signing certi cates used in HTTPS. Based on these ndings, we suggest to remove or restrict these CA certi cates. Using two months' worth of TLS handshake data from our university network, we con rmed that removing these certi cates from users' trust stores would not result in a single HTTPS warning message. Thus, this action provides a simple and low-cost real-world improvement that users can implement right now to make their HTTPS connections more secure. We are working on creating tools and scripts to automate this process for different browsers and operating systems. Our current list of CAs we recommend for removal is a conservative one. It includes all CAs that have never signed a HTTPS certi cate. In future work,we would like to analyze the trade-off between false positives and the size of the trust store, as well as look into mechanisms to restrict the capabilities of certi cates on the Android platform. ``` Aaron _______________________________________________ Ach mailing list Ach@lists.cert.at http://lists.cert.at/cgi-bin/mailman/listinfo/ach