Fwd: [Ach] You Won't Be Needing These Any More:, On Removing Unused Certi cates From Trust, Stores

[coderman]

Fwd^2:

---------- Forwarded message ----------
From: Aaron Zauner ...
Date: Tue, Mar 18, 2014 at 6:10 PM
Subject: [Ach] You Won't Be Needing These Any More:, On Removing
Unused Certi cates From Trust, Stores


Recommended reading:
https://www2.dcsec.uni-hannover.de/files/fc14_unused_cas.pdf

(PDF copypasta with missing characters following):

```
6 Conclusion
In this paper we argued for the removal of CA certi cates that do not
sign any certi cates used in HTTPS connections from desktop and browser
trust stores. We based our analysis on an Internet-wide dataset of 48
million HTTPS certi cates and compared them to trust stores from all
major browser and OS vendors. We were able to identify 140 CA
certi cates included in twelve trust stores from all major platforms
that are never used for signing certi cates used in HTTPS. Based on
these ndings, we suggest to remove or restrict these CA certi cates.
Using two months' worth of TLS handshake data from our university
network, we con rmed that removing these certi cates from users' trust
stores would not result in a single HTTPS warning message. Thus, this
action provides a simple and low-cost real-world improvement that users
can implement right now to make their HTTPS connections more secure. We
are working on creating tools and scripts to automate this process for
different browsers and operating systems.
Our current list of CAs we recommend for removal is a conservative one.
It includes all CAs that have never signed a HTTPS certi cate. In future
work,we would like to analyze the trade-off between false positives and
the size of the trust store, as well as look into mechanisms to restrict
the capabilities of certi cates on the Android platform.
```

Aaron


_______________________________________________
Ach mailing list
Ach at lists.cert.at
http://lists.cert.at/cgi-bin/mailman/listinfo/ach