Comment by mike_hearn

11 years ago

You can revoke your trust in any CA at any time, you don't even need to see any errors! Just click the little padlock each time you visit a secure website and see if the CA is in your good books. If it's not, pretend the padlock isn't there!

OK, that's a little awkward. A browser extension could automate this. But in practice, nobody wants to do this, because hardly anyone has opinions on particular CAs. It's a sort of meta-opinion - some people feel strongly they should be able to feel strongly about CAs, but hardly anyone actually does. So nobody uses such browser extensions.

Can't you just delete the CA from the browser?

On Firefox it's preferences -> advanced -> certificates -> view certificates.

  • Yes you can. Obviously, you can choose not to make secure connections with sites certified by a CA you don't trust. But then you just can't use your bank's website anymore, or your search engine, or whatever.

    Users have a clear stake in whatever informational exchange occurs between them and the websites they access. We should have the authority to participate in determining the terms on which that exchange is secured.

  • I'm curious as to whether Firefox's sync functionality propagates CA overrides across machines. If not, then this is something you'd have to repeat for every machine you use, making it effectively too tedious to be practical.

    • It doesn't yet, unfortunately. There's a related feature request for syncing user added certificates:

      https://bugzilla.mozilla.org/show_bug.cgi?id=583935

      But syncing which certificates to delete is probably a much harder sell.

      At least there's a way to do it programmatically:

          apt-get install libnss3-tools
          # -d points at the profile's NSS database, -D deletes, -n selects by nickname
          # (list the nicknames in the database first with: certutil -d <profile dir> -L)
          certutil -d "/home/$USER/.mozilla/firefox/$FIREFOX_PROFILE" -D -n "$TARGET_CA_NAME"
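An added, self-contained example of the certutil approach above (this is my script, not the commenter's): it builds a throwaway NSS database of the same kind Firefox keeps in its profile (cert9.db/key4.db), installs a constructed self-signed CA under the made-up nickname `testca` as a trusted root, then marks it explicitly distrusted with `-M -t "p,p,p"` instead of deleting it with `-D`. The distinction matters for built-in roots: those come from the read-only NSS builtins module, not from the profile database, so `-D` cannot remove them, whereas an explicit distrust record in the profile (the `p` flag, which is what Firefox's own "Distrust" button writes) overrides them. The database path and nickname are assumptions; it only requires `certutil` from libnss3-tools.

```shell
#!/bin/sh
# Added example: manage CA trust in an NSS certificate database with certutil
# (from libnss3-tools on Debian/Ubuntu, nss-tools on Fedora).
#
# Trust attribute letters used below (see certutil(1)):
#   C  trusted CA                 p  prohibited, i.e. explicitly distrusted
#   T  trusted to issue client certs
# The three comma-separated slots are SSL, S/MIME and code signing.
set -eu

# nss_db_init DIR: create an empty NSS database (sql format, like Firefox's
# cert9.db) with no master password.
nss_db_init() {
    mkdir -p "$1"
    certutil -N -d "sql:$1" --empty-password
}

# nss_make_test_ca DIR NICK: generate a throwaway self-signed CA and store it
# as a fully trusted root (C,C,C). Constructed test data, not a real CA.
nss_make_test_ca() {
    head -c 2048 /dev/urandom > "$1/noise.bin"   # RNG seed so -S does not prompt
    certutil -S -d "sql:$1" -n "$2" -s "CN=$2,O=Example" -x -t "C,C,C" \
             -k rsa -g 2048 -v 12 -z "$1/noise.bin"
}

# nss_trust_flags DIR NICK: print the trust column for NICK from `certutil -L`,
# e.g. "CT,C,C" before distrust or "p,p,p" after it.
nss_trust_flags() {
    certutil -L -d "sql:$1" | awk -v nick="$2" '$1 == nick { print $NF }'
}

# nss_distrust DIR NICK: keep the certificate but mark it explicitly distrusted
# for every purpose. For a Firefox profile this is the equivalent of
# "Delete or Distrust" on a built-in root, which cannot be deleted because it
# lives in the read-only builtins module rather than in the profile database.
nss_distrust() {
    certutil -M -d "sql:$1" -n "$2" -t "p,p,p"
}

# nss_delete DIR NICK: remove an imported certificate outright (the -D from the
# thread). Only works for certificates stored in this database.
nss_delete() {
    certutil -D -d "sql:$1" -n "$2"
}

# demo_distrust_ca: end-to-end run in a temporary database. Prints the trust
# flags before and after distrusting the constructed CA.
demo_distrust_ca() {
    db=$(mktemp -d)
    trap 'rm -rf "$db"' EXIT
    nss_db_init "$db" >/dev/null
    nss_make_test_ca "$db" testca >/dev/null 2>&1
    before=$(nss_trust_flags "$db" testca)
    nss_distrust "$db" testca
    after=$(nss_trust_flags "$db" testca)
    echo "before: $before"
    echo "after:  $after"
}

# Run the demo only when invoked as `sh distrust-ca.sh demo`, so the functions
# above can also be sourced and pointed at a real profile directory, e.g.
#   nss_trust_flags "$HOME/.mozilla/firefox/$FIREFOX_PROFILE" "$TARGET_CA_NAME"
if [ "${1-}" = "demo" ]; then
    demo_distrust_ca
fi
```

Against a real profile, run it with Firefox closed (the database is locked while the browser runs) and use `certutil -L` first to find the exact nickname, since built-in roots show up with a "Builtin Object Token:" prefix only when the builtins module is loaded.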

> A browser extension could automate this.

Unfortunately, it couldn't on Chrome, because you can't even access a page's certificate from an extension in Chrome:

http://stackoverflow.com/questions/18689724/get-fingerprint-...

And Firefox's certificate API is not much better, only passive access without ability to block connections if you detect an unwanted cert.

Can't you just remove the cert from your OS/browser's trust store? I can do this on Ubuntu + Firefox.

Incidentally, I can also add my own CA.