Who do I trust?

I recently read an excellent article by Ben Laurie that proposes methods that evil companies like Phorm could use to intercept SSL communications. This got me thinking about whom I actually trust when I’m using the Web.

Most people install an Operating System and simply trust whatever Certificate Authorities it happens to come with. A quick check on my Debian box reveals a list of 284 certificates that I have in effect placed complete faith in. That’s a lot of blind faith, especially when many of those certificates are owned by companies like AOL Time Warner, whom I have no faith in at all. I’m intrigued to understand what the secure approach to this problem actually is. Should I delete all those CA certificates from my browsers and check them out individually as and when I visit an SSL site? Not an easy proposition, as it’s hard to make an educated assessment. It would be interesting to know how many CAs I would end up with if I took this approach. I bet it’s a lot less than 284.
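The "check them out individually" idea above amounts to keeping an allowlist of CA fingerprints you have actually reviewed and comparing the installed bundle against it. The script below is an added example (not from the article) that does that inventory using only the Python standard library: it parses a PEM bundle, computes the SHA-256 fingerprint of each certificate, de-duplicates, and reports which ones are not yet on the allowlist. The bundle it ships with is constructed from placeholder bytes so it runs offline; the Debian path `/etc/ssl/certs/ca-certificates.crt` and the allowlist contents are assumptions you would replace with your own.

```python
"""Inventory a PEM CA bundle and compare it against a reviewed allowlist.

Added example; standard library only. The DER payloads in SAMPLE_BUNDLE are
constructed placeholders, not real certificates, so the script runs offline.
Pass a path such as /etc/ssl/certs/ca-certificates.crt (Debian's bundle,
assumed location) to audit a real trust store.
"""
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_block(payload: bytes) -> str:
    """Wrap raw bytes as a PEM CERTIFICATE block (used only to build the sample)."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(payload).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed sample: three blocks, the third a duplicate of the first.
SAMPLE_BUNDLE = (
    "# comments and blank lines between blocks are ignored\n"
    + pem_block(b"CONSTRUCTED PLACEHOLDER CA 1 (not a real certificate)")
    + pem_block(b"CONSTRUCTED PLACEHOLDER CA 2 (not a real certificate)")
    + pem_block(b"CONSTRUCTED PLACEHOLDER CA 1 (not a real certificate)")
)


def load_bundle(text: str) -> list:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit(text: str, approved: set) -> dict:
    """Count certificates and split unique fingerprints into approved/unreviewed."""
    fps = [fingerprint(der) for der in load_bundle(text)]
    unique = sorted(set(fps))
    return {
        "total": len(fps),
        "unique": len(unique),
        "approved": [fp for fp in unique if fp in approved],
        "unreviewed": [fp for fp in unique if fp not in approved],
    }


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_BUNDLE
    # The allowlist is the set of fingerprints you have personally checked out;
    # here it is constructed to contain only the first sample CA.
    approved = {fingerprint(load_bundle(SAMPLE_BUNDLE)[0])}
    report = audit(text, approved)
    print(f"{report['total']} certificates, {report['unique']} unique")
    print(f"{len(report['approved'])} approved, "
          f"{len(report['unreviewed'])} still unreviewed:")
    for fp in report["unreviewed"]:
        print("  ", fp)


if __name__ == "__main__":
    main(sys.argv)
```

Run with no arguments to see the sample report (3 certificates, 2 unique, 1 unreviewed); run with a bundle path to list every fingerprint you have not yet vetted. Fingerprinting the DER rather than trusting the subject name means a renamed or re-issued root shows up as unreviewed instead of silently matching.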
