This is a text-only version of the following page on https://raymii.org:
---
Title       :   Which Root Certificates should you trust? Find out with CertInfo
Author      :   Remy van Elst
Date        :   01-01-2024 09:00
Last update :   15-01-2024 22:03
URL         :   https://raymii.org/s/software/Which_Root_Certificates_Should_You_Trust_CertInfo.html
Format      :   Markdown/HTML
---



Which Root Certificates should you trust? Did you know that any certificate authority can issue a certificate for any website? There are protocols in place so that should not happen, but when (not if, when) they get hacked or coerced by their government, they can issue a certificate to intercept secure communication for any website.
I've made an open source program, [CertInfo](https://github.com/raymiiOrg/certinfo) that analyzes your browser history and queries all visited domains for their certificates. It presents a list of used root certificates (meaning, a website you visited was ultimately signed by that root CA) and a list of unused root certificates (meaning, no website in your analyzed history was signed by that root CA).




This allows you to remove all Root Certificates that you will probably never
encounter. Meaning you will receive a scary browser warning if such a CA issues
a certificate for a website you visit. Cleaning up your root store could reduce
the risk of a successful MITM attack.

### Download CertInfo

I've provided an [installer download]
(https://github.com/RaymiiOrg/CertInfo/releases/download/2024.02/CertInfoSetup.exe)
here via [Github Releases]
(https://github.com/RaymiiOrg/CertInfo/releases), compiled as a
32-bit Qt C++ application, so it **will run on Windows 7 and up (to 11)**. If
you use Linux, go and install Qt Creator and compile the program yourself.
Deploying my [other app](https://leafnode.nl) cross-platform is such a chore,
I'd rather not do it for 2 apps.


**Update 15-01-2024**: I've released a new version which supports loading the
history from Microsoft's Edge browser.

**Update 04-01-2024**: I've released a new version which notifies you that you
need to close the browser before opening a history file and a few more bugfixes.

Per Root Certificate you can see which domains in your history were signed by
this CA:


In my case quite a bit of unused root certificates, even the Dutch Government
CA (`Staat der Nederlanden Root CA`):




The largest CA for my browsing history is Let's Encrypt (`DST Root CA X3`),
followed by `Globalcert` and `Digicert`:


You can export the result to a text file which includes
all certificate information as shown on screen plus their
`PEM` export.

<p class="ad"> <b>Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:</b><br><br> <a href="https://leafnode.nl">I'm developing an open source monitoring app called  Leaf Node Monitoring, for windows, linux & android. Go check it out!</a><br><br> <a href="https://github.com/sponsors/RaymiiOrg/">Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.</a><br><br> <a href="https://www.digitalocean.com/?refcode=7435ae6b8212">You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days. </a><br><br> </p>




#### Where is my Firefox history?

The path to your Firefox profile folder which contains the history file
named `places.sqlite` is:

   %APPDATA%\Mozilla\Firefox\Profiles\

Via Firefox you can click the `menu` button, click `Help` and select `More
Troubleshooting Information`. Under the `Application Basics` section next to
`Profile Folder`, click `Open Folder`, that should also open the folder
containing the `.sqlite` database.


#### Where is my Chrome history?

The path to your Chrome profile folder which contains the history file
named `history` (no extension) is:

   %LOCALAPPDATA%\Google\Chrome\User Data

In some cases the file is in a subfolder named `Default`.

Via Chrome you can navigate to `chrome://version`, then look for the `Profile
Path`


#### A list of domains

If you don't want to analyze your browsing history or use an unsupported browser
you can provide a text file with one domain per line. No `https://` in front,
no path or whatsoever at the back, just the domain.

This file will be sorted and the domains in it queried just as the browser
history would.


### Root Certificates

What is a root certificate? The root certificate is the starting point of a
chain of trust upon which an SSL certificate is issued. The root certificate
belongs to a Certificate Authority.

The root certificate is used to issue intermediate certificates, that in term
make it possible to register SSL certificates for end users. These certificates
inherit the trust level from the root certificate.

Each browser or operating system contains a list of approved root certificates.
Whenever a website is visited over a TLS connection, the validity of the
certificate is checked by verifying the fingerprints of the certificate and the
accompanying intermediate certificate, until the fingerprint of the root has
been reached. This is then checked against the root certificate in the browser.
If these do not match, the certificate will not be valid.

### Should you implicitly trust all certificate authorities?

TL;DR: You, as a technical competent person, no, probably not. Should you go and
remove root certificates from your aunt's iPad? No, probably also not.

In the Twit.tv podcast Security Now, [episode #951]
(https://twit.tv/shows/security-now/episodes/951?autostart=false) ([show notes
here]
(https://web.archive.org/web/20240101114338/https://www.grc.com/sn/SN-951-Notes.pdf))
it was stated that just 7 certificate authorities in total (of around 85)
account for 99% of all currently (late 2023) unexpired web certificates. Let's
Encrypt is at almost half of that (47%) followed up by DigiCert (22%) then
Sectigo (former Comodo, 11%).


The Dutch government has the `Staat der Nederlanden Root CA` (See [PKIOverheid]
(https://cert.pkioverheid.nl/)). (I used to work for a CA operating under that
root, Digidentity). Another sub-CA, [DigiNotar]
(https://en.wikipedia.org/wiki/DigiNotar) was hacked, issuing over 500 fake
certificates.


China has at least 2, `CNNIC` and `WoSign CA Limited`, both of then being caught
issuing [fake certificates](https://en.wikipedia.org/wiki/Root_certificate). In
the past [China has even done BGP hijacking to, allegedly, issue valid
certificates]
(https://web.archive.org/web/20240101123751/https://www.securityweek.com/should-you-be-worried-about-bgp-hijacking-your-https/).

[Here is a list]
(https://web.archive.org/web/20240101112719/https://ssl-tools.net/certificates)
of Root Certificate Authorities. If you never visit anything related to
Venezuela, you might not need to trust ` Sistema Nacional de Certificacion
Electronica `. If you never do any business related to China, or even if you
do, you probably want to remove Chinese and Taiwanese root certificates.


### How to remove (untrust) certificate authorities?

I'm not giving instructions on how to remove certificates. I expect you to be
technical and competent enough to figure that out yourself. **Make a backup
before you start**.

You could break stuff and re-adding them might be hard, so do a bit of research
beforehand.

I also do not want random people breaking their computer. Analyzing your browser
history is fine, ask your local computer expert for help on any further steps.



### What more can you do?

In theory you could add a CAA DNS record that states which Certificate
Authorities can issue a certificate for your domain.

The CAA record is a DNS record type that allows domain name owners extra control
over SSL certificates that can be issued for their domains. You define which CA
is allowed to issue what type of certificates, if any, for your domain. The CAA
record type has been defined in 2013. Although the usage of CAA was quite
common, it wasn't required until recently. Starting from September 2017,
Certificate Authorities are required to check the CAA-record as part of the
issuing process. More info on [CAA records here]
(https://web.archive.org/web/20230925222416/https://www.xolphin.com/support/Terminology/CAA_DNS_Records).


But in practice, a rogue (hacked) CA will of course not check that record and
just issue the certificate. It will also not protect you from trust issues,
since that hacked CA is still trusted by your browser.

You can also set up Certificate Transparency (CT) log monitoring. Each CA must
announce every certificate they are (going to or have ) issued in a public log,
allowing to spot misuse quickly. [Cloudflare offers monitoring]
(https://web.archive.org/web/20240101123809/https://blog.cloudflare.com/introducing-certificate-transparency-monitoring/)
and Google Chrome checks all certificates against [CT logs]
(https://web.archive.org/web/20240101124200/https://googlechrome.github.io/CertificateTransparency/ct_policy.html).




### Future improvements

I'd like to hear from you what you think of this new tool and if it's
helpful. I'm also not really happy with the name, `CertInfo` seems like
way too generic. If you know of any better name, let me know.


In the future I want to add some sort of more exploratory mode,
where you click a (root) certificate and are able to click trough to all
other certs that were signed by it, or its parent. More a graph like structure,
but that was a bit hard to do with Qt/QML.

But please, send me an email with comments!




### License and more information

- License: GNU GPLv3
- Author: Remy van Elst
- [Source on Github](https://github.com/RaymiiOrg/CertInfo)


The app icon is from the KDE Breeze Icon Theme and is licensed under the
GNU Lesser General Public License v2.1

---

License:
All the text on this website is free as in freedom unless stated otherwise.
This means you can use it in any way you want, you can copy it, change it
the way you like and republish it, as long as you release the (modified)
content under the same license to give others the same freedoms you've got
and place my name and a link to this site with the article as source.

This site uses Google Analytics for statistics and Google Adwords for
advertisements. You are tracked and Google knows everything about you.
Use an adblocker like ublock-origin if you don't want it.

All the code on this website is licensed under the GNU GPL v3 license
unless already licensed under a license which does not allows this form
of licensing or if another license is stated on that page / in that software:

   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.

Just to be clear, the information on this website is for meant for educational
purposes and you use it at your own risk. I do not take responsibility if you
screw something up. Use common sense, do not 'rm -rf /' as root for example.
If you have any questions then do not hesitate to contact me.

See https://raymii.org/s/static/About.html for details.

You are viewing proxied material from raymii.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.