"Certificate Authorities" How do they load onto a machine/ what's the best way to clean them up?

[sangfroid]

I reread the whole “protect your computer” sticky, and saw no mention of certificate validation, so here’s my question:
I use the current Firefox version, Windows 7, and went into the “tools>options>advanced>encryption>view certificates” area of Firefox and saw a laundry list of certificates, of which more than a few seemed of dubious origin.

The top of the list states the following:

“You have certificates on file that identify these authorities”

Here’s one:
“Turktrust elektronik sertifika” (?) Yeh, right.

Others are recognizable (e.g. Microsoft)

They are all listed as either:

Builtin object token, or
Software security device

I run current antivirus, malware, etc., and have had no problems at all, so my concern is more like - just what the heck are all these certs., how did/do they arrive, and can I delete the more obvious ones I don’t recognize without issue? (there is a permanent delete option)

I generally don’t browse to questionable sites, and my overall computer hygiene is pretty good, I think. Read the Wiki on certs (confusing and unclear, sayeth the little wiki broom -needs clarification), and Google wasn’t much help either.

Can someone clue me in on what’s up here?

Thanks for any insight.

[The_Librarian]

As I understand the process:

Certificates are used by sites to “prove” that they are the site they claim to be.

If you go to httpS://yourbank.com your browser is presented with a “certificate”, then your browser checks with the corresponding “authority” that this site and this certificate go together.

Authorities have to be approved by your browser.

There is nothing to clean up. (the actual files are relatively small)

Most “Authorities” have obscure names you wouldn’t recognize.

[kombatminipig]

I am actually a professional in this field, but I’ll try to explain as simply as I can:

There are a certain number of entities out there known as Certificate Authorities (or CAs), both private (like Verisign or Comodo Group) and government. These are what’s known as trusted third parties. The other two parties in this case are your browser (and you by extension) and whatever site you’re visiting, such as your bank or Facebook, basically any site that uses encryption (which you can see by the https in the address bar) to communicate with you in order to protect against eavesdropping and interception.

Before the two of you begin communicating over a trusted channel identities have to be confirmed though, which you on your end may do with a password (or more complex means) while the site has their identity confirmed using a certificate issued by a CA. So basically the bank passes the certificate to your browser, and your browser verifies that certificate with the CA that issued it. If a certificate doesn’t check out, or if the CA that issued it is unknown to your browser, then the browser will give you a warning and urge you not to continue.

The list of approved CAs is actually maintained by your browser vendor (and may change with time, as new CAs appear and other CAs may be considered untrustworthy by the browser vendor).

The list you were reviewing are certificates from sites you’ve visited. Having them loaded in your browser does little harm, it’s simply a cache, and most will be automatically loaded the next time you visit the site (not all sites care who you are, they just want to confirm who they are).

[Reply]

It should be noted that:

1. Removing certificate authorities yourself is not a good idea unless you want to break random https websites. Removing certificates issued by those authorities is probably fine, as kombatminipig said.

2. Browser vendors aren’t necessarily good or timely about identifying and removing untrustworthy CAs. (Wikipedia mentions several past incidences.) You can gain an additional layer of protection with the Electronic Frontier Foundation’s HTTPS Everywhere plugin using its “Decentralized SSL” feature. The EFF is a non-profit that works on online privacy and freedom. The Decentralized SSL feature submits your viewed certificates to them and lets them warn you about potential rogue certificates and CAs, possibly before the browser makers react; the tradeoff, of course, is that you have to trust a plugin from the EFF. Another side effect is that the plugin will, by default, try to enable HTTPS browsing for a bunch of websites (Google, Facebook, Wikipedia, etc.) It’s normally safe to leave that on but you can turn it off if you want to.

[Ximenean]

It’s called a “chain of trust”; you visit www.acme.com, and it presents a HTTPS certificate verifying that it really is the website of Acme Inc. But why should you trust the certificate? Well, the certificate is “signed” by another party such as Verisign, to verify that they did issue it to Acme Inc. How do you trust that that the signing party really is Verisign? They have a signed certificate too - signed by themselves. In other words, there are certain CAs out there who people generally trust enough to verify their own identity and so form the root of the chain of trust. Sometimes there are several steps before you reach the root certificate.
Browsers come with the trusted root certificates of certain well-known CAs included. Apparently, Firefox includes TurkTrust as a root CA - looks like TurkTrust applied to Mozilla to be included, and it went through some sort of verification procedure. If you decide that you don’t trust them, you should be able to remove the root certificate, but that would break the trust chain for any certificate ultimately signed by them.

[sangfroid]

Thank you all for the replies. I guess my confusion about these certificates was largely in how they arrive on a machine in the first place, and that seems to have been answered. I was unaware that browsers were (somewhat) at the core of the process. Thanks for clarifying that.

Still not sure where that “Turktrust” came from, though. Perhaps I accidentally browsed through to some odd page and acquired it that way.
Thanks again for your collective responses.

[Ximenean]

sangfroid:

Thank you all for the replies. I guess my confusion about these certificates was largely in how they arrive on a machine in the first place, and that seems to have been answered. I was unaware that browsers were (somewhat) at the core of the process. Thanks for clarifying that.

Still not sure where that “Turktrust” came from, though. Perhaps I accidentally browsed through to some odd page and acquired it that way.

The TurkTrust certficate comes as standard with Firefox. I just checked my copy of Firefox and it has the TurkTrust certificate too, along with a load of other CAs I’ve never heard of but which Mozilla has presumably vetted.
If it worries you, you can go into the Firefox Options, select the certificate and click Delete or Distrust. It wouldn’t worry me, though.

[kombatminipig]

Ximenean:

The TurkTrust certficate comes as standard with Firefox. I just checked my copy of Firefox and it has the TurkTrust certificate too, along with a load of other CAs I’ve never heard of but which Mozilla has presumably vetted.
If it worries you, you can go into the Firefox Options, select the certificate and click Delete or Distrust. It wouldn’t worry me, though.

Indeed. TurkTrust seems to be one of the CA entities I mentioned before. I doesn’t necessarily need to be a Turkish site which has its certificate issued from there, it’s just an international company which functions as an authority. Private entities (whose websites you visit) pay TurkTrust for certificate issuance.

So I’d say leave it. If FireFox trusts TurkTrust, that’s good enough for me (though the EFF plugin) is a good additional layer of safety. Any CA can be compromised, after all.