Why are these corporate certificates pre-installed and is it safe to delete/"Never Trust" most/all of them?

I was going through this macOS Security and Privacy Guide repo, step by step, and found some good privacy tips. However, when I arrived at the Certificate Authorities section I got a little confused. I don't understand certificates that much and it was a little shocking to find Amazon and GoDaddy certs in my Keychain System Roots.

The guide recommends that I "disable certificate authorities through Keychain Access by marking them as Never Trust and closing the window." So far I followed the advice and changed the Govt. Root Cert. Authority to "Never Trust." I'm still not sure if I should do the same on the rest.

I realize asking for an explanation of what certificates are is a huge question, so I want to simplify it: Why are these corporate certificates pre-installed in macOS and is it safe to delete/"Never Trust" most/all of them?


Solution 1:

Basically certificates are used so that you can say "I got this information from an otherwise untrusted source, but because it has this associated certificate, I'm going to put some trust in it". This is possible because "someone" has done some sort of vetting of these sources.

In practice, a lot of the time this means, for example, that a company wanting to open a web shop goes to a certificate vendor (such as GoDaddy, which you mentioned) and buys a certificate. The certificate vendor will then do some kind of checking before they issue the certificate.

Depending on the type of certificate it might be that they check that the company controls the domain of their web site (such as my-web-shop.com), that they control e-mail addresses (such as [email protected]) - or even checking company registration papers, ensuring that the postal address is correct, etc.

This makes it possible for ordinary users to visit a web site and be somewhat sure that the data they received comes from the intended source.

You might notice that something is missing here - how are the vetters vetted?

This is done by operating system and browser vendors such as Microsoft, Apple, Google, Mozilla, etc. They basically keep a list of certificate vendors that their software will trust by default.

Apple will, for example, make changes to that list when you update macOS to ensure that it remains valid. In addition, you yourself can make your own decisions on adding or removing vendors from the list by changing the trust levels.

Whether it is "safe" or not to remove the trust is a matter of your preference. If you remove the trust of a specific vendor, you will be prompted when accessing web sites that bought certificates from that vendor, stating that the site is not secure. You can usually override that on a site-by-site basis, but not always.

Note: When I say "bought from a vendor" it doesn't necessarily mean that money was exchanged. Some certificate issuers do not charge (such as Let's Encrypt) and some service providers provide certificates for free with other services.
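As an added illustration of the chain of trust the answer describes (example code, not from the guide or the answer): a throwaway root signs a certificate for my-web-shop.com, and verification passes while that root is in the trust store but fails once the store holds only an unrelated root, which is what marking a System Root as Never Trust does for sites chained to it. It assumes a POSIX shell with the openssl command-line tool (1.1.1 or newer); every name and file here is made up.

```shell
#!/bin/sh
# Added demo (not from the guide or the answer): a throwaway root CA issues
# a leaf certificate, then "openssl verify" is run against two trust stores
# to show what removing trust in a root does. All names are constructed.
set -eu

# Minimal OpenSSL config so the root gets proper CA extensions on any version.
write_ca_config() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$1"
}

# Self-signed root: stands in for a vendor root like those in System Roots.
make_root() {  # $1 = file basename, $2 = common name
  openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" -days 2 >/dev/null 2>&1
}

# CSR plus signing: the "vetting" step where the vendor issues the shop's cert.
issue_leaf() {  # $1 = root basename, $2 = hostname
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -out leaf.pem -days 1 >/dev/null 2>&1
}

# Prints OK or FAIL for leaf.pem against the trust store file given in $1.
verify_against() {
  if openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Prints "trusted=OK untrusted=FAIL": the same leaf passes while its own root
# is trusted and fails when the store contains only an unrelated root.
demo_never_trust() {
  work=$(mktemp -d)
  ( cd "$work" \
    && write_ca_config ca.cnf \
    && make_root demo-root "Demo Vendor Root CA" \
    && make_root other-root "Unrelated Root CA" \
    && issue_leaf demo-root my-web-shop.com \
    && printf 'trusted=%s untrusted=%s\n' \
         "$(verify_against demo-root.pem)" "$(verify_against other-root.pem)" )
  rm -rf "$work"
}

demo_never_trust
```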