How to know which Certificates to leave in my browser, and which to remove

google-chrome security certificate ssl firefox

I would like to tighten up security a bit, so I am disabling unneeded certs from my browsers. For instance, the "WoSign CA Limited" cert from China I obviously don't need, yet "Thawte Consulting cc" I do.

Is there any way to see which certs I've actually used so that I could start making informed decisions? Take for example "Trustis Limited". On what basis would I decide to keep or leave it. Also, in addition to "Thawte Consulting cc" there is a cert for "thawte, Inc.". Might one be a spoof? How would I know?


Episode #481 of the Security Now! podcast touches on the related subject of Certificate Transparency. The question "which CA's can I trust?" is replaced by "which certificates is known to represent a given site?".

Once RFC 6962 is universally deployed it allows us to detect that the "Hong Kong Post office CA" (aka the Chineese Government) has issued a fraudulent certificate to www.gmail.com which your pre-2015 browser would otherwise happily accept.

The concept that hundreds of CA's are trusted to issue certificates to any site is crazy.

Related

List which VPN clients are connected
Is it possible to process millions of datagrams per second with Windows?
What is the "Software Reporter Tool" downloaded by Google Chrome?
Renaming a bookmark in Word 2010
Google Search hijacked only when not being observed. Attaching a debugger returns normal results
Is my keyboard "Generic 101-key PC" or "Generic 105-key PC (intl.)" or what?
VirtualBox "Auto resize guest display" greyed out
Are there alternatives to TextExpander on Mac OS X? [closed]
Change the origin coordinates in GIMP
View cookies : Keyboard shortcut? Extension?
Are there faster solutions for NTFS on Linux than NTFS-3G?
Update git on mac