
Moxie Marlinspike had a talk on exactly this issue many years ago now (maybe 2010-2012). Not much has changed since then.


The WebPKI is drastically different than it was in 2012. Browsers all run their own root program. Certificate Transparency was not only launched (in 2013) but is now effectively mandatory for all CAs. Some of the largest CAs in the ecosystem were surveilled, had misissuance detected, and were put to death by the browsers. In 2010-2012, companies were still being sold CA:TRUE certs so they could intercept traffic on their own networks; now that would get your whole signing CA burnt.

It's OK not to pay any attention to the WebPKI! It's a whole specialized thing. But that's what you'd have to do to reach the conclusion that "not much has changed". The years following 2012 were the most momentous in the history of PKI.


> Browsers all run their own root program.

Do they?

I believe Firefox allows OS-level root CAs in addition to their built-in ones (not sure if that includes OS-provided ones or is limited to local administrator/user installed ones).

Chrome used to defer to the OS-provided one entirely, but it looks like it now has its own store and ignores OS-provided CAs (but does accept admin-provided ones).

Hm, the more I look at this... It seems like they do, these days :) At least the large ones; I doubt that smaller browsers such as Opera, Brave etc. have their own trusted root program.


Opera do. Cisco have their own. Oracle do (for Java, primarily) but tend not to participate in CA/B Forum much. Brave did previously have something of a root program - not sure if they still do or if they track Moz and/or Chromium. Qihoo 360 (China) have a root program, too. There are certainly other 'smaller' ones.


Interesting, although I do still suspect that the trend is to just piggyback onto one of the large well-respected ones.

For example, I do believe that Opera used to have their own (while they were still doing well), but they seem to be using Chrome these days [1]:

> Opera considers certificates presented trustworthy only when they either have a certificate chain that can be validated up to a Root CA certificate included in the Chrome Root Store or a certificate explicitly configured to be trusted by the user.

[1] https://security.opera.com/en/webpki-trust-anchors/


Certificate Transparency is pretty significant, arguably! It makes bad behavior much more transparent, at least.


Yeah, it really increases the cost of abusing the CA system, a lot.



