Intrepidus Group
Insight

Finding Which Root CAs You Actually Use

Posted: September 2, 2011 – 10:23 am | Author: | Filed under: PKI, ssl, Tools

With all the recent talk about fake SSL certs issued by root-level Certificate Authorities at Comodo and DigiNotar and so forth, I thought it’d be interesting to run a little experiment. One thing that these compromises have highlighted is the huge number of root certificate authorities in modern operating systems and browsers. But how many of those are actually in use? How many sites that I visit are certified by each of the roots?

On my OS X Lion install, the Keychain app tells me that I have 175 different roots installed. Some of them are pretty obvious (Verisign, etc.) but some are..well…probably NEVER going to be used by me, ever. Some have suggested that people simply delete root certs for various foreign entities (like CNNIC). But blindly deleting roots could mean that many sites you regularly visit suddenly stop validating.

So I wrote a simple python script. (I briefly considered writing it in perl, just to annoy an office troll, but sanity prevailed).

What this does is go though my Google Chrome “History” file. That’s a SQLite3 file, located in ~/Library/Application\ Support/Google/Chrome/Default/. It finds all URLs which start with “https://”, and calls the command-line OpenSSL utility to show the certificate chain retrieved when contacting that site. Then it sorts them all and outputs them grouped by CA.

Here’s a snippet of the output, run against my history:


Root CAs Used by Hosts in Cache File
/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
    tools.usps.com
    www.facebook.com
    www.icloud.com
    donotcall.gov
    complaints.donotcall.gov
/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    docs.google.com
    accounts.youtube.com
    plus.google.com
    picasaweb.google.com
    encrypted.google.com
    chrome.google.com
    adwords.google.com
    bitbucket.org
    gitorious.org
    sites.google.com
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
    discussions.apple.com
    www.usps.com
    help.apple.com
    login.yahoo.com
    fbcdn-sphotos-a.akamaihd.net

It’s pretty simple. And the script itself is a pretty ugly hack. But the output of the script, coupled with some simple grepping and wcing, tells me that out of 93 different SSL sites I’ve visted in the past (howeverlong Chrome keeps history for), they were represented by only 20 different root CAs. Another consultant reported 24 CAs over 292 different domains. I also ran the list against the first 250 reachable hosts in Alexa’s “Top Internet Sites” list, and found only 25 different root CAs in use.

Using the script is simple:

python findroots.py [options]
Options:
  --chrome <filename>
  --firefox <filename>
  --list <filename>

Use –chrome to read a History file from Google Chrome, –firefox to read a places.sqlite file from Mozilla Firefox, and –list to read a plain text file listing of hosts, one host per line.

Click here to download the script: [download id="274"]

Both comments and trackbacks are currently closed.

image

This site is protected with Urban Giraffe's plugin 'HTML Purified' and Edward Z. Yang's Powered by HTML Purifier. 24367 items have been purified.