Browser Certificate Stores

Lost In Cyberia

Hey everyone,

I was curious as to why browsers like Firefox have their own list of trusted certificate authorities. Internet Explorer, Chrome, and Safari don't have their own list of trusted authorities, right? Are the trusted lists they use stored on the OS, then? Why does FF have its own list?


This may assist you in understanding.

Trusted certificates are typically used to make secure connections to a server over the Internet. A certificate is required in order to avoid the case that a malicious party which happens to be on the path to the target server pretends to be the target. Such a scenario is commonly referred to as a man-in-the-middle attack. The client uses the CA certificate to verify the CA signature on the server certificate, as part of the checks before establishing a secure connection. Usually, client software —for example, browsers— include a set of trusted CA certificates. That makes sense inasmuch as users need to trust their client software: A malicious or compromised client can skip any security check and still fool its users into believing otherwise.

The customers of a CA are server administrators who need a certificate that their servers will present to clients. Commercial CAs charge to issue certificates, and their customers expect the CA's certificate to be included by most web browsers, so that secure connections to the certified server work smoothly out of the box. The number of web browsers and other devices and applications that trust a particular certificate authority is referred to as ubiquity. Mozilla, which is a non-profit organization, distributes several commercial CA certificates with its products.[1] While Mozilla developed their own policy, the CA/Browser Forum developed similar guidelines for CA trust. A single CA certificate may be shared among multiple CAs or their resellers. A root CA certificate may be the base to issue multiple intermediate CA certificates with varying validation requirements.

Aside from commercial CAs, some providers issue digital certificates to the public at no cost; a noteworthy example is CAcert. Large institutions or government entities may have their own PKIs, each including their own CAs. Formally, any site using self-signed certificates acts as its own CA too. At any rate, decent clients allow users to add or remove CA certificates at will. While server certificates usually last for a rather short period, CA certificates last much longer,[2] so, for frequently visited servers, it is less error-prone to import and trust the CA that issues their certificates rather than confirm a security exception every time the server's certificate is renewed.

A less frequent usage of trusted certificates is for encrypting or signing messages. CAs issue end-user certificates too, which can be used with S/MIME. However, encryption requires the recipient's public key and, since authors and recipients of encrypted messages presumably know one another, the usefulness of a trusted third party remains confined to the signature verification of messages sent to public mailing lists.

Source: http://en.wikipedia.org/wiki/Certificate_authority
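Added example, not from this thread or from the Wikipedia article: a throwaway PKI built with Go's standard library that shows what a trust store does. The names ("Test Root CA", "www.example.test") are constructed; the point is that the server sends only its own certificate plus the intermediate, so the connection verifies only if the root is already in the client's store, which is exactly what a browser or OS ships, and what you change when you import a CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for name signed by parent, or self-signed when parent is nil (constructed throwaway PKI).
func mkCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // a CA must be permitted to sign other certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // a server certificate names its host and is limited to server authentication
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed: the certificate vouches for itself, as a root CA does
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// trusted reports whether a client whose trust store is roots accepts leaf, given the intermediates the server sent.
func trusted(leaf *x509.Certificate, roots, sent *x509.CertPool) bool {
	// Roots are never sent by the server; the client must already hold them. EKU defaults to server auth.
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: sent, DNSName: leaf.DNSNames[0]})
	return err == nil
}
// Demo builds root -> intermediate -> www.example.test and checks the server cert against two stores (false, true).
func Demo() (emptyStore, rootInStore bool) {
	root, rootKey := mkCert("Test Root CA", true, nil, nil)
	inter, interKey := mkCert("Test Intermediate CA", true, root, rootKey)
	leaf, _ := mkCert("www.example.test", false, inter, interKey)
	empty, store, sent := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	store.AddCert(root) // adding the root here is what importing a CA into a browser's store does
	sent.AddCert(inter) // the server presents its own cert plus the intermediate, never the root
	return trusted(leaf, empty, sent), trusted(leaf, store, sent)
}
```

Swapping `empty` for a pool loaded from the OS or browser store is the difference the original question asks about: two clients with different stores give different answers for the same server certificate.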
