Helping people with computers... one answer at a time.

Understanding certificates in your browser is tricky and deleting them not recommended. They are "by definition" supposed to be secure.

Looking around at my Firefox tools, I decided to look at the certificates listed there out of curiosity. Many don't make sense including a number that appeared to be from Turkey. Is there a way to know which ones should be allowed and which ones should be deleted? I use Vista, 32 bit.

In this excerpt from Answercast #79, I look at the numerous root certificates that are included in browsers and recommend that people don't delete them.

Understanding certificates in my browser?

Ultimately, no. The problem is this: these are called the "root certificates." These are the certificates that your computer trusts by default.

We make the assumption that the browser manufacturer (in your case, Firefox) or the operating system vendor (Microsoft in the case of Windows, or Apple in the case of Macintosh's OSX) have somehow vetted and secured the default set of root certificates that are included - with whatever software it is they're providing (like I said, the operating system, or sometimes in Firefox's case, the browser.)

Yes, there are many and they might not make sense to you and me. In fact, I would claim that the vast majority are never used.

The results of deleting certificates

The issue is that they might be! You don't know necessarily who the signing authority is, who it is, that is securing or authenticating an https website when you visit that website.

If, for whatever reason, you visited a site that happened to get to their secure certificate from a certificate authority that originates with that Turkey certificate, then you would not be able to connect to that site and know that it was secure. You would probably still be able to connect to it, but you would get a warning every time you did if that Turkey certificate were not installed on your machine.

Now, yes, I agree. Turkey - pretty darned unlikely.

Depending on what browser you're looking at, there may be something like 200 different certificates that come pre-installed with the browser or with the operating system. Those are to support the browser and the operating system when working in all these different places - where people are accessing sites that are very legitimately getting their http certificates signed by all of these different signing authorities.

Don't remove certificates

In my opinion, it's way more effort, way more work than it's worth, to go through and remove ones that you're uncertain of.

For many, the risk is pretty low. You're not going to have a problem if you remove it. For some, like I said, you're gonna find out that, "Oh, gosh! When I visit such and such site, well, they originate in Europe... and this one certificate authority that I just deleted because I didn't understand it? That's the one they needed!"

Getting them back in gets to be a little bit problematic.

So my recommendation is yes, it's an interesting curiosity. It does reflect what I consider to be a weakness in the SSL and https system, but it is not something that I recommend generally that people go in and play around with.

They are all by definition supposed to be good. They are all by definition supposed to be trustworthy.

I say "by definition" because of course depending on the situation, you may feel otherwise - but that's the intent of the system and I wouldn't recommend messing around with it until (or unless) we have a specific problem we're trying to resolve that would involve that.

(Transcript lightly edited for readability.)

Article C6144 - December 17, 2012 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.