Root CA Trust
Discussions focus on how browsers and OSes decide which root certificate authorities to trust: manual installation of custom roots for corporate traffic inspection (a man-in-the-middle by design), how the same mechanism serves an attacker who gets a root into the store, and the limits of trust-store management and certificate pinning, which browsers do not enforce against locally installed roots.
Sample Comments
Browsers always trust manually installed CA roots, because that scenario is used by many corporations to monitor their traffic. OCSP, HPKP, etc. won't help.
If the savvy want this they can already have it, it's just a matter of removing the certs from the browser's CA store.
IIRC one cannot tell the browser to not trust root CAs, that's why all the fuss.
Really, how?? Wouldn't that require the installation of a custom root certificate on every client?
I might be interested - is your root cert in all common browsers/OSs?
It depends on your use case, but yes, you would probably need to load at least your browser with your own CA. It's good hygiene to manage your own keys though.
Application doesn't even need to use root CAs from system, it can ship its own; the problem starts when you try to make system browser part of your app
Can't we just remove their root certificate from the trust stores then?
As opposed to what? Using the OS's trust store? Getting the user to manually trust CAs?
Why can't they just install their own self signed root ca on all their computers and continue MITM it?
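The point the thread keeps circling back to (a root pushed into the OS store is trusted exactly like a public one, and only an application that ships its own root set escapes that) can be shown end to end with Go's standard library. The following is an added example, not code from the page or from any of the commenters. It constructs two in-memory CAs, one standing in for a publicly trusted root and one for a corporate interception root, issues an example.com certificate from each, and verifies both chains against a pool mirroring the OS store after the corporate push and against a pool holding only the root the application ships. The CA names, the example.com hostname and the store contents are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint generates a P-256 key and signs tmpl with parentKey; parent == nil means self-signed.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newRoot builds a self-signed CA. Both roots in this example are constructed, not real ones.
func newRoot(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mint(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueLeaf signs a server certificate for host under ca and returns it with its key.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
}

// chainRoot verifies leaf for host against anchors and returns the anchor the chain ends at, or nil.
func chainRoot(leaf *x509.Certificate, anchors []*x509.Certificate, host string) *x509.Certificate {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	if err != nil {
		return nil
	}
	return chains[0][len(chains[0])-1]
}

type Outcome struct {
	GenuineViaSystem, ProxyViaSystem   bool // OS store after the corporate root was pushed to it
	GenuineViaShipped, ProxyViaShipped bool // store the application ships itself: the public root only
	ProxyRootSeen                      bool // the system-store chain for the MITM cert ends at the corp root
}

// RunScenario issues example.com certificates from both CAs and checks them against both stores.
func RunScenario() Outcome {
	publicRoot, publicKey := newRoot("Public Root CA (constructed)")
	proxyRoot, proxyKey := newRoot("Corp Interception CA (constructed)")
	const host = "example.com"
	genuine, _ := issueLeaf(publicRoot, publicKey, host)
	intercepted, _ := issueLeaf(proxyRoot, proxyKey, host) // what the interception proxy presents
	systemStore := []*x509.Certificate{publicRoot, proxyRoot}
	shipped := []*x509.Certificate{publicRoot}
	viaSystem := chainRoot(intercepted, systemStore, host)
	return Outcome{
		GenuineViaSystem:  chainRoot(genuine, systemStore, host) != nil,
		ProxyViaSystem:    viaSystem != nil,
		GenuineViaShipped: chainRoot(genuine, shipped, host) != nil,
		ProxyViaShipped:   chainRoot(intercepted, shipped, host) != nil,
		ProxyRootSeen:     viaSystem != nil && viaSystem.Equal(proxyRoot),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

With the corporate root in the system store, the proxy's certificate for example.com verifies just as cleanly as the genuine one; nothing in path validation distinguishes a root the OS vendor shipped from one an administrator (or an attacker with admin rights) added. The only observable difference is which anchor the chain terminates at, which is why `chainRoot` returns that anchor: an application that wants to notice interception compares it (in practice, a SHA-256 fingerprint of the root's `Raw` bytes) against the roots it expects. An application that verifies against its own bundled pool, as the `shipped` store does here, rejects the intercepted chain outright, which is the "ship your own roots" position from the thread, with the corresponding cost of having to update that bundle yourself.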