
I'm on FF 36.0 on Kubuntu 14.10. I removed the certs for CNNIC and then, to test, went to the CNNIC website and rewrote the address as https. The website still shows the lock symbol and still shows the cert verified by the CNNIC root CA?!? Seems the removal is slightly glitchy somehow; the third time worked.

2 things I notice:

1) there are a lot of default trusted suppliers, seems that this should perhaps be selected on install (trust all or trust local [geographic] or trust by selecting regions).

2) that unlike with cookies you don't get a record of how often a certificate (or CA) has been used - so I can't tell from looking at the certificate information FF holds whether I've ever used the dozen or so Turkish certs for example; this seems like useful information for users that's not being displayed. I only use Turkey as an example because I don't use Turkish websites [I barely know a handful of Turkish words] nor AFAIK any Turkish company's English language sites.

Why would I need to trust geographically and linguistically distant CAs by default? If I decide to do something with a .cn site that needs an https connection, it seems that I should be able to get info like "these CAs - which you already trust - in turn 'trust' this CA, which certifies the site you are accessing". That, along with any warnings the browser wants to give on malware or phishing, would then feed into a decision to accept the cert and interact "securely" with the site in question. The sites I actually need secure transactions with are probably certified by fewer than a dozen CAs; trusting hundreds by default then seems poor security practice [to this layman].




Etsy built a tool to log CA certs at their network perimeter [1]:

    During the two months we’ve had CAWatch in operation,
    we’ve seen only 61 unique CA certificates cross the
    wire. This accounts for slightly less than 29% of the
    212 total CA certificates installed by default in our
    standard build
[1] https://codeascraft.com/2013/07/16/reducing-the-roots-of-som...


I'm not thinking very hard about it, but that second bullet sounds like a really good idea.


Looks like Mozilla has this data in aggregate, if I'm understanding this web page right:

http://telemetry.mozilla.org/#filter=nightly%2F39%2FCERT_VAL...

Ignore the graph and match up the table below with this C array:

https://dxr.mozilla.org/mozilla-central/source/security/mana...

If I'm understanding the meaning of "Bin Number" right, not all of the 0s are surprising. But some are. For instance, the AOL CA hasn't been used to sign any certs that have been seen. (I guess, in a sense, that's not really surprising...)

It'd be cool if someone better at front-end than I am could present the data with useful labels, and also mark each CA by whether it's in the non-Mozilla roots.
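
The counting CAWatch did at Etsy's perimeter, the "which telemetry bins are zero" question above, and the "this root you already trust vouches for this site" display suggested earlier in the thread, as one worked example. This is added here and is not code from the thread, from Etsy or from Mozilla. Certificates are reduced to (subject, issuer, is_ca) tuples that a passive TLS logger (assumed, not shown) would extract from captured handshakes; TRUST_STORE and SAMPLE_CHAINS are constructed data, and anchoring is by issuer name only, which is enough for usage statistics but is not signature verification.

```python
"""Root-CA usage audit over captured certificate chains (added example).

Certs are (subject, issuer, is_ca) tuples as a passive TLS logger (assumed,
not shown) would extract them.  TRUST_STORE and SAMPLE_CHAINS are constructed.
Matching is by issuer name only: fine for usage counts, not a path validation.
"""
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple


class Cert(NamedTuple):
    subject: str
    issuer: str
    is_ca: bool  # BasicConstraints CA flag of the parsed certificate


# Constructed stand-in for a browser/OS root store (subject -> display name).
TRUST_STORE: Dict[str, str] = {
    "CN=Example Global Root": "Example Global Root",
    "CN=Regional Root TR": "Regional Root TR",
    "CN=Regional Root CN": "Regional Root CN",
    "CN=Legacy Root": "Legacy Root",
}

# Constructed chains as servers send them: leaf first, root usually omitted.
SAMPLE_CHAINS: List[List[Cert]] = [
    [Cert("CN=shop.example", "CN=Example Intermediate G2", False),
     Cert("CN=Example Intermediate G2", "CN=Example Global Root", True)],
    [Cert("CN=bank.example", "CN=Example Global Root", False),
     Cert("CN=Example Global Root", "CN=Example Global Root", True)],
    [Cert("CN=mail.example.cn", "CN=CN Intermediate", False),
     Cert("CN=CN Intermediate", "CN=Regional Root CN", True)],
    [Cert("CN=odd.example", "CN=Unknown Intermediate", False),
     Cert("CN=Unknown Intermediate", "CN=Unknown Root", True)],
]


def build_path(leaf: Cert, pool: Iterable[Cert]) -> List[Cert]:
    """Follow issuer -> subject links from the leaf through the sent certs.
    Stops at a self-signed cert, a missing issuer, a non-CA cert, or a
    repeated subject, so a malformed capture cannot loop forever."""
    by_subject = {c.subject: c for c in pool}
    path, seen, cur = [leaf], {leaf.subject}, leaf
    while cur.subject != cur.issuer:
        nxt = by_subject.get(cur.issuer)
        if nxt is None or nxt.subject in seen or not nxt.is_ca:
            break
        path.append(nxt)
        seen.add(nxt.subject)
        cur = nxt
    return path


def anchoring_root(path: List[Cert], store: Dict[str, str]) -> Optional[str]:
    """Subject of the trusted root the path ends in, or None.  Covers both a
    root that was sent and the usual case where only its name appears as the
    last intermediate's issuer."""
    for cert in path[1:]:
        if cert.subject in store:
            return cert.subject
    last = path[-1]
    if last.subject != last.issuer and last.issuer in store:
        return last.issuer
    return None


def audit(chains: Iterable[List[Cert]], store: Dict[str, str]
          ) -> Tuple[Counter, List[str], List[str]]:
    """Chains per root, roots never seen, and leaves with no trusted anchor."""
    usage: Counter = Counter()
    untrusted: List[str] = []
    for chain in chains:
        root = anchoring_root(build_path(chain[0], chain), store)
        if root is None:
            untrusted.append(chain[0].subject)
        else:
            usage[root] += 1
    unused = sorted(r for r in store if usage[r] == 0)
    return usage, unused, untrusted


def root_coverage(usage: Counter, store: Dict[str, str]) -> float:
    """Fraction of installed roots seen at least once (Etsy's 61 of 212)."""
    return sum(1 for r in store if usage[r]) / len(store)


def trust_path(chain: List[Cert], store: Dict[str, str]) -> str:
    """'root you already trust -> intermediate -> site' for one chain."""
    path = build_path(chain[0], chain)
    root = anchoring_root(path, store)
    names = [c.subject for c in path]
    if root is None:
        return "UNTRUSTED: " + " <- ".join(names)
    if names[-1] != root:
        names.append(root)  # root was not sent; name it from the issuer
    return " -> ".join(reversed(names))


if __name__ == "__main__":
    usage, unused, untrusted = audit(SAMPLE_CHAINS, TRUST_STORE)
    for root, n in usage.most_common():
        print(f"{n:4d}  {TRUST_STORE[root]}")
    print(f"coverage {root_coverage(usage, TRUST_STORE):.0%}; never seen: {unused}")
    print("no trusted anchor:", untrusted)
    for chain in SAMPLE_CHAINS:
        print(trust_path(chain, TRUST_STORE))
```

To run it against a real store rather than the constructed one, the stdlib `ssl.create_default_context().get_ca_certs()` returns the loaded roots as dicts whose `"subject"` field can be rendered into the same `CN=...` keys; the chains would come from whatever captures the handshakes. A root that shows up with a count of zero over months of traffic is exactly the "bin 0" case in the telemetry data, and a candidate for removal from the local store.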


You can look at the local telemetry for your current Firefox session, including this variable, by going to about:telemetry, which sort of gets you what pbhjpbhj was looking for, albeit in an inconvenient and limited fashion.


I have telemetry upload turned off which appears to then not gather the data (which is perfectly reasonable) rather than just not upload it.


It is true that the sites people actually need secure transactions with are certified by fewer than a dozen CAs. The problem is that those dozen CAs are not the same dozen CAs.


The cert keeps reappearing in FF 36.0.4 on the Mac. How to make it go away?!

EDIT: while the cert reappears, I do get a warning going to the website with https. Nevermind.
