I was asked "how do browsers know whether or not to trust the certificate from the server it's connecting to" and thought it was a pretty good question. After doing some googling I found two answers:

According to this person a list of root content authorities are built into the operating system, and any further CA's are trusted (or not) by the root ones.

Just so you know, Microsoft determines which Trusted Root CAs are automatically loaded into their operating system. It’s the same story with Apple.

However Wikipedia makes it sound like the list of trusted CAs is built into the web browser:

The browser already possesses the public key of the CA and consequently can verify the signature, trust the certificate and the public key in it

So which is it? Do both the operating system and browser come with a built-in list of trusted certificate authorities, and if a certificate is signed by an entry in either one of the lists, is it trusted?

Celeritas

1 Answer

So which is it? Do both the operating system and browser come with a built-in list of trusted certificate authorities, and if a certificate is signed by an entry in either one of the lists, is it trusted?

It depends.

Windows and MacOS X come with their own certificate store filled with the trusted CAs, and both the built-in browsers (i.e. Internet Explorer or Safari) and Chrome use this CA store. Firefox instead comes with its own CA store and uses only this CA store. With Android and iOS the situation is similar, although I don't know about the behavior of Firefox on Android.

Linux and *BSD also have a CA store built in, but this one is not used by the common browsers. Firefox again uses its own store, and on this platform Chrome also uses its own store.

Steffen Ullrich
  • Ok thanks. So to confirm, if Firefox is running on Windows, it would still use its own CA store? – Celeritas Oct 14 '15 at 06:09
  • @Celeritas: as far as I know this is the case. – Steffen Ullrich Oct 14 '15 at 06:16
  • @SteffenUllrich is correct. You can easily verify this using something like Fiddler; it installs its certificate in the system CA store, but not in Firefox's store. IE, Edge, and Chrome will trust it, but Firefox will not (until you also install it for Firefox). – CBHacking Oct 14 '15 at 07:25
  • @SteffenUllrich: You say *nix systems have their own cert store... where is this stored? I'm not familiar with any system-wide one. I mean, you could put a .PEM file in /etc somewhere and call it the root CA list, and maybe some OpenSSL or GNUTLS packages do that, but that doesn't mean that it's built into the OS, and I don't know of any system APIs for accessing a trusted certificate store. – CBHacking Oct 14 '15 at 07:28
  • Since Vista, Windows actually comes with a very reduced list of trusted roots and dynamically downloads new roots on the fly as needed (more or less): http://netsekure.org/2011/04/automatic-ca-root-certificate-updates-on-windows/ – Stephane Oct 14 '15 at 09:10
  • @CBHacking: on *nix you usually have some /etc/ssl or similar where you have either a directory with the CA (Linux) or a file with the CA (OpenBSD). This is usually also the default path for OpenSSL, so tools like wget, curl etc use it. But common browsers like Chrome and Firefox don't use it. – Steffen Ullrich Oct 14 '15 at 09:39
  • If a CA isn't listed in Firefox does Firefox then fall back to use the operating system, or no? – Celeritas Oct 14 '15 at 21:35
  • @Celeritas: There will be no fall back. Please also check the comment from CBHacking for this. – Steffen Ullrich Oct 14 '15 at 21:44
  • I actually don't quite follow @CBHacking's explanation "it installs its certificate in the system CA store, but not in Firefox's store". What does it refer to, Fiddler? I didn't know any program can install a new CA, and that is what this question is asking. – Celeritas Oct 15 '15 at 00:25
  • @Celeritas: Yes, Fiddler installs its "fake" CA certificate in the Windows "Trusted Root Certificate Authorities" store. This process will trigger a warning message you need to approve. The reason Fiddler does this is so that, when a proxy client (like a web browser) tries to open an HTTPS site, Fiddler can sign a "fake" certificate for that site and the client will trust "that site's" certificate (because it chains to a trusted one - the one that Fiddler installed). – CBHacking Oct 15 '15 at 00:30
  • 1
    IE, Edge, Chrome, and (I think) Opera will all trust those Fiddler-generated certificates, because those browsers use the Windows certificate store and will see that Fiddler's certificate is from a "trusted certificate authority". Because Firefox doesn't check the Windows cert store, Firefox won't trust the signature on a certificate that Fiddler created. If you want Firefox to trust Fiddler's certificates, you need to import the Fiddler CA certificate into Firefox's own store of CA certificates. – CBHacking Oct 15 '15 at 00:33