For folks discovering this: unfortunately, this isn't a good idea, and can seriously harm your system.

I'll be the first to tell you that I believe Google and Mozilla have done a lot for supervising TLS, but realize that the trust stores contain many other non-TLS purposes, and with the CAs constrained from TLS issuance (e.g. only trusted for S/MIME).

CryptoAPI, for its warts, is actually beautifully engineered, in that Microsoft has had the ability to add arbitrary constraints and properties to certificates from the very first release (via CERT_PROP_IDs). You don't really see these in the UI; you only find out about them in WinCrypt.h, or via debugger stepping. However, it means that even if the UI is showing "trusted for TLS", Microsoft may have disabled trust for TLS via the extended properties, which their APIs respect, and which are delivered through authroots.cab.

You can see a little bit about this at https://github.com/crtsh/certwatch_db/issues/69 and http://unmitigatedrisk.com/?p=259

Approaches like the OP link fail to take that into consideration, and can easily break core OS services, non-TLS cases like code signing or S/MIME, or even reintroduce trust in CAs that Microsoft has programmatically disabled.
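An added example, not from the commenter above and not Microsoft's code, showing how to read the store-side EKU property the comment is talking about. It P/Invokes CryptoAPI's CertGetEnhancedKeyUsage with CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG so that only the property attached to the store entry (CERT_ENHKEY_USAGE_PROP_ID) is consulted, never the EKU extension inside the certificate. The class name EkuProp and the status strings are this example's own choices; the semantics (no property: limited only by the certificate's own extensions; property present but empty: valid for no purpose) follow the CryptoAPI documentation for that call.

```powershell
# Added example: list the CryptoAPI EKU *property* on every certificate in the
# machine Root and AuthRoot stores. The certificate UI does not show this
# property, yet it decides whether Windows will still accept the root for TLS.
# EkuProp and the State labels are this example's own, not a Windows API.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class EkuProp {
    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CertGetEnhancedKeyUsage(IntPtr pCertContext, uint dwFlags,
                                               IntPtr pUsage, ref uint pcbUsage);
    // Consult only the property stored with the certificate, not its EKU extension.
    const uint CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG = 0x4;
    const int CRYPT_E_NOT_FOUND = unchecked((int)0x80092004);

    [StructLayout(LayoutKind.Sequential)]
    public struct CERT_ENHKEY_USAGE { public uint cUsageIdentifier; public IntPtr rgpszUsageIdentifier; }

    // null  : no property set, the root is limited only by its own extensions
    // empty : property present but lists nothing, the root is valid for no purpose
    // else  : the OIDs Windows still allows for this root
    public static string[] GetPropertyEkus(IntPtr certContext) {
        uint cb = 0;
        if (!CertGetEnhancedKeyUsage(certContext, CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG, IntPtr.Zero, ref cb)) {
            int err = Marshal.GetLastWin32Error();
            if (err == CRYPT_E_NOT_FOUND) return null;
            throw new System.ComponentModel.Win32Exception(err);
        }
        IntPtr buf = Marshal.AllocHGlobal((int)cb);
        try {
            if (!CertGetEnhancedKeyUsage(certContext, CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG, buf, ref cb))
                throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
            CERT_ENHKEY_USAGE usage = (CERT_ENHKEY_USAGE)Marshal.PtrToStructure(buf, typeof(CERT_ENHKEY_USAGE));
            string[] oids = new string[usage.cUsageIdentifier];
            for (int i = 0; i < oids.Length; i++) {
                IntPtr p = Marshal.ReadIntPtr(usage.rgpszUsageIdentifier, i * IntPtr.Size);
                oids[i] = Marshal.PtrToStringAnsi(p);
            }
            return oids;
        } finally {
            Marshal.FreeHGlobal(buf);
        }
    }
}
'@

$serverAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, i.e. TLS server trust
foreach ($storeName in 'Root', 'AuthRoot') {
    foreach ($cert in Get-ChildItem "Cert:\LocalMachine\$storeName") {
        # X509Certificate2.Handle is the PCCERT_CONTEXT CryptoAPI expects.
        $ekus = [EkuProp]::GetPropertyEkus($cert.Handle)
        if ($null -eq $ekus) {
            $state = 'no EKU property: limited only by the certificate itself'
        } elseif ($ekus.Length -eq 0) {
            $state = 'EKU property present but empty: trusted for nothing'
        } elseif ($ekus -contains $serverAuth) {
            $state = 'EKU property restricts uses, TLS server auth still allowed'
        } else {
            $state = 'TLS server auth disabled by EKU property'
        }
        [pscustomobject]@{
            Store      = $storeName
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            State      = $state
            AllowedEku = ($ekus -join ', ')
        }
    }
}
```

Run it in an elevated or non-elevated Windows PowerShell session (reading the LocalMachine stores needs no admin rights). The point to take from the output is that a root can sit in the store, show "trusted for TLS" in certmgr, and still be unusable for server authentication because of this property; any script that wipes the store and re-imports certificates by thumbprint throws that property away.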
I love how the author asks the reader to implicitly distrust the OS vendor, but then also to implicitly trust their random software. Seems legit to me.
For reference. I can't actually find a list of Google's right now.

Mozilla: https://wiki.mozilla.org/CA/Included_Certificates

EDIT: and yes, it would have been nice for the author to link directly to these... Google clearly has their own, but obviously there's some debate about what that means.
OK, so let's continue this trend and we end up trusting just one. So we concentrate the entire internet's power into just one hand. Because it's such a good idea, right?
"Windows trusts 322 root certificates issued by 122 different organizations"

I think this is a good point. I would never trust 122 people in my life with my bank account details. But if I trust my browser, it seems that is exactly what I'm doing.

Isn't there a better way?
The problem with distrusting all Root CAs and accepting them back into the fold one by one is simply that you don't know whether the Root CA in question has signed off on some other, malicious sub-CA(s).
Fun related certificate fact: TIL that LinkedIn's share does not seem to support any of the Dutch government certificates - https://www.linkedin.com/post-inspector/inspect/https:%2F%2Fwww.rijksoverheid.nl%2F

(I wish they wouldn't bother with all the EV certificates and just accept Let's Encrypt. So much manual work for broken certificates that need to be replaced whenever the CA messes up the trust bits or Iran hacks the certificate providers again.)
In direct contrast to this article, I've had to specifically set `security.enterprise_roots.enabled` to true on Firefox because completely legitimate sites were not trusted.