SSL Certificate management in Chrome

Discussion in 'other software & services' started by Mover, Oct 15, 2016.

  1. Mover

    Mover Registered Member (Joined: Oct 1, 2005; Posts: 165)

    I have 2 computers that have Chrome installed.

    When I open Chrome in both and compare the certificates in there, they don't have the same amount of certificates. Both are running the same version of Chrome, however, one computer is older than the other.

    1) How do I ensure the certificates are all valid and from trusted sources?

    2) What is stopping sophisticated malware from inserting certificates in Chrome and making use of them?
     
  2. Brummelchen

    Brummelchen Registered Member (Joined: Jan 3, 2009; Posts: 1,732)

    SSL is outdated and vulnerable - use TLS instead.

    Inserting certs is also out of business; Google and Mozilla decided to also use system certs. It's just a 0>1 switch in prefs, which can be done from outside (e.g. from malware).

    Check your certs manually - that will help to sort it out and understand it in a better way.
     
  3. Mover

    Mover Registered Member (Joined: Oct 1, 2005; Posts: 165)

    I've attached a screenshot of what I'm referring to.

    I'm referring to the actual certificate itself that can be managed under 'Settings' -> Advanced Settings.

    I have some certs in Chrome on the older laptop that the new one doesn't have. I don't know what would happen if I deleted them.

    [Attached image: upload_2016-10-16_10-26-2.png]
     
  4. Brummelchen

    Brummelchen Registered Member (Joined: Jan 3, 2009; Posts: 1,732)

    Normally outdated or dropped certs are not used. To lower the amount of certs you can delete those. Some are not there by default - added afterwards (I noticed a lot more certs in my older Firefox profile than in a new one).

    As your pic points out, one from MS has expired - it can be deleted. But that also points out that Chrome (same as Opera/Vivaldi) is using your system certs - Firefox has its own root storage. OK - in my first answer I was wrong, Chrome is already using the system cert store - Mozilla is going to do the same.

    So you can work on certs using the Internet Options from the system. If you feel uncomfortable with deleting - just don't; you don't have any disadvantage.
     
  5. itman

    itman Registered Member (Joined: Jun 22, 2010; Posts: 2,969; Location: U.S.A.)

    Those are intermediate root CA certificates. Browsers add those on demand from the web sites using them.

    Root CA certificates are the "holy grail" ones.
     
  6. Mover

    Mover Registered Member (Joined: Oct 1, 2005; Posts: 165)

    So, why not have the intermediate ones cleared out at the end of a browsing session?

    What's stopping malware from inserting a bogus Root certificate in the 'Trusted Root CA' store?

    [Attached image: upload_2016-10-16_20-5-42.png]
     
    Last edited: Oct 17, 2016
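
Added example (not written by any poster in this thread): PowerShell that inventories a Windows certificate store and reports entries that are expired or absent from a baseline exported on a second machine, which is the two-computer comparison the thread starts from. The function names and the file name `root-baseline.csv` are hypothetical; `Cert:\LocalMachine\Root` is the system Trusted Root store that the thread says Chrome uses.

```powershell
# Added example: audit a Windows certificate store against a baseline.
# Function names and the baseline file name are hypothetical.

function Get-StoreInventory {
    param([string]$StorePath = 'Cert:\LocalMachine\Root')
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            Expired    = ($_.NotAfter -lt $now)
            SelfSigned = ($_.Subject -eq $_.Issuer)   # expected for roots, not for intermediates
        }
    }
}

function Export-StoreInventory {
    param([string]$StorePath, [string]$OutFile)
    Get-StoreInventory -StorePath $StorePath |
        Export-Csv -Path $OutFile -NoTypeInformation
}

function Compare-StoreToBaseline {
    param([string]$StorePath, [string]$BaselineFile)
    # Index the baseline by thumbprint (SHA-1 hash of the certificate).
    $known = @{}
    Import-Csv -Path $BaselineFile | ForEach-Object { $known[$_.Thumbprint] = $true }
    Get-StoreInventory -StorePath $StorePath | ForEach-Object {
        $reason = @()
        if (-not $known.ContainsKey($_.Thumbprint)) { $reason += 'not in baseline' }
        if ($_.Expired)                             { $reason += 'expired' }
        if ($reason.Count -gt 0) {
            $_ | Add-Member -NotePropertyName Reason -NotePropertyValue ($reason -join ', ') -PassThru
        }
    }
}

$store    = 'Cert:\LocalMachine\Root'
$baseline = '.\root-baseline.csv'
if (-not (Test-Path $baseline)) {
    # First run (reference machine): write the baseline, then copy it to the other machine.
    Export-StoreInventory -StorePath $store -OutFile $baseline
}
Compare-StoreToBaseline -StorePath $store -BaselineFile $baseline |
    Sort-Object Reason | Format-Table Reason, Subject, Thumbprint, NotAfter -AutoSize
```

A difference between two machines is not by itself a sign of tampering, because Windows adds roots from Microsoft's trusted root list on demand; an entry reported as 'not in baseline' is a prompt to check that thumbprint against the issuer's published value. Pointing `$store` at `Cert:\CurrentUser\CA` runs the same check over the intermediate store.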