A theory on why most browsers control their own list of CA roots

January 6, 2010

As part of the ipsCA failure, a number of people are noticing that most browsers keep their own list of CA roots, instead of deferring to whatever system-wide list your operating system keeps. There are at least three ways to explain this, depending on how cynical or optimistic you are.

The first is that it is the natural outcome of a ruthless but completely uneven Darwinian struggle for influence (and the benefits it brings) between SSL CA vendors, browser vendors, and OS vendors. Since browser vendors ultimately hold all of the cards in this, they won; how SSL works, including who controls what certificate authorities are trusted (and thus which of them get to make money and who goes bankrupt) is something that they dictate.

(Note that IE 8 is not an exception here; while it uses the Windows list of CA roots, it's written by the same people (well, the same company) as the OS, so the two are effectively the same. Safari and Mac OS X are the same way. Chromium is an interesting exception, but Google probably was uninterested in stepping into the SSL snakepit.)

The second and more optimistic view is that this has happened because it is the browser that is ultimately on the hook for whom it trusts. Regardless of who is really at fault, people will not say 'Windows trusted this evil site with a certificate from a bad CA vendor', people will say 'Firefox trusted this clown'. When you are being blamed for things that go wrong, you have a natural motivation to control them so that you can do something about it.

(Or the shorter version: if you're going to get blamed for it anyways, it might as well actually be your fault.)

The third is that this is at least partly a relic of both the development history of these browsers and, for many of them, their cross-platform nature. Not all operating systems supported by browsers such as Firefox and Opera have any concept of an OS-level CA root list (especially back at the time of their early versions), and so those browsers necessarily have to have their own list on some platforms. Once you are going through the work to have your own list of trusted CAs on some platforms, you might as well do it on all of them (it's less code overall). As a bonus, you make your browser behave the same on all of the platforms that you support; imagine the fun of a bug report of the form 'Firefox accepts this https website on my Mac, but not on three out of five of my Windows machines'.
