This is a great post, in which the lead security person at Etsy built a system to determine which HTTPS/TLS CA's actually got used in traffic from their office to the Internet. Less than 29% of the CAs their browser trusted actually saw any use!
This sounds like something to be outraged about but is actually constructive good news: if more people repeat the experiment, someone could invest some engineering time into building a tool that would prune out CAs from browser trust stores. Every CA removed from your browser is one less attack vector.
This sounds like something to be outraged about but is actually constructive good news: if more people repeat the experiment, someone could invest some engineering time into building a tool that would prune out CAs from browser trust stores. Every CA removed from your browser is one less attack vector.