- All browsers use a ‘certificate store’ which contains the list of trusted root CAs.
- The certificate store can either be provided by the OS, or by the browser.
- On Windows, Chrome and IE use the operating-system provided certificate store. So they have the same points of trust. However, this means that the trust list is governed by the OS vendor, not the browser. I’m not sure how often this list is updated for Windows XP, which is still used by 50% of the world’s internet users.
- On Mac, Chrome and Safari use the operating system provided store.
- On Linux,
there is no operating system provided certificate store(see /etc/ssl/certs), so each browser maintains its own certificate store, with its own set of roots.- Firefox, on all platforms (I believe, I might be wrong on this) uses its own certificate store, independent of the operating system store.
- Finally, on mobile devices, everyone has their own certificate store. I’d hate to guess at how many there are or how often they are updated.
From comments:
"Python2.7's standard urllib2 module does not validate server certificates. Instead, we recommend using the "requests" or "urllib3" modules in python2, or the standard http.client.HTTPSConnection class in python3, and giving them a reasonable list of CA roots"
No comments:
Post a Comment