
I wonder just how many certs I'd notice failing if I pulled Symantec's root out of my keystore - and if I'd get any mileage contacting the sites that end up broken and explaining why.

This is exactly the sort of thing I'd like to have the "CA death penalty" seriously considered against Symantec - but I fear they're going to be judged "too big to fail". A grass roots campaign of contacting sites (especially sites I've got paid accounts with) saying "Sorry, I can't use your site anymore because I've had to disable Symantec's root keys (see this link for reasons), can I please cancel my billing." might be the only thing I can do.

(Oh, and joy! https://www.apple.com is secured by a Symantec cert for me right now. How much would you bet against all my Mac OS X and iOS software updates also being "secured" that way?)




What I would really like to see is a curated list of CAs and intermediates instead of the huge list my browser currently trusts. Preferably a browser extension like EFF's Privacy Badger, to make it easier to use.

I have gone into Firefox's settings and deleted random certs like the Hong Kong Post Office and this didn't break any of the sites I use, but all certificates are re-installed each time Firefox updates.

Thinking more globally, someone living in Hong Kong might prefer to keep the Post Office one but distrust all American CAs from their browser, and they should be accommodated too.

Imagine treating the set of trusted CAs in your browser just like your ad blocker's filter list. You would damn sure need a trustworthy curator to maintain that list, but it seems doable (in my admittedly non-expert and humble opinion). Does such a thing exist? Moxie's Convergence extension is the closest thing to it that I'm aware of: https://en.wikipedia.org/wiki/Convergence_%28SSL%29
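The experiment described in the first two comments, pulling a root out of the trust store and seeing which chains stop verifying, as an added Go example that is not part of the thread: it builds two constructed roots, an intermediate and a leaf in memory with the standard library only, then runs the leaf through crypto/x509 verification against the full store and against the store with Root A removed. All names, keys and the hostname are constructed for the demonstration; nothing is fetched from the network.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate named cn signed by parent (nil parent: self-signed root); all material is constructed in memory.
func issue(cn string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = tmpl, priv // self-signed: the certificate is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// verifies reports whether leaf chains to a root in store, given the intermediates the server sent alongside it.
func verifies(leaf *x509.Certificate, sent *x509.CertPool, store ...*x509.Certificate) bool {
	roots := x509.NewCertPool() // stands in for the browser's or OS keystore's trusted roots
	for _, c := range store {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: sent})
	return err == nil
}

// BrokenAfterRemoval checks shop.example (issued under Root A via an intermediate) with Roots A and B trusted, then with A pulled.
func BrokenAfterRemoval() (withRootA, withoutRootA bool) {
	rootA, keyA := issue("Constructed Root A", true, nil, nil)
	midA, midKey := issue("Constructed Intermediate A", true, rootA, keyA)
	rootB, _ := issue("Constructed Root B", true, nil, nil)
	shop, _ := issue("shop.example", false, midA, midKey)
	sent := x509.NewCertPool() // the chain a server hands over with its leaf; it cannot stand in for a pulled root
	sent.AddCert(midA)
	return verifies(shop, sent, rootA, rootB), verifies(shop, sent, rootB)
}

func main() { fmt.Println(BrokenAfterRemoval()) } // true false
```

The same check against real sites would parse the chain a server presents and look up its root in the local store; the point here is that the intermediate the server sends never restores trust once the root it chains to is gone.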


> but distrust all American CAs from their browser and they should be accommodated too.

Even a (mainland) Chinese user won't be able to distrust American CAs and still browse the Internet fine, and it is known that China's network is one of the most isolated on earth, filtered by the GFW. For example, Baidu's certificate is signed by Verisign, Taobao's by GlobalSign, QQ's by GeoTrust. All of those certificate authorities are headquartered in the United States.

CAs like Symantec are just too big to fail, even if your proposal is implemented.


Maybe a browser extension that generates this email and automatically sends it to the screen-scraped contact-us web email address/form? "Hi, I use bigiainDisconnectAdblockPlus-thingy and just wanted to let you know I didn't visit your site because I can't trust your certificates, which come from Symantec. Here's the fingerprint of that cert xxxxxxxxxxxxxxxxx and here's why I can't trust it <link to explanation/tirade/manifesto>"


I would use that and donate to it.


IIRC Apple uses their own Root CA for signing updates and applications on the App Store + Gatekeeper-signed bundles.



