Trusted credentials?

I have hundreds of trusted credentials in my phone - a few I recognize like VeriSign but others are from, like 2005 TURKTRUST Bilgi… and other alien names. I can’t find a way to delete or turn off, but do I need to? Where did these come from?

1 Like

Glad you asked. Hopefully someone can enlighten us!

3 Likes

How does this differ from what I find on my Moto X Pure Settings/Security/Trusted credentials? I can un-check as I want or via another provided link clear them all to start over.

That’s what this article is written for, Settings > Security > Trusted credentials (although the menus and options change a bit between Android versions and permission levels).

Sorry, only did a quick glance and assumed it was YAA (yet another app) :slight_smile:

@cbwahlstrom & @jben,

The article didn’t mention the menu option to Clear credentials. Are there any +s or -s to occasionally clearing all of them or warnings we may offer members? Thanks.

:flight_departure:

My rule is if it ain’t broke, don’t break it.

I don’t see an article link. Can you answer my question about “do I need these?” Anyway too late as I deleted them all. I thought when a new credential was encountered, the device would ask to accept or decline - at least for a regular computer - is that wrong? And where the f___ did those foreign ones come from? - I don’t even recognize the language.
Thanks if you can provide a little more light.

The article is at https://tamingthedroid.com/trusted-credentials. It does a good job explaining why you have these trusted credentials. The reason you have non-US entries is that the internet is international, and not all security certificate authorities are US based.

1 Like

One can generally remove certificates from the “User” section without harm as the apps that installed these certificates will generally prompt to do so again if removed.

Removing CAs from the System section can cause the phone to be unable to recognize and therefore refuse to establish a secure connection to certificates issued by that CA. You really shouldn’t mess with these unless there’s some major news that a CA has become untrusted.

1 Like

If a certificate authority is ever revealed to be untrustworthy or has their systems compromised, it tends to become fairly big news; these are the trusted companies that the internet relies upon for the basis of verifying authentication and any loss of trust in these companies is fairly important news for browser makers.

What harm is there to removing the others? Are they added back as the browsers do their job of checking certificates?

Probably not big news to most folks and few of us make browsers. Who would pass this news along to RW members?

Thanks.

:flight_departure:

No, that’s not how it works. The CA’s being there is what tells your browser that the CA is trusted. It has no other way to verify. Uninstalling and reinstalling the browser will bring along the standard certificate authorities.

Pass what news to RW members? There’s no news here. You want Republic to send a note out that says: “Please don’t click through menus on your phone and find things you don’t know about and then change the settings there?”

1 Like

What happens if the browser isn’t uninstalled? Does it just stop working?

The big news that the esteemed link suggested we may hear about if a credential should be removed.

Not all members are experts so some explanations may be warranted when atypical subjects pop up. Other members may read this. Is @arlieh going to encounter issues after deleting them all? If we should not touch a particular setting menu item under discussion this is the perfect time to say so in a simple way.

:flight_departure:

If one encounters a certificate issued by a deleted CA a warning will pop up telling the user the site isn’t trusted. The user will then have to jump through hoops to bypass the warning and the ensuing session may not be encrypted.

Ah, understood. Yes, I assume it would be shared widely and this sort of breach would also be widely reported in the press. In addition, the next update of any of the major browsers would remove/invalidate the certificate.

I’m still not clear if the deletion was of the system certificates or user certificates. If the system certificates, see my first answer regarding what happens.

1 Like
