AnsweredAssumed Answered

State institutions being it's own CA and graded with F

Question asked by j-mailor on Feb 14, 2014



I have searched some state institutions web sites with and how well they have implemented SSL protocol. One of the most interesting thing is on ssltest they are all rated with F because they use not trusted certificate. Actually they are using a certificate issued by a state CA that is not included in browser as trusted root CA.


In this case user has to import a CA into browser (e.g. Firefox - I understand the risk and add the certificate).


I know this kind of manual adding the certificate to browser certificate store poses MITM-risk, but it is also not expected that state CA will be in browser certificate store.


In my humble opinion end-users should NEVER manually import certificate, because this is just risky and most of the end-users are not security experts to understand the risk. How do you think state CAs should act to stop this manually import madness?