What are trusted credentials?

bartenderstoneware

security - more security settings - encyption & credentials

bereft_penguin

They are CA certificates, it is not advisable to add any certificates as it substantially increases the attack surface. However, they are sometimes required to connect to enterprise networks or to enable ssl encryption for a self hosted server etc. Just leave them alone unless you absolutely have to add one, and if you have to, do so with extreme caution.

bartenderstoneware

bereft_penguin

what is with delete one like amazon?

matchboxbananasynergy

bartenderstoneware Do not delete any of them. You will cause issues. This is not a setting that you should be playing around with if you don't know what you're doing, like the member above said.

Please leave it as is or you'll have issues and we won't know what you've done to help you revert it.

Zakirya

bartenderstoneware
Does grapheneos users get forced to trust someone like amazon for their certificates, and why can't we be without these? @GrapheneOS

bartenderstoneware

matchboxbananasynergy

thanks

thmf

Zakirya Does grapheneos users get forced to trust someone like amazon for their certificates, and why can't we be without these?

You're not forced to trust "someone like amazon", it's your device and you're free to remove their root certificates, but a good chunk of internet and internet based apps will stop working for you once you do that. As matchboxbananasynergy said, it will be very hard to help you to undo this.

dhhdjbd

just wondering, is there any security feature/ guarantee that i have the correct CAs?

I mean as in while they are shipped with the os, since they are changeable, they are not part of verified boot.

So could not in theory someone like change them and for example exchange the trusted amazon CA for a fake one (or just add one)? and then in a later attack send me to a fake website/ man in the middle my connections?

Is there something like appverifier for this?

(or do apps never have these permissions)

(I mean i have heard about a chain of trust for these before, do they like certifie each other? With some root os CA at the top?)

de0u

dhhdjbd just wondering, is there any security feature/ guarantee that i have the correct CAs?

I mean as in while they are shipped with the os, since they are changeable, they are not part of verified boot.

Are they changeable? A toggle to disable one isn't the same as the ability to change the contents.