google chrome – How to check if certificate authority certificates have been unofficially installed to prevent MITM attacks

I was reading this article about the amazing frequency of MitM attacks when using HTTPS. About 18% of HTTPS connections are detected as intercepted by MITM proxies. As the big paper says:

To work around this validation, the local software injects a self-signed auto-signing certificate into the root store of the client browser during installation.
[…]
Contrary to popular belief, pinning by public key [19]- an HTTPS feature
that allows websites to restrict connections to a specific key – does not prevent this interception. Chrome, Firefox, and Safari only apply pinned keys when a certificate chain ends in an authority supplied with the browser or operating system. Additional validation is ignored when the string ends with a locally installed root (that is, a CA certificate installed by an administrator). [34].

To make the situation clearer:

SSL web browsing is exactly as powerful as the weakest certification authority.

I want to do sure My HTTPS connections are secure in at least three ways:

  • Chrome / Chrome
  • Firefox
  • Ubuntu Official Rest / Snap

Is there a way to make sure I do not have AC that does not come formally from these three main sources? In other words: How can I list installed certificates that are not included with Ubuntu / Firefox / Chrome?

Some research"

  • checkmyhttps looks old and not trustworthy
  • Chrome: I do not know if chrome: // parameters / certificates is a subset of which returns some of these commands:

    awk -v cmd = openssl x509 -noout -subject & # 39; & # 39; / BEGIN / {close (cmd)}; {print | cmd} </ etc / ssl / certs / ca-certificates.crt
    Trusted list
    certutil -L
    
  • I already have sudo update-ca-certificates -v -f but that just seems to update, not delete any sneaky certificate installed.

Reference