In the summer of 2011, a small Dutch company called DigiNotar issued a wildcard certificate for *.google.com.
Google didn’t ask for it. Google had never been a DigiNotar customer. But that didn’t matter, because every browser on the planet trusted DigiNotar, and a certificate signed by a trusted CA is a valid certificate for whatever name is printed on it. Somebody in Iran used that cert to run a man-in-the-middle attack on Gmail. The forensic report later counted requests from 298,140 unique IP addresses trying to reach Google services through the forged certificate. Ninety-five percent of them were in Iran.
DigiNotar was dead within a month. Mozilla, Microsoft, and Google yanked the root, the company filed for bankruptcy on September 20, and a CA that had been quietly signing Dutch government certificates for years simply stopped existing.
The part that should bother you more than the attack: nothing about the system prevented it. DigiNotar wasn’t supposed to issue Google certificates, but no technical rule stopped it. The only thing standing between any one of the world’s certificate authorities and a perfect forgery of your domain is that they’re supposed to not do that.
The trust model is one giant OR
Open your browser’s certificate settings and look at the root store. You’ll find a list of certificate authorities you have never heard of, run by companies in countries you weren’t thinking about, each one of which your browser trusts completely and unconditionally.
As of late 2025, Mozilla’s root store ships about 144 root CAs with the TLS trust bit enabled. Apple, Microsoft, and Chrome run their own stores with heavily overlapping but not identical lists. Call it 150, give or take, depending on whose machine you’re on.
Now the fact most people get wrong: any one of those CAs can issue a certificate for any domain. Not just the domains they “own.” Any domain. Yours, mine, a bank’s. The trust isn’t partitioned. A CA in one jurisdiction can vouch for a hostname registered on the other side of the world, and your browser accepts it without blinking.
So your security against certificate forgery isn’t the strength of your CA. It’s the weakest of all 150. The whole edifice is a logical OR: the attacker only needs one of them to misissue, get compromised, or get coerced. You don’t get to pick which 149 strangers you’re not trusting.
That’s an absurd way to build a security system. It’s also the one we have.
We had a fix. We didn’t use it.
The frustrating thing is that X.509 has had a mechanism to scope CAs for decades. It’s called name constraints, defined back in RFC 5280. You can issue a CA certificate that says, in effect, “this authority may only sign names under example.gov and nothing else.” Hand a sub-CA a constrained certificate and it’s harmless outside its lane — it physically cannot produce a valid cert for google.com.
So why isn’t every public root constrained?
Two reasons, and they feed each other. First, the public CAs are businesses whose entire product is the ability to sign any domain a paying customer can prove they control — constraining them defeats the point. Second, client support was historically a mess. For years, only Firefox reliably enforced name constraints; other validators treated them as decorative or ignored them outright. And a security control that only some clients check isn’t a control. It’s a suggestion. So nobody could rely on it, so nobody pushed it, so it stayed niche — useful for private and government PKI, absent from the public web.
The result is that the public trust model never got the partitioning it desperately needed. Every root can still sign everything.
So why doesn’t this happen every week?
Because the leverage moved.
The thing that actually keeps the system standing isn’t a clever protocol. It’s that the people who run the root stores got willing to kill CAs, and the CAs know it. A certificate authority does not exist because it’s cryptographically privileged. It exists because four or five browser root programs agree to keep its certificate in their list. The moment they stop agreeing, the CA is worthless — every cert it ever signed turns into a browser warning.
This is a relatively recent kind of power, and the executions tell the story better than the rules do.
In 2017, Chrome and Mozilla decided to distrust Symantec — at the time the largest commercial CA on the web, responsible for a huge slice of all certificates in existence — after years of misissuance incidents. They didn’t pull it overnight; they couldn’t, the blast radius was too big. They phased it out across 2018 until the roots were gone. Symantec sold its CA business off rather than die with it.
In 2022, Mozilla and Microsoft removed TrustCor. What’s interesting here is why: not a specific forged certificate, but reporting that tied the CA to a company distributing spyware. They pulled it over who TrustCor appeared to be, not over a concrete misissuance. Trustworthiness, it turns out, is part of the deal, and the root programs get to decide what that means.
And in 2024, Google announced it would distrust Entrust — one of the oldest names in the business — citing a pattern of compliance failures and “the absence of tangible, measurable progress” on incident reports. Certificates with timestamps after November 11, 2024 simply stopped being trusted in Chrome. Apple and Mozilla followed within weeks. The message was unmistakable: a long history and a big customer base buy you exactly nothing if you stop meeting the bar.
The power is now explicit
For most of the web’s life, Chrome didn’t even have its own root store — it borrowed the operating system’s. That changed. Starting with Chrome 105 in September 2022, Google rolled out the Chrome Root Store and now ships its own list, OS-independent, on Windows, macOS, Linux, Android, and ChromeOS.
Read that again. The most popular software on Earth now decides, on its own, which certificate authorities are allowed to participate in the web’s trust. Combine that with the CA/Browser Forum’s Baseline Requirements and the willingness to execute, and you get the real shape of the modern system.
We didn’t fix the OR gate. We hired referees who can throw any of the 150 players out of the game.
So when someone tells you the web’s security rests on 150 certificate authorities, they’ve got it backwards. The 150 CAs are the ones being trusted on probation. The actual trust — the thing your encrypted connection ultimately depends on — sits with the handful of people who run the root programs and have shown they’ll pull a root when they have to. That’s a smaller, more accountable group than 150 strangers in 50 countries. It’s a genuine improvement.
It’s also nothing anyone set out to design. We backed into it one dead CA at a time.