Editing Transport Layer Security (section)

===Certificate authorities===
{{Main|Certificate authority}}
TLS typically relies on a set of trusted third-party certificate authorities to establish the authenticity of certificates. Trust is usually anchored in a list of certificates distributed with user agent software,<ref>{{cite web|url=https://www.rsaconference.com/writable/presentations/file_upload/sec-t02_final.pdf|title=Alternatives to Certification Authorities for a Secure Web|last=Rea|first=Scott|date=2013|publisher=RSA Conference Asia Pacific|access-date=7 September 2016|url-status=live|archive-url=https://web.archive.org/web/20161007222635/https://www.rsaconference.com/writable/presentations/file_upload/sec-t02_final.pdf|archive-date=7 October 2016}}</ref> and can be modified by the relying party.

According to [[Netcraft]], who monitors active TLS certificates, the market-leading certificate authority (CA) has been [[NortonLifeLock|Symantec]] since the beginning of their survey (or [[Verisign|VeriSign]] before the authentication services business unit was purchased by Symantec). As of 2015, Symantec accounted for just under a third of all certificates and 44% of the valid certificates used by the 1 million busiest websites, as counted by Netcraft.<ref>{{Cite web|url=https://news.netcraft.com/archives/2015/05/13/counting-ssl-certificates.html|archive-url=https://web.archive.org/web/20150516035536/http://news.netcraft.com/archives/2015/05/13/counting-ssl-certificates.html|url-status=dead|title=Counting SSL certificates|archive-date=16 May 2015|access-date=20 February 2022}}</ref> In 2017, Symantec sold its TLS/SSL business to DigiCert.<ref>{{cite news|last1=Raymond|first1=Art|title=Lehi's DigiCert swallows web security competitor in $1 billion deal|url=https://www.deseretnews.com/article/865686081/Lehis-DigiCert-swallows-web-security-competitor-in-1-billion-deal.html|access-date=21 May 2020|work=Deseret News|date=3 August 2017|archive-date=29 September 2018|archive-url=https://web.archive.org/web/20180929171244/https://www.deseretnews.com/article/865686081/Lehis-DigiCert-swallows-web-security-competitor-in-1-billion-deal.html|url-status=dead}}</ref> In an updated report, it was shown that [[IdenTrust]], [[DigiCert]], and [[Sectigo]] are the top 3 certificate authorities in terms of market share since May 2019.<ref>{{cite web|title=Market share trends for SSL certificate authorities|url=https://w3techs.com/technologies/history_overview/ssl_certificate|website=W3Techs|access-date=21 May 2020}}</ref>

As a consequence of choosing [[X.509]] certificates, certificate authorities and a [[public key infrastructure]] are necessary to verify the relation between a certificate and its owner, as well as to generate, sign, and administer the validity of certificates. While this can be more convenient than verifying the identities via a [[web of trust]], the [[Global surveillance disclosures (2013–present)|2013 mass surveillance disclosures]] made it more widely known that certificate authorities are a weak point from a security standpoint, allowing [[man-in-the-middle attack]]s (MITM) if the certificate authority cooperates (or is compromised).<ref>{{cite magazine|url=https://www.wired.com/threatlevel/2010/03/packet-forensics|title=Law Enforcement Appliance Subverts SSL|archive-url=https://web.archive.org/web/20140412151324/http://www.wired.com/threatlevel/2010/03/packet-forensics|date=March 24, 2010|archive-date=April 12, 2014|magazine=[[wired (magazine)|wired]].com|author=[[Ryan Singel]]|url-status=live}}</ref><ref>{{cite web|title=New Research Suggests That Governments May Fake SSL Certificates|url=https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl|archive-url=https://web.archive.org/web/20100325223422/http://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl|date=March 24, 2010|archive-date=March 25, 2010|author=[[Seth Schoen]]|website=[[Electronic Frontier Foundation|EFF]].org|url-status=live}}</ref>