Good evening! My name is Mark. I have seen a couple of posts in various boards now that carry the same theme: I don’t trust vendor root certificates -- I want to play devil’s advocate here and share some experience. Firstly, let’s understand that my trust levels went down this last 12 months--and its open-sourced programs that I scrutinize the most. After dealing with devices that had bullcrap certificates loaded (stolen developer certificates) to give access to surveillance and device hijacking software that made it near impossible to manage one’s own device…. I choose vendor. Vendors are at least operating with clear intentions: To make money. If you think a business exists for you, go back to basics. Business exists to make money. A vendor selling IT security will not last long if it is not delivering the product that it advertises and there are more than enough watchdogs and reviewers to make sure that conversation would be loud and clear. Open-sourced software….we’re still dealing with the growing pains. For every great thing software can do for us (open sourced or no) it can be used in an equally malicious fashion. We still have ethical problems that we are facing in an environment where anybody can access the sources...and alter them...or worse, alter the SDK that comes with. My two cents. Thank you Kaspersky. Here are the keys to my banking SSL...please.
