Web trust dies in darkness: Hidden Certificate Authorities undermine public crypto infrastructure


Security researchers have surveyed the web's public key infrastructure and measured a long-known but little-analyzed security threat: hidden root Certificate Authorities, roots that sign certificates in the wild without ever having been admitted to the public trust stores.

Certificate Authorities, or CAs, vouch for the digital certificates we use to establish trust online. You can be reasonably confident that your bank's website is actually your bank's website when it presents your browser with an end-entity (leaf) certificate that links, through a chain of trust, to one or more intermediate certificates and ultimately to the self-signed X.509 root certificate of a CA your browser already trusts. Each link is a signature: the root signs the intermediate, the intermediate signs the leaf, and the browser accepts the chain only if it terminates in a root present in its trust store.

Each browser relies on a trust store consisting of roughly a hundred to a hundred and fifty root certificates that belong to a smaller set of organizations. Mozilla's CA Certificate List, for example, currently holds 151 root certificates representing 53 organizations. A certificate that chains to a root outside that list is cryptographically well-formed but should fail validation; a "hidden" root is one that issues such certificates anyway, relying on some other trust store (a corporate, device or software store) to accept them.
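The chain-of-trust and trust-store mechanics described above, as an added worked example that is not part of the article or the researchers' work: the script builds a leaf, an intermediate and a root with the openssl CLI, then path-validates the leaf against a store that contains its root and against a store that does not. The second case is what a hidden root CA looks like to a relying party whose store never admitted it. It assumes an `openssl` binary (1.1.1 or newer) on PATH; every subject name, file name and the `bank.example` host are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not the article's code): leaf -> intermediate -> root with
# the openssl CLI, then chain validation against two different trust stores.
# Assumes `openssl` 1.1.1+ on PATH. All names below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: a root CA, a subordinate CA that may not issue further
# CAs (pathlen:0), and an end-entity (leaf) server certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root_ext.cnf
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int_ext.cnf
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:bank.example\n' > leaf_ext.cnf

# self_signed_root NAME OUTBASE: key, CSR and a self-signed root certificate.
# Self-signing via `x509 -req -signkey` avoids the default openssl.cnf
# x509_extensions leaking into the certificate.
self_signed_root() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -signkey "$2.key" -days 30 -sha256 \
    -extfile root_ext.cnf -out "$2.pem" 2>/dev/null
}

# issue NAME OUTBASE ISSUERBASE EXTFILE: key + CSR signed by ISSUERBASE's key.
issue() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$4" -out "$2.pem" 2>/dev/null
}

self_signed_root "Example Public Root CA" public_root   # stands in for the browser store
self_signed_root "Example Hidden Root CA" hidden_root   # never admitted to that store
issue "Example Hidden Intermediate CA" hidden_int hidden_root int_ext.cnf
issue "bank.example" leaf hidden_int leaf_ext.cnf

# verify_chain STOREFILE: path-validate leaf.pem, offering hidden_int.pem as
# an untrusted intermediate and trusting only the certificates in STOREFILE.
# Returns openssl's exit status: 0 only when the chain anchors in the store.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted hidden_int.pem leaf.pem 2>&1
}

# root_fingerprint CERT: SHA-256 fingerprint, the value you would look up in a
# published root list (such as Mozilla's) to see whether a root is admitted.
root_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

echo "hidden root fingerprint: $(root_fingerprint hidden_root.pem)"
echo "store = hidden_root.pem (root admitted):"
verify_chain hidden_root.pem || true
echo "store = public_root.pem (root not admitted):"
verify_chain public_root.pem || true
```

The intermediate is deliberately passed with `-untrusted`: it supplies signatures for chain building but confers no trust, so adding a hidden root there would change nothing. Only what is in the `-CAfile` store (or, in a browser, the root program's list) can anchor the chain, which is why the second verification fails with an "unable to get local issuer certificate" style error even though every signature in the chain is valid.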

Source: The Register