Comment Re:Are non-China users safe? (Score 2) 100
No. Any root CA (or anyone holding an intermediate CA cert with a trust chain back to a root) can sign a certificate for any domain at all.
Even worse, there is no way to know which certs you need and which you can get rid of. This question has remained open on Super User without a good answer for over half a year:
http://superuser.com/questions...