Yesterday news came out that Microsoft has quietly pushed new Root Certificates via its Windows Update system.
The change happened without any notifications, without any KB and without anyone really paying attention to it.
Earlier this month, Microsoft has quietly started pushing a bunch of new root certificates to all supported Windows systems. What is concerning is that they did not announce this change in any KB article or advisory, and the security community doesn’t seem to have noticed this so far.
Even the official Microsoft Certificate Program member list makes no mention of these changes whatsoever.
This just goes to show how fragile our system of trust really is. Adding new Root Certificates to an OS essentials gives the owner of that certificate (indirect) root privileges on the system.
It may not allow direct root access to your machines, but it allows them to publish certificates your PC/server blindly trusts.
This is an open door for phishing attacks with drive-by downloads.
I think this demonstrates 2 very major problems with SSL Certificates we have today:
- Nobody checks which root certificates are currently trusted on your machine(s).
- Our software vendors can push new Root Certificates in automated updates without anyone knowing about it.
Both problems come back to the basis of trust.
Should we blindly trust our OS vendors to be able to ship new Root Certificates without confirmation, publication or dialog?
Or do we truly not care at all, as demonstrated by the fact we don’t audit/validate the Root Certificates we have today?