The Broken State of Trust In Root Certificates

Mattias Geniar, Saturday, June 27, 2015

Yesterday news came out that Microsoft has quietly pushed new Root Certificates via its Windows Update system.

The change happened without any notifications, without any KB and without anyone really paying attention to it.

Earlier this month, Microsoft has quietly started pushing a bunch of new root certificates to all supported Windows systems. What is concerning is that they did not announce this change in any KB article or advisory, and the security community doesn't seem to have noticed this so far.

Even the official Microsoft Certificate Program member list makes no mention of these changes whatsoever.

Microsoft quietly pushes 18 new trusted root certificates

This just goes to show how fragile our system of trust really is. Adding new Root Certificates to an OS essentials gives the owner of that certificate (indirect) root privileges on the system.

It may not allow direct root access to your machines, but it allows them to publish certificates your PC/server blindly trusts.

This is an open door for phishing attacks with drive-by downloads.

I think this demonstrates 2 very major problems with SSL Certificates we have today:

  1. Nobody checks which root certificates are currently trusted on your machine(s).
  2. Our software vendors can push new Root Certificates in automated updates without anyone knowing about it.

Both problems come back to the basis of trust.

Should we blindly trust our OS vendors to be able to ship new Root Certificates without confirmation, publication or dialog?

Or do we truly not care at all, as demonstrated by the fact we don't audit/validate the Root Certificates we have today?

Hi! My name is Mattias Geniar. πŸ‘‹ I'm an independent software developer ⌨️ & Linux sysadmin πŸ‘¨β€πŸ’», a general web geek & public speaker. Currently working on DNS Spy & Oh Dear! Follow me on Twitter as @mattiasgeniar 🐦.

πŸ”₯ If you're stuck with a technical problem, I'm available for hire to help you fix it!

Share this post

Did you like this post? Help me share it on social media! Thanks. πŸ€—

Have feedback?

New comments have been disabled on this blog, existing comments will remain as-is. Want to give feedback? Is there a mistake in the post?

Send me a tweet on @mattiasgeniar!


Howard Monday, June 29, 2015 at 22:31 -

Well, that’s wonderful. So if they can push these updates what else can they push out or more to the point what else have they pushed out without our knowledge.

Mr Gadgit Sunday, July 19, 2015 at 18:34 -

I am writing a program to keep an eye of these CA certificates and can mark them as safe once they have been accepted by me but where can i find a list of what CA’s i should have on my PC.

Lot’s of these Root CA’s don’t have intermediate certificates using them so does that make them safe to delete apart from the few odd microsoft certificates because it seems that no one knows.

My windows updates are turned off as is everything else i can turn off but i can see something is still able to push new CA certificates to my machine without windows giving me a warning but i have yet to track down just what it is.

Microsoft needs to stop treating my machine as a remote terminal and locking developers like me out from our own PC’s

M Tuesday, March 21, 2017 at 04:44 -

Your sentence “It may .. Drive-by downloads” is incredibly concerning. If it is true. Why isn’t this HOT news. With all the proven government spying going on on its citizens. Spying is not just happening in countries like Thailand. Which the West deems corrupt.

M Tuesday, March 21, 2017 at 04:52 -

@Mr. Gadgit.

Microsoft pushed a Root Cert on my Windows 8.1 machine yesterday. Which also caused a crash and forced automatic restart. It was from the Dutch Government. A country which is proven to be a big playground for international trial balloons. Of all things citizens deem not Kosher.

Inbound links