
Equifax Certificate Unravelling Security on Windows 10 OS - BandOfBots
https://leeneubecker.com/equifax-equimelt-vulnerability/
======
7a1c9427
I fail to see the security issue here, the Equifax certificate in question
(thumbprint: d23209ad23d314232174e40d7f9d62139786633a) has been revoked (on
Windows 10 at least) - it is in the system store to protect users by being
marked as revoked and thereby marking all child certificates and signatures as
invalid.

I strongly suspect all the other listed certificates are also marked as
revoked but I couldn't be bothered wasting my time checking.

~~~
kav2k
Having checked, 2 out of 4 are currently revoked.

Equifax and Thawte Premium Server CA.

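One way to check these claims on a Windows 10 host, as an added example that is not part of the thread: it reports which certificate stores hold the quoted thumbprint (the Disallowed store, shown as "Untrusted Certificates" in certmgr, is where Windows keeps certificates it refuses to trust), together with the signature algorithm and key size the later comments discuss. Only the Equifax thumbprint quoted above is included; the other three certificates are not identified by thumbprint in the thread, so any you add are your own.

```powershell
# Added example (not from the thread): locate a certificate by thumbprint
# across the common Windows stores and show whether it sits in Disallowed.
# A hit in Cert:\*\Disallowed means chains ending at it are rejected,
# whatever the signature algorithm on the root itself says.
$thumbprints = @(
    'D23209AD23D314232174E40D7F9D62139786633A'   # Equifax root, as quoted in the thread
    # Add further thumbprints here; the thread does not give them.
)

$locations = 'LocalMachine', 'CurrentUser'
$stores    = 'Root', 'AuthRoot', 'CA', 'Disallowed'

foreach ($tp in $thumbprints) {
    $found = $false
    foreach ($loc in $locations) {
        foreach ($store in $stores) {
            $path = "Cert:\$loc\$store"
            if (-not (Test-Path $path)) { continue }
            # Thumbprint comparison is case-insensitive in PowerShell (-eq).
            $hits = Get-ChildItem -Path $path | Where-Object { $_.Thumbprint -eq $tp }
            foreach ($cert in $hits) {
                $found = $true
                # GetRSAPublicKey returns $null for non-RSA keys (e.g. ECC roots).
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
                $keySize = if ($rsa) { $rsa.KeySize } else { 'n/a (non-RSA)' }
                [pscustomobject]@{
                    Thumbprint   = $tp
                    Store        = $path
                    Untrusted    = ($store -eq 'Disallowed')
                    Subject      = $cert.Subject
                    SignatureAlg = $cert.SignatureAlgorithm.FriendlyName   # e.g. md5RSA, sha1RSA
                    KeySize      = $keySize
                    NotAfter     = $cert.NotAfter
                }
            }
        }
    }
    if (-not $found) { Write-Warning "Thumbprint $tp not present in any inspected store" }
}
```

Run it in an elevated PowerShell session so the LocalMachine stores are readable; a certificate that appears only under Disallowed is blocked even though it is technically "in the system store".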
------
raesene9
Unless I'm misreading this, the "vulnerability" is 4 certs deployed on
machines with deprecated hashing algorithms.

The steps the author takes from that to "this could allow your machine to be
compromised" are... well, tenuous at best. The idea that just because a
certificate is present, an attacker will easily be able to use that to sign
malware and bypass anti-malware protections as a result doesn't appear
supported by the evidence presented.

~~~
bdonlan
Moreover the hash algorithm doesn't matter for the root cert, because the
system has a trusted copy of the certificate in its root cert store and
doesn't need to check any signatures on the root itself.

------
agl
This is nonsense. The self-signature on a root certificate is irrelevant
unless you can easily calculate second pre-images, and that's not true even of
MD5, and accepting a root doesn't mean that the validator would accept that
hash function on a non-root.

Equifax is only a 1024-bit RSA key, which isn't ideal, but it expires on Aug
22nd this year and the key-size of the root doesn't impact confidentiality.

