
New trusted root certificates added to Windows in unannounced update - svenfaw
https://hexatomium.github.io/2016/10/11/unannounced-root-cert-update/
======
kpil
Irrelevant - it's way beyond repair.

There is virtually nil chance that none of the root CAs are compromised or
influenced, or at least influenceable by a criminal organisation or group.

I also doubt that all governmental organisations that have the opportunity to
legally influence the CAs have full control of all their employees and that
they are not vulnerable to criminals.

I also doubt that the governmental organisations of the usual suspected
countries involved in government funded industrial espionage are not able to
influence CAs - in order to target information in other countries.

Actual lawful interception is inevitably possible - but it's a good thing so
it can be ignored. Actual political espionage can also be ignored, as it is
unlikely to happen to normal people and companies and nearly impossible to
avoid without considerate resources.

But the first three scenarios are probable, and can cause serious economical
harm, and can't be fixed without changing the whole current infrastructure.

~~~
eeZi
> Irrelevant - it's way beyond repair.

Doesn't mean we shouldn't try, since we're not getting rid of if anytime soon.

Google's Certificate Transparency is a great approach.

~~~
developer2
I think the point the parent was making is that it is likely that one or more
of the most prevalent certificate authorities' private keys have been
compromised - whether voluntarily provided to government, or obtained by
criminals via dubious methods.

Once the private keys are compromised, all bets are off. No database - whether
maintained by Google or anyone else - puts a dent in such a problem. It's one
thing to track inauthentic certificates; it's quite another to discover
someone silently decrypting traffic with a copy of the private key.

Edit: My response brings up an interesting question I hadn't considered
before. With the certificate chain, is it required to have the private keys
for the entire chain in order to be able to decrypt the stream? If someone has
the certificate authority top-level certificate, can they decrypt a domain's
certificate without having _its_ private key as well as any intermediates? If
not then it'd be true that the primary concern with a top-level private key
being compromised is illegitimate certificates being signed, in which case
Google's attempt to combat that with Certificate Transparency isn't half bad.

~~~
jakewins
Your edit is correct - it is the public certificate that is signed, so a cert
authority never sees the private cert and can hence not decrypt downstream.
The problem is issuing fake certificates.

------
mey
Microsoft has gotten really bad about describing what it is doing and planning
on doing with the Windows 10 generation. They've been called out on it before,
but I haven't seen much from them in a formal way over the last year.
Individual teams in the company may do an excellent job, but overall the bar
is low.

~~~
ersii
Were they really any better prior to Windows 10 though? I remember trying to
read the Windows 7 updates, but they were always seemed very... light on
material.

~~~
mey
There at least existed KB articles with patch details ahead of a patch being
dropped. I've routinely tried to dig up a newly deployed Windows bundle at
home on a machine not running the Insider Program and hit 404s pulling up the
KB number.

~~~
stryk
I've been getting a recommended driver update for the Broadcom Bluetooth
driver used by a little ASUS USB Bluetooth dongle I use (very common BT
chipset), yet I cannot find any information about any driver updates on ASUS'
nor Broadcom's websites. And the "More information" link in the Windows Update
dialog just points to a page that only says "Driver Information: Coming Soon
<br> Thank you for using Windows Update. The More Information feature is not
available yet. We apologize blah blah yadda yadda" (last sentence
paraphrased). Why the hell would I install a driver for which I can find no
information about? That's nuts. This isn't the first time I've ran into this
situation with Windows Update and driver "update" recommendations, either.

~~~
voltagex_
For the Bluetooth driver specifically, you may be able to to pull it down via
the Windows Update Catalog and inspect it that way. It may just be an OEM
version of Bluesoleil or similar.

------
mtgx
And this is happening as soon as Microsoft makes it so that you can't pick and
choose updates anymore. Yeah, it doesn't look suspicious at all.

[https://krebsonsecurity.com/2016/10/microsoft-no-more-
pick-a...](https://krebsonsecurity.com/2016/10/microsoft-no-more-pick-and-
choose-patching/)

~~~
peteretep

        > Yeah, it doesn't look suspicious at all.
    

Could you expand on what you think Microsoft's dastardly plan here is?

~~~
jwtadvice
To continue to trade access to corporations' and private computers' the world
over for political and economic advantage to the intelligence and treasury
communities.

Honestly I don't know whether this particular CA addition is a good example of
the sorts of backdoors that Microsoft is known to insert on behalf of
intelligence and police organizations. I think the parent was perhaps being a
bit flippant?

------
yakult
Would it be possible to replace MS's CA list with e.g. Firefox's entirely?
Would that break things?

~~~
walrus01
you can manually delete and import root CAs in the windows 10 CA trust store:

[https://technet.microsoft.com/en-
us/library/cc754841(v=ws.11...](https://technet.microsoft.com/en-
us/library/cc754841\(v=ws.11\).aspx)

~~~
userbinator
I believe I've read somewhere that that's not all of them, there's more
hardcoded in various system files.

------
grandalf
What's the best way to audit one's own computer for root certs that perhaps
should not be trusted?

~~~
nowayyeah
Switch to debian? You can't audit everything on your OS, you have to trust
somebody. I trust debian.

~~~
geofft
Why do you trust Debian? (I say this as a happy Debian
user/sysadmin/occasional package maintainer).

In particular, it's a volunteer-run organization in which it's not unusual at
all to volunteer to maintain a package as part of your day job that uses a
package, and where a large amount of discretion is given to the individual
package maintainer, until they choose to hand maintenance to someone else.
This is _perfect_ for an organization who wants to push security configuration
weaknesses. Even if you can't get a back door in, you can certainly default to
code that you have privately found vulnerabilities in, or compile with or
without certain options, add third-party patches that are pretty questionable,
or add CAs that are particularly easy to coerce. None of these actions look
weird at all, they just look like someone who is putting work into their
package and caring about doing Debian-specific work to make it work well. In
particular, until relatively recently, the Debian ca-certificates package
included the CAcert root cert, which was in very few other root stores, and
the SPI one, which was in no other stores.

It's also the case that Debian accepts binary packages built on the
developer's personal machine (and this used to be _required_ until very
recently), so it's very easy to straight-up upload a backdoor that isn't in
the source. (This might have changed recently, but I believe this was true at
least as recently as the last stable release.)

~~~
mattnewton
I trust people doing it largely for themselves and the community reputation
_more_ than I trust people who are expected to deliver more returns every year
in a stagnating market.

~~~
nixos
The problem is getting a bad actor into a large community is quite easy if
funds aren't an issue.

You think the NSA (or FSB, or whatever) can't pay for someone to maintain
nginx or apache?

~~~
mattnewton
That's totally fair, but I hope that each of those organizations has a vested
interest of exposing each other; at the very least it's in the NSA's charter
to protect American businesses against attacks, I have no idea if they feel
this is an effective way though. So yes, it's risky. But Microsoft has all
those disadvantages too, even though it's harder to get moles inside it's
easier to have their stuff undetected (and in the case of the NSA it might
even be done with full cooperation). Plus, the market share makes them a
bigger target.

Outside probably hypotheticals, what we know for certain is that microsoft is
attempting to monetize their new windows on the back of user's data.

~~~
nixos
While I mentioned the NSA, really the bigger threat is a guy (or hacker group)
who wants to pull off a million dollar heist. The NSA can get into
(practically) anything and everything.

To get a job at MS, you have to have a real life reputation. Once you get in,
there will be others analyzing your code, and your bug may not make it to
release.

To insert a bug into Debian, become a packager and you're done. Access to one
of the most popular server (the important stuff is here) OSs (Debian, Ubuntu)
on the web.

You're busted? Create another account and start over.

------
ourmandave
Do they mean the Windows 10 update that has bogged my system and failed once a
day for the last two weeks? That update? =(

~~~
neppo
does your main drive have more than 20GB free space?

If not, the update will fail.

~~~
DocTomoe
Wouldn't it be lovely if they checked that _before_ they did the whole
download/install/making the user wait for 15 minutes dance?

------
merb
> Trusting new CAs is always a big deal

well half of the list aren't _new_ CAs more like additional root certs.

~~~
SeriousM
... And the other half is new. What's your point again?

~~~
merb
well I didn't said that it's good or bad, I just said that they are
"familiar"? not sure why they even add more CAs since they already have one,
some of them with way more than 8 years left. they didn't had ECC certificates
tough.

