
Windows Certificate Manager does not display the complete trust list - svenfaw
http://hexatomium.github.io/2015/08/29/why-is-windows/
======
geographomics
You can also use certutil to grab all the trusted root certificates from the
Windows Update server:

    
    
        certutil -generateSSTFromWU roots.sst
    

Then open roots.sst (which defaults to viewing in certmgr) and it will show
the whole lot. Or use certutil -syncWithWU to get all the certs individually.

Alternatively: download
[http://ctldl.windowsupdate.com/msdownload/update/v3/static/t...](http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab)
[1], extract the authroot.stl file (which is in PKCS#7 format), use 'certutil
-dump' to list all the subject key identifiers therein, and then download them
from the same location as authrootstl.cab by appending ".crt" to the
identifier.

Windows is not lying about anything, you just need to look in the right place.

Also, if you want to examine the CTL list that Windows is currently using -
which should be identical to the one above unless it's brand new or there has
been a problem downloading it - this will extract it from the registry:

    
    
        powershell -Command "[IO.File]::WriteAllBytes('authroot-local.stl',(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate').EncodedCtl)"
    

Then use 'certutil -dump' or whatever you like, it's exactly the same format
as the downloaded authroot.stl. This is the same registry data that the OP's
CTLInfo tool examines.

[1] as specified in [https://support.microsoft.com/en-us/kb/2677070](https://support.microsoft.com/en-us/kb/2677070)
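The procedure above, as an added PowerShell example (not code from the thread): pull the AuthRoot CTL Windows is currently using out of the registry, fetch the published copy from ctldl.windowsupdate.com, and compare the two before dumping them with certutil. It assumes Windows PowerShell 4.0 or later (for Get-FileHash), certutil.exe and expand.exe on PATH, and the 'EncodedCtl' value name quoted above.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 4.0+,
# certutil.exe and expand.exe on PATH, and the 'EncodedCtl' registry value
# named in the comment above.

$work = $PWD.Path
$regPath = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'

# 1. The CTL this machine is actually using right now
$localCtl = (Get-ItemProperty -Path $regPath).EncodedCtl
[IO.File]::WriteAllBytes("$work\authroot-local.stl", $localCtl)

# 2. The CTL Microsoft is publishing (plain HTTP; the file itself carries a PKCS#7 signature)
$cabUrl = 'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab'
Invoke-WebRequest -Uri $cabUrl -OutFile "$work\authrootstl.cab"
expand.exe "$work\authrootstl.cab" -F:authroot.stl $work | Out-Null

# 3. Same bytes? If not, the box is either behind or its last update failed.
$localHash  = (Get-FileHash -Algorithm SHA256 "$work\authroot-local.stl").Hash
$remoteHash = (Get-FileHash -Algorithm SHA256 "$work\authroot.stl").Hash
if ($localHash -eq $remoteHash) {
    'Local CTL is identical to the published one'
} else {
    'Local CTL differs from the published one; remaining values in the AutoUpdate key:'
    Get-ItemProperty -Path $regPath | Select-Object -Property * -ExcludeProperty EncodedCtl, PS*
}

# 4. Human-readable dump. Each entry's 20-byte SubjectIdentifier is the SHA-1
#    thumbprint of a root and also its filename under .../trustedr/en/<hex>.crt
certutil -dump "$work\authroot.stl"
```

Run it from a normal prompt; reading the AutoUpdate key does not need elevation. The hash comparison is the quick answer to "is my machine's list the same as Microsoft's", and the certutil dump is where the individual thumbprints come from.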

~~~
mattkrea
The bigger takeaway from this is with a system like this (fully managed by
Windows Updates).. how can you remove certificates _you_ don't trust?

Latest documentation for this seems to be for IE 5. I sure as hell like to run
dpkg-reconfigure ca-certificates every once in a while after some roots get
compromised and don't trust Microsoft to be on the ball.

~~~
geographomics
It can be added to the disallowed certificate store, which takes precedence
over any trusted stores.

For example, using the root discussed in the article:

1. Download the root cert from
[http://ctldl.windowsupdate.com/msdownload/update/v3/static/t...](http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/22fdd0b7fda24e0dac492ca0aca67b6a1fe3f766.crt)
(or save it from the browser's certificate viewer)

2. Open certmgr and import it into 'Untrusted Certificates'.

(This just adds it for the current user's store. Could also import into the
computer store by running mmc, adding the Certificates snap-in, and specifying
'Computer account' as the target.)

3. Restart browser. Go to
[https://certplusrootcag1-test.opentrust.com/](https://certplusrootcag1-test.opentrust.com/)
- it should say the certificate is revoked.

This only works for browsers like IE and Chrome, that use the Windows
certificate store. Firefox has its own so would have to be done separately.
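The same distrust steps done from PowerShell rather than certmgr, as an added example that is not part of the thread: download the root, add it to the 'Disallowed' store (the one certmgr labels 'Untrusted Certificates'), then build a chain against it to confirm Windows now rejects it. It assumes the .crt URL from the comment above (any other root works the same way) and Windows PowerShell 3.0 or later.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 3.0+ and
# the .crt URL quoted in the comment above.

$work = $PWD.Path
$crtUrl = 'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/22fdd0b7fda24e0dac492ca0aca67b6a1fe3f766.crt'
Invoke-WebRequest -Uri $crtUrl -OutFile "$work\root-to-distrust.crt"
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList "$work\root-to-distrust.crt"
"Distrusting $($root.Subject) (thumbprint $($root.Thumbprint))"

# 'Disallowed' is what certmgr shows as 'Untrusted Certificates'. CurrentUser only
# affects this account; use 'LocalMachine' from an elevated prompt to cover everyone.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Disallowed', 'CurrentUser'
$store.Open('ReadWrite')
$store.Add($root)
$store.Close()

# Chain building consults Disallowed before any trust store, so even the root itself fails now.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($root)
"Chain builds: $built"
foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }

# To undo:
# Get-ChildItem Cert:\CurrentUser\Disallowed | Where-Object { $_.Thumbprint -eq $root.Thumbprint } | Remove-Item
```

After running it, `Chain builds: False` with an explicit-distrust style status is the expected result; browsers that use the Windows store need a restart to pick the change up, as the comment says, and Firefox is unaffected.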

~~~
mattkrea
Thanks! While I still find this kind of backwards at least something like this
exists.

~~~
skrebbel
Hmm, I think it's a very elegant design, probably built to _precisely_ address
the problem you asked about. Update server manages whitelist, user/admin
manages blacklist, which wins. Nice!

~~~
mattkrea
I prefer the situation on Linux where I don't have the certificate at all
rather than getting the certificate and having to mark it untrusted.

Edit: I'm referring to configuring the package as ca-certificates is installed
or via dpkg-reconfigure

~~~
brazzledazzle
Correct me if I'm wrong, but don't several distros come with pre-packaged root
CAs?

~~~
uxp
I think the idea the parent is trying to express is that if the Linux distro
(and OS X in this situation) comes with the root certificate trusted by
default via ca_root_nss/ca-bundle or whatever the packager decides to name it
they can disable it before even connecting to the internet, and if the
certificate is not trusted by default then they don't need to worry about it
magically getting trusted in the future outside of the simple fact of updating
the root certificate store blindly without inspecting it.

Microsoft's approach means that the user would have to go find the certificate
on the internet and blacklist it explicitly, which allows a small window where
the computer is vulnerable to some kind of attack involving a certificate
signed by the unwanted authority.

------
brudgers
One feature of Windows is defaulting to not showing messy complexity to the
user. The other feature is defaulting to backward compatibility. Combined,
this means that Windows often has more than two data stores for some aggregate
feature [e.g. web browser security, software configuration etc.] as new
versions of Windows implement these features in more robust ways.

So yeah there are two or more places where certificates are stored. Typical
users only care about the abstraction of web security so that's what Windows
surfaces. Application developers should choose the new store for new
applications. Existing applications can use the old method. System
administrators and security consultants should make themselves familiar with
all the documentation and double their rates.

Bloggers, however, are still free to write linkbait headlines using the
Windows bashing meme.

~~~
UnoriginalGuy
The problem with your argument is that this is an administrative GUI that
isn't even normally presented to end users unless you search for it or know
how MMC snap-ins work. It is a power-user interface by all measure.

And while Microsoft does simplify UIs for end users, they don't typically do
the same for administrative content (just look at anything in the Admin Tools,
or MMC snap-ins, no sugar coating there).

Your argument about backwards compatibility is at best confusing. What do the
data stores utilised have to do with UI representations of the same? I can
name numerous examples where things changed behind the scenes and the UI was
just updated to support it (e.g. Disk Manager now supports ESP, and exFat,
same UI, ConHost now supports Powershell, same UI, Defrag now supports Trim
for SSDs, same UI, etc).

> So yeah there are two or more places where certificates are stored. Typical
> users only care about the abstraction of web security so that's what Windows
> surfaces.

No, it doesn't. As the blogpost clearly shows it doesn't "surface" all root
CAs usable by websites.

> Application developers should choose the new store for new applications.
> Existing applications can use the old method.

Huh? What do application developers have to do with this? I don't see the
connection. This isn't talking about the custom root CAs you may install, it
is talking about Microsoft's list of preinstalled ones.

> System administrators and security consultants should make themselves
> familiar with all the documentation and double their rates.

Please link to the documentation about this on Microsoft's site.

> Bloggers, however, are still free to write linkbait headlines using the
> Windows bashing meme.

Aside from the word "lying" (which is emotive), the title is largely accurate.
Windows does mislead about installed trusted root CAs. And nothing you've said
in this apologist answer has come close to addressing that, you're just
dancing around it.

~~~
tptacek
Please don't call commenters "apologists" on HN.

~~~
reality_czech
While I agree that UnoriginalGuy's post could have been phrased in a more
neutral manner, the post he was replying to referred to the article as
"linkbait" based on a "Windows bashing meme." Is that a neutral phrasing?
Given that the article was revealing new information to most of the people
here, I strongly disagree that the article is "linkbait."

I think you are personalizing the debate in exactly the way you are supposedly
trying to avoid. Let's debate the facts, not hurt feelings. Nobody has been
rude here (at least in the few posts I read). There is nothing wrong with
calling someone an apologist, as long as it is done in a respectful way and
not just to get a rise out of someone. We don't need to shrink the space for
debate here any more than it already has been.

~~~
tptacek
Totally fair point. I'm not invested in the debate so much as the word
"apologist" sets me off.

~~~
benbenolson
How could that word possibly set you off? It's a common word in the English
language, and couldn't possibly be offensive by any stretch of the word.

> a person who offers an argument in defense of something controversial.

Is it just me, or are the majority of online communities that I visit becoming
overrun with people that get offended by the slightest amount of bold or
confrontational behavior?

------
TazeTSchnitzel
Windows isn't lying. Microsoft openly lists what certificates Windows includes
on their site. The fact the root certificate store on your machine only lists
certificates it actually contains is to be expected.

This is just a UI failure.

~~~
pandog
But there's a difference between looking at the list of root certificates that
Microsoft say Windows trusts and looking at the list of root certificates that
Windows trusts.

~~~
dtech
Only if the two lists differ, _that_ would actually be noteworthy. Currently
it's just a blatantly clickbait title.

~~~
pandog
If it changes and you haven't taken the software update yet the lists will
differ.

------
iancarroll
If you're interested in seeing new roots, Microsoft has started posting all
updates to the cabfpub mailing list:

[https://cabforum.org/pipermail/public/2015-August/005847.htm...](https://cabforum.org/pipermail/public/2015-August/005847.html)

------
Animats
What seems to be happening with Windows is that Microsoft is making the
machine more a slave of their services with each new release. It's as if
they're trying to catch up with Chromebooks, which are totally slaved to
Google. Especially since Windows 10 is free with ads. Treating the local
certificate store as a cache to the main certificate store at Microsoft HQ is
consistent with this.

How difficult it is to hijack the link between the local and remote
certificate stores? That's a potential attack surface. It's not hard-coded;
it's a registry key
(Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate). The default URL
is "ctldl.windowsupdate.com".

So what protects that domain from being hijacked via DNS poisoning? It ought
to have a valid SSL cert, right? Well, no. Go to
[https://ctldl.windowsupdate.com/](https://ctldl.windowsupdate.com/):

    
    
        ctldl.windowsupdate.com uses an invalid security certificate.
    
        The certificate is only valid for the following names:
        a248.e.akamai.net, *.akamaihd.net, *.akamaihd-staging.net,
        *.akamaized.net, *.akamaized-staging.net  
        (Error code: ssl_error_bad_cert_domain)
    

Uh oh. Am I missing something, or are root certs downloaded over an unsecured
channel?

~~~
geographomics
They are transmitted over an unencrypted channel, but the CTL files themselves
(authroot.stl and disallowedcert.stl) are signed by Microsoft so it's fine.
Any modification in transit can be detected and presumably will cause them not
to be updated.
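What "signed by Microsoft" amounts to in practice, as an added example rather than code from the thread: decode a freshly downloaded authroot.stl as PKCS#7 SignedData with .NET's SignedCms, verify the signature, and check that the signer chains to a trusted root under the Microsoft Root List Signer application policy. It assumes Windows PowerShell 3.0 or later with the System.Security assembly and expand.exe on PATH; the content-type and EKU OIDs are szOID_CTL and szOID_ROOT_LIST_SIGNER from wincrypt.h.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 3.0+,
# System.Security available, and expand.exe on PATH.
Add-Type -AssemblyName System.Security

$work = $PWD.Path
$cabUrl = 'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab'
Invoke-WebRequest -Uri $cabUrl -OutFile "$work\authrootstl.cab"
expand.exe "$work\authrootstl.cab" -F:authroot.stl $work | Out-Null

# authroot.stl is PKCS#7 SignedData wrapping a CTL (szOID_CTL = 1.3.6.1.4.1.311.10.1)
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode([IO.File]::ReadAllBytes("$work\authroot.stl"))
if ($cms.ContentInfo.ContentType.Value -ne '1.3.6.1.4.1.311.10.1') {
    throw "Unexpected content type $($cms.ContentInfo.ContentType.Value); not a CTL"
}

# Flip one byte of the file and this throws: that is the in-transit tamper detection.
$cms.CheckSignature($true)    # $true = signature only; the chain is checked below
'Signature over the CTL verifies'

$rootListSignerEku = '1.3.6.1.4.1.311.10.3.9'   # szOID_ROOT_LIST_SIGNER
foreach ($si in $cms.SignerInfos) {
    $signer = $si.Certificate
    "Signer: $($signer.Subject)"
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid -ArgumentList $rootListSignerEku))
    $chain.ChainPolicy.ExtraStore.AddRange($cms.Certificates)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($signer)) {
        foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }
        throw 'Signer does not chain to a trusted root under the Root List Signer policy'
    }
    "  chains to: $($chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject)"
}
```

This is exactly the guarantee the signature gives and no more: a modified or forged CTL fails, but an older CTL that Microsoft genuinely signed still verifies. Whether a replayed old list is accepted depends on the sequence number and update time inside the CTL content, which SignedCms does not decode; a rollback check has to parse that inner structure and compare it with what is already in the registry, which is the open question in the exchange below.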

~~~
Animats
So an attacker could return an old "disallowedcert.stl" to re-activate a
revoked cert?

~~~
geographomics
It would be interesting to try. There's a sequence number in the CTL which
could prevent this type of attack, but I don't know if it's actually checked
against that which is currently stored.

------
nota_bene
Isn't the first question to ask "Can I trust Windows?" (and the answer "no",
for all the obvious reasons)?

------
wfunction
Is this really true? When I navigate to
[https://certplusrootcag1-test.opentrust.com/](https://certplusrootcag1-test.opentrust.com/)
I see the root certificate is "Certplus Root CA G1", not "OpenTrust Root CA
G1"...

~~~
setyfse4
It is "Certplus Root CA G1" in my system too. This CA was added recently
([http://www.infoworld.com/article/2941594/security/microsoft-...](http://www.infoworld.com/article/2941594/security/microsoft-quietly-pushes-17-new-trusted-root-certificates-to-all-windows-systems.html)).

------
Animats
The Edge browser doesn't display certificate data at all. This has been
discussed on the CAB forum mailing list recently.

------
FreeHugs

        CTLInfo is the result of a few sleepless nights spent
        understanding and reverse engineering some of the CTL
        obscure format
    

I wonder what the reason is to use a user-unfriendly system like Windows and
then spend hours and hours fighting it?

No matter how much time you put in, you will never win against an OS that is
working against your interests.

~~~
philtar
1) Because MSFT provides great corporate support for desktops. Keyword: great.
Not good. Great.

2) Because people are used to it.

3) Because Office products are the de facto standard, and they run best on
windows.

I could go on, but you get the point.

~~~
philliphaydon
Everyone talks about how great the alternatives for office are. But they are
good. Not great. Even office word online is better than Google docs.

~~~
zxcvcxz
What is "better" about MS word than google docs? The only reason I see to use
word is if you're using files from 1999 that don't work anywhere else.

Google docs is a much simpler system, especially for places like schools
because of the "cloud" nature of it. Google docs has all the features the
average person needs.

MSWord is for specialty cases, google docs and the open alternatives are for
everyone else.

I'm about to earn a masters degree and I've never needed to use MS word.
Double spacing, page numbers, and aligning text work in just about every
processor. I've rarely received a word document from a professor that used
advanced features of word, they're always poorly formatted.

~~~
icebraining
In my experience, Docs can't even reliably align the cursor with the position
between characters (problem described here[1], except my zoom is at 100%
already).

Thankfully all my documents have very light formatting, so I can just write in
Vim and then upload them.

[1] [http://www.podiohelp.com/google-docs-cursor-misaligned/](http://www.podiohelp.com/google-docs-cursor-misaligned/)

~~~
scholia
I get this as well, and I have another problem. I usually work in Word but one
company wants things in Google Docs. OK, I create the document in Word in
Times Roman and paste it into Google Docs.... which converts it into Arial.

If I copy something else from the same Word document into the same Google Doc,
then Google keeps it in Times. How does that work?

Is there a "smart paste" feature I've missed?

~~~
ryanlol
[https://msdn.microsoft.com/en-us/library/windows/desktop/ms649013(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms649013\(v=vs.85\).aspx)

~~~
scholia
Sorry if I'm being thick, but I'm using the same clipboard to paste between
the same two documents, so I still don't see why GDocs should interpret them
differently....

I can try clearing the clipboard between pastes: would that make a difference?

------
benevol
Since when did anyone trust Windows/Microsoft/closed source software, anyway?

Did I miss anything?

