Hacker News new | past | comments | ask | show | jobs | submit login

You can also use certutil to grab all the trusted root certificates from the Windows Update server:

    certutil -generateSSTFromWU roots.sst
Then open roots.sst (which defaults to viewing in certmgr) and it will show the whole lot. Or use certutil -syncWithWU to get all the certs individually.

Alternatively: download http://ctldl.windowsupdate.com/msdownload/update/v3/static/t... [1], extract the authroot.stl file (which is in PKCS#7 format), use 'certutil -dump' to list all the subject key identifiers therein, and then download them from the same location as authrootstl.cab by appending ".crt" to the identifier.

Windows is not lying about anything, you just need to look in the right place.

Also, if you want to examine the CTL list that Windows is currently using - which should be identical to the one above unless it's brand new or there has been a problem downloading it - this will extract it from the registry:

    powershell -Command "[IO.File]::WriteAllBytes('authroot-local.stl',(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate').EncodedCtl)"
Then use 'certinfo -dump' or whatever you like, it's exactly the same format as the downloaded authroot.stl. This is the same registry data that the OP's CTLInfo tool examines.

[1] as specified in https://support.microsoft.com/en-us/kb/2677070

The bigger takeaway from this is with a system like this (fully managed by Windows Updates).. how can you remove certificates you don't trust?

Latest documentation for this seems to be for IE 5. I sure as hell like to run dkpkg-reconfigure ca-certificates every once in a while after some roots get compromised and don't trust Microsoft to be on the ball.

It can be added to the disallowed certificate store, which takes precedence over any trusted stores.

For example, using the root discussed in the article:

1. Download the root cert from http://ctldl.windowsupdate.com/msdownload/update/v3/static/t... (or save it from the browser's certificate viewer)

2. Open certmgr and import it into 'Untrusted Certificates'.

(This just adds it for the current user's store. Could also import into the computer store by running mmc, adding the Certificates snap-in, and specifying 'Computer account' as the target.)

3. Restart browser. Go to https://certplusrootcag1-test.opentrust.com/ - it should say the certificate is revoked.

This only works for browsers like IE and Chrome, that use the Windows certificate store. Firefox has its own so would have to be done separately.

Thanks! While I still find this kind of backwards at least something like this exists.

Hmm, I think it's a very elegant design, probably built to precisely address the problem you asked about. Update server manages whitelist, user/admin manages blacklist, which wins. Nice!

I prefer the situation on Linux where I don't have the certificate at all rather than getting the certificate and having to mark it untrusted.

Edit: I'm referring to configuring the package as ca-certificates is installed or via dpkg-reconfigure

Correct me if I'm wrong, but don't several distros come with pre-packaged root CAs?

I think the idea the parent is trying to express is that if the Linux distro (and OS X in this situation) comes with the root certificate trusted by default via ca_root_nss/ca-bundle or whatever the packager decides to name it they can disable it before even connecting to the internet, and if the certificate is not trusted by default then they don't need to worry about it magically getting trusted in the future outside of the simple fact of updating the root certificate store blindly without inspecting it.

Microsoft's approach means that the user would have to go find the certificate on the internet and blacklist it explicitly, which allows a small window where the computer is vulnerable to some kind of attack involving a certificate signed by the unwanted authority.

so does this mean in a year I can make use of my free upgrade and then install a nice prepackaged something that will kill it's capacity to spy on me?

That seems reasonable : CNNIC compromised themselves and were removed from Mozilla and Android root cert stores, Microsoft's root cert store still trusts CNNIC.

e-Guven as well


edit: e-Guven is being removed "due to insufficient and outdated audits" and not a compromise (Couldn't reply below).

e-Guven was never compromised, it just still uses outdated practices like issuing directly from the root and expires in 2017 anyway. I once even caught an 1024-bit DSA cert being issued from this root by mistake.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact