Ask HN: RustDesk Installs Chinese Root Certificates
68 points by lobito14 10 months ago | 17 comments
I'm not an expert in security, but I noticed that the Windows version of RustDesk (https://rustdesk.com/), an open-source remote desktop software, installs a Chinese root certificate to the Windows `Trusted Root Certification Authorities` with all purposes enabled. There's a discussion on GitHub (https://github.com/rustdesk/rustdesk/discussions/6444) where one of the maintainers states the certificates are for driver code signing, but doesn't explain why they need to be placed in `Trusted Root Certification Authorities` with all purposes permissions instead of just for code signing. Does anyone more experienced in security have a take on this?



Not a security expert, but this is a huge code smell.

Always be cautious of trusting certs of any kind, especially test/dev certs with top-level privileges lol. Personally I would avoid.

Based on the issue there are too many weak points, and the "response" given didn't seem to care about the vulnerabilities or user concerns, only said why it's needed...

The issue poster was smart in running in a sandbox and comparing files.


Never heard of this repo or library, but in the readme:

"Yet another remote desktop software, written in Rust. Works out of the box, no configuration required. You have full control of your data, with no concerns about security"....

Yikes. Please don't take every repo at face value. Your best bet is to generate your own certs (https://github.com/FiloSottile/mkcert) and sign the DLLs yourself.


Placing a certificate in the Trusted Root Certification Authorities node – despite completely "owning" a machine – is ironically not enough for a certificate to be used for driver code signing as even those need to be cross-signed by Microsoft to be accepted for kernel-mode drivers. I'm not sure this explanation holds any water.

(When it does suffice, the approach has always been to generate a CA certificate on the device itself and install that, generate a cert signed by that CA to sign the code/driver with, then nuke the CA's private keys so they can't be used to sign anything else again. There would be zero need to ever use a real CA here.)


Shame on Windows for just letting an application install a new root without express and ongoing user consent.

This is something the OS should remind the user about with some regularity. It is not reasonable for a user to assume that installing an application is just going to let that application completely switch the trusts on the computer.


Does Windows really not show any warnings at all in such a case? I would assume it does, but I’m not sure.


Windows doesn't show any special warnings for the certificate installation, just the usual UAC prompt.


If a root/admin user installs a root, there is no prompt; if a user does, it is scoped to the individual user profile and a prompt is displayed. No prompt as root would be meaningful, because the root/admin user could just update the configuration without using the API. Long story short, don't give root/admin to applications you don't trust.


Right, but basically all application installers require “root” on Windows.

This is an unfortunate side effect of how installation works on Windows I think.

I really think we need to move closer to requesting permissions to specific things rather than a binary “admin or not”.


I've decided to remove the hosted version of the software I was operating, as well as the client applications from all my devices, until the situation is clarified. An insecure certificate, such as the one RustDesk is utilizing, should not have the extensive permissions it currently holds.


Maybe this app's real purpose is to be malware. Start off as a useful app to gain a large user base (trojan horses). Charge for it too, that makes it seem even more legit, but have a free tier to grow the user base. Then silently turn it into malware.


User asked these questions (https://github.com/rustdesk/rustdesk/discussions/6444#discus...):

    "why this certificate is in root store.
    why this certificate have a validity of 10 years and only use SHA-1.
    why this certificate is different from the DLL one."

RustDesk's answer:

"Frankly, as for 1,2, we do not know either, we are not experts in this field, maybe because it is test cert. As for 3, dll is OV cert, but the driver signing requires EV cert, we do not have EV cert, so we use test cert as a workaround. Someone in HN does not believe we do not have EV, but we really have not. :( But now I think it is time for us to get one."

https://i.ibb.co/bHjMYWH/2024-02-08-00h41-11.png
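The three traits quoted above (root store placement, 10-year validity, SHA-1) and the machine-wide versus per-user scoping described earlier can be checked locally. This is an added audit snippet, not code from the thread, from RustDesk, or from Microsoft; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and the thresholds and the "test" subject heuristic are my own choices.

```powershell
# Added example: walk both Trusted Root stores and flag certificates with the
# traits discussed in the thread. Thresholds are assumptions, not Windows defaults.
$MaxValidYears = 5
$WeakSigAlgs   = @('sha1RSA', 'md5RSA', 'sha1ECDSA')
$EkuOid        = '2.5.29.37'   # Enhanced Key Usage extension

function Test-RootCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Store
    )
    $issues = @()
    $alg = $Cert.SignatureAlgorithm.FriendlyName
    if ($WeakSigAlgs -contains $alg) { $issues += "weak signature algorithm ($alg)" }

    $years = ($Cert.NotAfter - $Cert.NotBefore).TotalDays / 365.25
    if ($years -gt $MaxValidYears) { $issues += ('validity {0:N1} years' -f $years) }

    # A root with no EKU extension is trusted for every purpose. This reads the
    # certificate's own extension; the per-store "Enable all purposes" override
    # that certmgr.msc displays is a store property and is not inspected here.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    if (-not $eku) { $issues += 'no EKU restriction (all purposes)' }

    # Heuristic (assumption): WDK/dev certs usually carry "test" in the subject.
    if ($Cert.Subject -match 'test') { $issues += 'subject looks like a test cert' }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            Store      = $Store
            Subject    = $Cert.Subject
            Thumbprint = $Cert.Thumbprint
            NotAfter   = $Cert.NotAfter
            Issues     = ($issues -join '; ')
        }
    }
}

# LocalMachine\Root is what an admin-level installer writes to; CurrentUser\Root
# is the per-user store that prompts on install.
$results = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store | ForEach-Object { Test-RootCert -Cert $_ -Store $store }
}
$results | Sort-Object Store, Subject | Format-Table -AutoSize -Wrap
```

Expect many legitimate public roots to trip the validity and SHA-1 checks on their own (a root's self-signature is not what protects it), so the useful signal is a certificate that matches several checks and whose subject you do not recognise.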


This is not acceptable. I would avoid this application, at all costs.

You should never install a root certificate from someone, unless you want them to be able to silently MITM any TLS connection from your machine.


Some Discord users claim that the certificate required to sign the video driver is a Windows WDK certificate and not a Chinese one. However, the administrative details on the certificate are in Chinese, and there are concerns about the certificate's location and its permissions. Additionally, there are opinions that a code signing certificate is costly, but I disagree. Given their size, they can afford to spend $290 on an EV certificate (https://signmycode.com/ev-code-signing).


If it really was a certificate from Microsoft, why would it not be bundled with Windows?


I don't know, but the certificate I found under Trusted Root Certification Authorities was set to "Enable all purposes for this certificate," which definitely shouldn't be the case.


Oh lighten up, it's memory safe! /sic




Sounds like ChatGPT



