11

I noticed that some applications installed root certificates on my computer.

  • Is it possible to prevent this?
  • Or is there a firewall or such that notifies me?
StackzOfZtuff
  • 17,923
  • 1
  • 51
  • 86
Rápli András
  • 2,144
  • 1
  • 11
  • 24
  • 2
    what OS? I'm not sure about firewall rules, but I reckon this could be done with a script easily enough. – Jay Apr 04 '16 at 07:53
  • 3
    Please see [ask] and [The perfect question](http://codeblog.jonskeet.uk/2010/08/29/writing-the-perfect-question/). – Tobi Nary Apr 04 '16 at 07:54
  • 3
    What applications did install root certificates? – techraf Apr 04 '16 at 08:19
  • 1
    Why does it matter? – Rápli András Apr 04 '16 at 08:35
  • 1
    How about restricting access to the trust store to the admin? It should be that way anyways, so @techraf has a good point: If any application does so, it would've to run with admin priviliges. – Tobi Nary Apr 04 '16 at 10:05
  • 1
    It's an interesting question. I read about a special type of malware which manipulates some network settings like proxy and DNS as well as the certificate storage of a system and kills itself after it's done. A third party can now MITM most of the traffic but there's no malware on the system. – Noir Apr 10 '16 at 22:23
  • Related question: [*What if the Local Windows Cert Store is Compromised?*](https://security.stackexchange.com/questions/94131/what-if-the-local-windows-cert-store-is-compromised/94658) – StackzOfZtuff Apr 14 '16 at 09:01
  • Related question: [*How can you check the installed Certificate Authority in windows 7/8?*](https://security.stackexchange.com/questions/48437/how-can-you-check-the-installed-certificate-authority-in-windows-7-8/108237) – StackzOfZtuff Apr 14 '16 at 09:01

2 Answers2

1

Windows Environments.

Background

Windows servers that have internet connectivity reach out to CA servers and automatically update Trusted Root Authority certs, CTL, STL and Revoked certificates. This occurs in the background and requires zero input or interaction from the user.

Why control it?

Many government environments like to shut this setting off as it's all about control. For instance when the Dell's eDellRoot CA certificate was first shown to be a vulnerability - Microsoft didn't revoke it right away. It took a few days before it ended up on any Untrusted or Revoked list. So many in the security field feel as though they can react faster by controlling the lists themselves. Many reduce the threat as soon as they find out through various channels as opposed to waiting for Microsoft teams deeming something unsafe.

How to control it?

To turn off Automatic Root Certificates Update via Local Group Policy Editor:

  • Click Start, and then click Run.

  • Type gpedit.msc, and then click OK.

  • If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  • Under computer configuration, Double-click Administrative Templates, double-click System, double-click Internet Communication Management, and then click Internet Communication settings.
  • Double-click Turn off Automatic Root Certificates Update, click Enabled, and then click OK.
  • Close the Local Group Policy Editor.

Note that doing it this way is safer than turning off Automatic Updates. Because you still want other security patches to be applied. (Assuming you have an internet connection.)

mumbles
  • 390
  • 1
  • 2
  • 12
0

If you know the directory where root CAs are installed, then you could adjust the permissions for writing to that directory. If you set that directory to only be readable and not writeable, then you would prevent installation of new certificates.

Also, you could set up an alert system that would notify you when anything in that directory changes. This way, you could allow new CAs to be installed, and you would be able to check up on the changes to verify them.

This can all be done in Linux/Unix/BSD/Mac operating systems.