Microsoft quietly pushes 17 new trusted root certificates to all Windows systems

The aging foundation of Certificate Authorities shows yet another crack as security experts are caught unaware

Microsoft quietly pushes 17 new trusted root certificates to all Windows systems

Microsoft is under no obligation to notify you or ask your permission before placing a new trusted root certificate on your Windows PC. That said, just last year Microsoft was caught in the embarrassing position of yanking 45 bogus certificates issued under the root certificate authority of the government of India's Controller of Certifying Authorities. Transparency in distributing new trusted root certs is a good thing.

A certificate expert who goes by the Twitter handle @hexatomium said in an article on GitHub over the weekend that Microsoft started pushing the new trusted root certificates earlier this month to "all supported Windows systems." It isn't clear how the root certs were pushed, but he does say Microsoft "did not announce this change in any KB article or advisory."

I can confirm, at least in my experience, that this is true: There doesn't appear to be any notification about the new root certs anywhere that I can find.

The names attached to the certs raise more than a few eyebrows:

GDCA TrustAUTH R5 ROOT         CN

S-Trust Universal Root CA      DE

Notarius Root CA               CA

Certplus Root CA G1            FR

RXC-R2                         US

Swedish Government Root CA v2  SE

CCA India 2015                 IN

MULTICERT Root CA 01           PT

Certplus Root CA G2            FR

OpenTrust Root CA G3           FR

OpenTrust Root CA G2           FR

OpenTrust Root CA G1           FR

GlobalSign Root CA - R6        US

Tunisian Root CA - TunRootCA2  TN

CCA India 2014                 IN

WoSign ECC                     CN

WoSign G2                      CN

The RXC-R2  US certificate has conspiracy theorists reaching for their space blankets, because nobody has heard of RXC-R2.

A Hacker News firestorm has ensued. Poster Mojah hits the nail on the head with his summary:

I think this demonstrates 2 very major problems with SSL Certificates we have today:

1. Nobody checks which root certificates are currently trusted on your machine(s).

2. Our software vendors can push new Root Certificates in automated updates without anyone knowing about it.

Mattias Geniar goes into detail about the ongoing problems with root certificates in his blog:

This just goes to show how fragile our system of trust really is. Adding new Root Certificates to an OS essentials gives the owner of that certificate (indirect) root privileges on the system.

It may not allow direct root access to your machines, but it allows them to publish certificates your PC/server blindly trusts.

This is an open door for phishing attacks with drive-by downloads.

Was this a willful attempt to secretly push new root certs on all Windows PCs, or just another Microsoft documentation glitch?

It'll be interesting to see the response from the 'Softies.

Copyright © 2015 IDG Communications, Inc.