  antdude A Ninja Ant Premium,VIP join:2001-03-25
| MS restores root certificates that users distrust and remove
»www.networkworld.com/community/node/17703
"... Kill off any one of 230 root certificates available under the default configuration of Windows XP Service Pack 2 and the operating system will "silently" revive it and restore the certificate to the trusted status that the user intended to be revoked, according to security expert/blogger Paul Hoffman.
And in Windows Vista you just can't kill them, period..." -- Ant @ The Ant Farm: »antfarm.ma.cx ... Please do not IM/e-mail me for technical support. Use the forum (I check often)! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer. |
|
  mers2 Premium,MVM join:2004-03-20 USA clubs:
·AT&T U-Verse
| Leave it to MS to continue to defy users' wishes and operate on the notion that they own your computer, not you.  -- Team Discovery
|
|
 Mele20 Premium join:2001-06-05 Hilo, HI
2 edits | reply to antdude I don't use Vista so I can't speak to how it works in Vista but in XP Pro this is not a problem and I suspect it isn't in Vista either.
Why kill it? That is not the proper way to handle a cert you no longer want to use for certain purposes or use at all. Of course you can't actually get rid of the cert! You can't do that in Fx either. Fx will silently put it right back. Frank Hecker (MoFo Foundation director) explained it all in a classic NG post to me some time ago.
You also don't need to kill update root certs. The correct thing to do is to DISABLE the use of the cert, not try to remove it. That is easy to do in both IE and Fx but is confusing as heck in Fx, and there is a bug (345934) filed on it by Frank Hecker; it will be fixed in 3.0, I believe (I haven't checked the bug file in a while). If update root certs runs, that is fine. You have the cert already, so no need to worry about update root certs adding it again. Even if it did, you still have it disabled.
I think this guy just wanted some attention. MS should have told him to get lost (at least as far as XP goes, and I bet Vista too... somebody with Vista, can you disable the cert?).
Am I missing something? I'm no expert like this guy who wrote this up but it looks to me that he missed the boat. You don't try to delete root certs from any browser (and in IE's case from Windows). You instead disable certain functions of a cert or disable it entirely.
edit: correct wrong spelling of Frank Hecker's name -- "The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
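An added example, not part of the thread, of the "disable, don't delete" advice above in PowerShell on Windows 8/Server 2012 or later. Rather than the certificate's "Disable all purposes" property, it copies the root into the Disallowed ("Untrusted Certificates") store, which CryptoAPI consults ahead of Root/AuthRoot, so the verdict holds even if the root update program puts the root back; it then proves the point by building a chain. The thumbprint is a placeholder for whichever root you mean, and the registry value at the end is the documented "Turn off Automatic Root Certificates Update" policy.

```powershell
# Added example (not from the thread): explicitly distrust a root without
# deleting it, then verify that chain building fails. Run elevated.
#Requires -RunAsAdministrator
param(
    # Assumed placeholder: SHA-1 thumbprint of the root you want to distrust.
    [string]$Thumbprint = 'REPLACE_WITH_ROOT_THUMBPRINT'
)

# 1. Find the root in the machine-wide Root store (the thread's "windows root
#    certificate store"). AuthRoot holds the copies the root update program
#    maintains, so search both.
$root = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
    Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1
if (-not $root) { throw "No root with thumbprint $Thumbprint in Root/AuthRoot" }
$root | Format-List Subject, Issuer, NotAfter, Thumbprint

# 2. Record the verdict instead of deleting: an entry in Disallowed makes
#    CryptoAPI treat the certificate as explicitly distrusted no matter what
#    Root or AuthRoot contain.
$disallowed = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Disallowed', 'LocalMachine'
$disallowed.Open('ReadWrite')
$disallowed.Add($root)     # no-op if already present
$disallowed.Close()

# 3. Verify: a chain built for the root itself no longer succeeds
#    (status ExplicitDistrust on current frameworks).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($root)
"Chain builds: $built"
$chain.ChainStatus | ForEach-Object { "  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }

# 4. Optional: stop the automatic root update program (the policy used on
#    Vista and later; XP SP2 instead removes the "Update Root Certificates"
#    Windows component).
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name DisableRootAutoUpdate -Value 1 -Type DWord
```

The same distrust can be applied from a plain command prompt with `certutil -addstore Disallowed root.cer`, and undone by removing the entry from Disallowed; nothing here touches the Root store itself, which is the whole point.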
|
  swhx7 Premium join:2006-07-23 Elbonia
·RoadRunner Cable
1 edit | Of course it's a problem. You may be satisfied to disable certs, but it's not for you to say that it should suffice for everyone else. If an operating system interferes with the hardware owner's control of the software, that's a defect.
It's also a security issue because the dialog deceptively appears to remove a cert, and the user may then rely on a reasonable belief that it was removed.
And it does appear that Microsoft must have some anti-user purpose. If they didn't mean it to be deceptive, they would have the dialog tell the user that root certs can't be removed. Or at least they would have omitted the fake removal interface.
I really try not to jump to the kind of conclusions that people call paranoid, but Microsoft keeps straining credulity with their explanations of things like this. The MS spokesman's refusal to comment also makes a poor impression of candor or good will to Windows users.
If Hector's NG post refutes my assessment, or Hoffman's paper does, please give us a link or copy the text here, or at least explain the argument.
----------------------
OK, it's Hecker not Hector and the Bugzilla thread gives some insight. »https://bugzilla.mozilla.org/show_bug.cg···d=345934
The argument for disabling rather than deleting is that it's better to have it still there and marked as untrusted, because it records your verdict on that cert, rather than leaving you to make a new decision without trace of your previous decision about that cert, the next time it's offered or called for.
The bug page also explains about UI problems in Moz browsers. The only explanation of inability to delete is in Nelson Bolyard's post #10: "it makes no sense to offer to delete things from a read-only token". |
|
  javaMan Premium,MVM join:2002-07-15 San Luis Obispo, CA
| said by swhx7 :Of course it's a problem. You may be satisfied to disable certs, but it's not for you to say that it should suffice for everyone else. If an operating system interferes with the hardware owner's control of the software, that's a defect. I think your expectations are too high. No one except the developer has complete control over the software they use. We all use software within the limits of how the software is designed to function.
It's also a security issue because the dialog deceptively appears to remove a cert, and the user may then rely on a reasonable belief that it was removed.
This is certainly a good argument and one that ought not be dismissed. -- Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20 |
|
  AB Premium join:2006-04-04 Leesburg, VA
| reply to swhx7 said by swhx7 :. . OK, it's Hecker not Hector and the Bugzilla thread gives some insight. »https://bugzilla.mozilla.org/show_bug.cg···d=345934 The argument for disabling rather than deleting is that it's better to have it still there and marked as untrusted, because it records your verdict on that cert, rather than leaving you to make a new decision without trace of your previous decision about that cert, the next time it's offered or called for. . . . And suppose the user deleted it specifically so that a new decision COULD be made the next time it's offered or called for? That's just too bad, or what? (Hypothetical/rhetorical question.) |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| And suppose the user deleted it specifically so that a new decision COULD be made the next time it's offered or called for? That would have been rather foolish of the user, given that Microsoft has never offered certificates for users to select. It has always installed them as part of the distributed system, and installed them with trust values selected by Microsoft.
Sure, a user can disable a certificate. But a user has never been informed that a new certificate was in the system store. -- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.4 |
|
  AB Premium join:2006-04-04 Leesburg, VA
| said by nwrickert :And suppose the user deleted it specifically so that a new decision COULD be made the next time it's offered or called for? That would have been rather foolish of the user, given that Microsoft has never offered certificates for users to select. It has always installed them as part of the distributed system, and installed them with trust values selected by Microsoft. Sure, a user can disable a certificate. But a user has never been informed that a new certificate was in the system store. Umm, maybe I'm misunderstanding you, or misunderstanding the situation, but if you had deleted a certificate, and had disabled the 'don't prompt for certificate' in Internet Options, wouldn't you be prompted about that certificate the next time it came around? |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| The "don't prompt for certificate" is entirely different, and not related to the CA certificates.
This option is for when you have one or more personal certificates, and the web site requests that you provide a certificate (usually for authentication to that site). The "don't prompt" tells your browser to select what it deems to be the most appropriate certificate and use that. Disabling that option means that you would be prompted to select a certificate in such a case. |
|
  AB Premium join:2006-04-04 Leesburg, VA
| said by nwrickert :. . a user has never been informed that a new certificate was in the system store. The "don't prompt for certificate" is entirely different, and not related to the CA certificates. . . . So if a new CA certificate needs to be put onboard, how does that happen? You say you wouldn't be prompted through the browser, but many networking & security experts know exactly what's coming into their machines at all times-- certificate or otherwise, I would suspect. So if you're not prompted, and you need/want the certificate on your machine, how does it get there?
Or are you saying there's no situation where a new CA certificate would be needed? |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| So if a new CA certificate needs to be put onboard, how does that happen? Three possible ways (at least): 1: The new certificate arrives from Microsoft as part of a Windows update (root certificate update); 2: You are provided with url to install the certificate. When you click on that link, you will go through a series of prompts as to whether to add the new certificate. 3: You are provided with a file, and while examining certificates you use the "import" function to add the certificate from that file. Again, you will go through a series of prompts.
Note that only the first choice adds this to the Windows root certificate store. The other two methods add this to the user root certificate store, and if you have multiple accounts on your Windows system, that certificate will have to be added separately for each account that needs it. |
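An added example, not from the thread, showing the machine-wide versus per-user distinction nwrickert describes in PowerShell terms (Windows 8/Server 2012 or later). `Cert:\LocalMachine\Root` is seen by every account on the box and needs an elevated prompt to write; `Cert:\CurrentUser\Root` is seen only by the account that imported into it. The certificate path is an assumed placeholder.

```powershell
# Added example (not from the thread): import a CA certificate into either
# the machine-wide or the per-user Root store and show which accounts see it.
# Command-line equivalents:  certutil -addstore Root my-ca.cer        (machine, elevated)
#                            certutil -user -addstore Root my-ca.cer  (current user only)
param(
    [string]$CaFile = 'C:\certs\my-ca.cer',   # assumed path to a DER or Base64 .cer
    [ValidateSet('LocalMachine', 'CurrentUser')]
    [string]$Scope = 'LocalMachine'
)

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaFile

# Open the Root store at the requested scope and add the certificate.
# LocalMachine requires administrator rights; CurrentUser does not, but
# Windows shows a consent dialog before a root lands in a user store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', $Scope
$store.Open('ReadWrite')
$store.Add($ca)            # no-op if the same certificate is already present
$store.Close()

# Report where the thumbprint is now visible. A LocalMachine entry shows up
# for every account; a CurrentUser entry only for this one, which is why a
# per-user import has to be repeated per account.
foreach ($loc in 'LocalMachine', 'CurrentUser') {
    $hit = Get-ChildItem "Cert:\$loc\Root" | Where-Object Thumbprint -eq $ca.Thumbprint
    '{0,-13} Root: {1}' -f $loc, $(if ($hit) { 'present' } else { 'absent' })
}
```

Running it unelevated with `-Scope LocalMachine` fails at `Open('ReadWrite')` with an access-denied error, which is the practical reason a non-administrator's imports end up in the per-user store.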
|
 OZO Premium join:2003-01-17
| said by nwrickert :Note that only the first choice adds this to the Windows root certificate store. The other two methods add this to the user root certificate store, and if you have multiple accounts on your Windows system, that certificate will have to be added separately for each account that needs it. What do you mean by "windows root certificate store" in comparison to "user root certificate store"?
The Certificates dialog box shows the following categories of certificates:
• Personal
• Other People
• Intermediate Certification Authorities
• Trusted Root Certification Authorities
• Trusted Publishers
• Untrusted Publishers
I can add my CA certs to "Trusted Root Certification Authorities" and all users will use them. -- Keep it simple, it'll become complex by itself... |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| What do you mean by "windows root certificate store" The collection of certificates installed with the operating system, updated by Windows update, and visible to all users.
in comparison to "user root certificate store"? The certificates installed by a user as part of the certificates dialog, and visible only to the account that installed them.
I can add my CA certs to "Trusted Root Certification Authorities" and all users will use them. I would like to know how. I install my own CA certificate, and it is only visible to the account that installed it. Even if I am an administrator when I install it, another account cannot see it unless it separately installs the same certificate. |
|
OZO Premium join:2003-01-17 | In order to be a CA, a certificate should be self-signed. Is that the case? |
|
 Mele20 Premium join:2001-06-05 Hilo, HI
| reply to swhx7 Yes, the moment I looked at this thread today before I saw your post I thought "ugh... I can't even get Frank Hecker's name right". I should have double-checked last night... I did go and find the bug # at least. I have to get my mind off Kaspersky and chkdsk... that issue has been consuming way too much of my time and energy here and at other forums on the net.
I certainly am not a big Microsoft defender...I get flamed regularly here for my "anti-Microsoft" attitude. I certainly think both Microsoft and Mozilla should write better help regarding certs as this is an area where users, including myself, are confused and not just about this specific issue. An active Microsoft blog regarding certs would be helpful especially if it allowed interaction from users.
Here's Hecker's reply to me about this same sort of behavior in Fx. »www.mail-archive.com/dev-securit···090.html |
|
  caedmon
@cox.net
| reply to OZO quote: In order to be CA a certificate should be self-signed. Is it the case?
No, a CA cert does not have to be self-signed. It should (maybe must) contain some fields with values specific to a CA, but only a root CA cert is self-signed. Sub-CA certs are not self-signed. |
|
 Mele20 Premium join:2001-06-05 Hilo, HI
| Sub certs... IE calls those "intermediate"... at least I think those are what you are referring to. Fx doesn't have any "intermediate" ones, and when a user has Fx or any additional browser besides IE and its shells, it becomes very confusing to understand cert behavior in various browsers as well as cert behavior in Windows. (For instance, adding a root cert in IE/Windows usually means simply doing a root cert update from WU or going to the site issuing the new cert and getting the root cert update there, like with Comodo recently... but revocation information... how does one have that be up to date? IE complains constantly about the revocation list not being up-to-date. I don't know how to fix that. Fx doesn't seem to mind though. All very confusing, and this is just ONE example of how confusing the entire area of certs can be. Adding the new Comodo root cert to Fx meant taking it from IE after I got the update at Comodo and adding it that way.) |
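An added example, not from the thread, for two points raised above: caedmon's distinction between a self-signed root CA, a sub-CA and a certificate that carries no CA fields at all, and Mele20's question of how to tell whether revocation information for a chain is actually reachable. It reads the Basic Constraints and Key Usage extensions that a CA certificate is expected to carry, classifies the file, and optionally hands it to `certutil -verify -urlfetch`, which walks the chain and fetches every CRL/OCSP URL on it, reporting which fetch failed. The file path is an assumed placeholder.

```powershell
# Added example (not from the thread): classify a certificate file as root
# CA, intermediate CA or end-entity, and optionally check chain + revocation.
param(
    [string]$Path = 'C:\certs\some-ca.cer',   # assumed path to a DER or Base64 .cer
    [switch]$CheckRevocation
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

# Basic Constraints (OID 2.5.29.19) is the field that makes a certificate a CA.
# .NET decodes it into X509BasicConstraintsExtension, so the flag is a property.
$bc   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
$isCa = [bool]($bc -and $bc.CertificateAuthority)

# Key Usage (OID 2.5.29.15) on a CA should include keyCertSign.
$ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
$keyCertSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign
$canSign = [bool]($ku -and (($ku.KeyUsages -band $keyCertSign) -ne 0))

# Self-signed means issuer and subject are the same name. Only roots are;
# an intermediate is a CA certificate issued by some other CA.
$selfSigned = ($cert.Subject -eq $cert.Issuer)

$kind = 'end-entity (not a CA)'
if ($isCa) { $kind = if ($selfSigned) { 'root CA' } else { 'intermediate CA' } }

[pscustomobject]@{
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    IsCA        = $isCa
    KeyCertSign = $canSign
    SelfSigned  = $selfSigned
    PathLength  = if ($bc -and $bc.HasPathLengthConstraint) { $bc.PathLengthConstraint } else { 'none' }
    Kind        = $kind
    NotAfter    = $cert.NotAfter
} | Format-List

# Revocation: certutil builds the chain to a trusted root and fetches each
# CRL/OCSP URL along it, printing the status of every fetch. A root that is
# self-signed has nothing above it to revoke it, so the check only matters
# for intermediates and end-entity certs.
if ($CheckRevocation) {
    certutil.exe -verify -urlfetch $Path
}
```

A certificate that reports `IsCA = False` does not belong in either Root store regardless of who issued it; an intermediate belongs in the "Intermediate Certification Authorities" (CA) store, not Root, and only a self-signed CA is a trust anchor.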
|
 OZO Premium join:2003-01-17
| reply to caedmon You're correct, but my post was a reply to the question of how to put your own CA cert into the "Trusted Root Certification Authorities" group. |
|
  swhx7 Premium join:2006-07-23 Elbonia
·RoadRunner Cable
| reply to antdude Here's a post in the above thread that explains about: root and sub certs; where they are stored in the software; how certificate issuers themselves get certified; problems of users controlling root certs; and more: »www.mail-archive.com/dev-securit···095.html
The ultimate argument for how it's handled amounts to a sort of "users are dummies and must be protected from themselves, and from phishers who would take advantage if users had control over root certs".
Obviously this will remain unacceptable to the rare users who know what to do, but it is valid for 99%. The misleading interface is a more prominent problem. |
|
 daveinpoway Premium join:2006-07-03 Poway, CA | reply to antdude To me, the fact that the deleted stuff will be "revived" without telling the user is more serious than the fact that it will be revived. If something is going to be done to my computer (and it is mine, not Microsoft's), at least tell me about it! |
|