Microsoft Windows Root Certificate Security Issues

Removing a default root certificate from Windows XP may be pointless because that certificate seems to be automatically added as a trusted certificate again, according to security expert Paul Hoffman.

In the default configuration for Windows XP with Service Pack 2 (SP2), if a user removes one of the trusted root certificates, and the certifier who issued that root certificate is trusted by Microsoft, Windows will silently add the root certificate back into the user's store and use the original trust settings. This prevents a Windows XP SP2 user from declaring a Microsoft-trusted certification authority as untrusted unless the user turns off the Windows component that controls this feature.

Note: Windows Vista works quite differently than Windows XP SP2 in this regard, and has significant but different problems with Microsoft-trusted root certificates: the user cannot mark them as untrusted. The differences between the two versions of Windows are covered in the last section.

Paul McNamara comments on the situation:

Asked to comment on the paper's conclusions, a Microsoft public relations spokesperson told me, "We don't have any information to share at this time."

In the paper, Hoffman lists a half-dozen example scenarios under which an organization would feel compelled to remove a root certificate, ranging from criminal actions on the part of the CA to a certificate having expired.

The paper also suggests a number of fixes.

"I wrote the security paper because nearly everyone I mentioned the problem to, even my friends at Microsoft, were surprised about how Windows dealt with the root certificates," Hoffman says.

As for whether the situation represents a Windows feature or a bug?

"Unfortunately, I think they did this on purpose, not thinking about the consequences," he says. "It is not a bug, as far as I can tell. There is nothing in the Microsoft documentation that says 'do X' and X is not possible."

Microsoft Windows Root Certificate Security Issues - [Proper Publishing]

Originally posted on Fri Jul 20, 2007

Comments

Robert(2014-12-13)

Hi Joey, You should contact Microsoft directly if you are having problems, or at least post the errors or problems you are having so others can try to help.

Joey Lantigua(2014-12-13)

Dear MS: I currently have two website issues that I cannot see on my IE7 explorer. In addition, I am on Windows XP SP3. The certificate issues are with Chase.com and wellsfargo.com. Need assistance on what to look for in order to restore both these sites. I would appreciate your assistance. Thank you.