Microsoft 'silently' restores root certs users ax

Delete any one of the 230 root certificates that Windows XP Service Pack 2 trusts in its default configuration and the operating system will "silently" revive it, restoring the certificate to the trusted status the user meant to revoke. And in Windows Vista you just can't kill them, period.

That assessment comes from a recently published paper by security expert Paul Hoffman, who writes: "This prevents a Windows XP SP2 user from declaring a Microsoft-trusted certificate authority as untrusted unless the user turns off the Windows component that controls this feature. … Note: Windows Vista works quite differently than Windows XP SP2 in this regard, and has significant but different problems with Microsoft-trusted root certificates: The user cannot mark them as untrusted."
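
The component Hoffman refers to is the Automatic Root Certificates Update feature, which is what Group Policy calls "Turn off Automatic Root Certificates Update". The script below is an added example, not code from Hoffman's paper or from Microsoft; it shows, on a current Windows host with administrative rights, how to read and set the policy value that disables the re-download, and how to record a distrust decision in the Disallowed store rather than by deleting from Root. The functions, the variable name $AuthRootPolicy and the placeholder thumbprint in the usage comments are assumptions introduced here.

```powershell
# Added example, not from Hoffman's paper or Microsoft documentation.
# Assumes a current Windows host, PowerShell 3 or later, local admin rights.
# Two points: (1) deleting a root from the Root store is not a durable
# distrust decision, because auto-update can put it back; the Disallowed
# store is what CryptoAPI consults to reject a chain outright.
# (2) The Group Policy "Turn off Automatic Root Certificates Update" writes
# the registry value below, which stops the silent re-download.

$AuthRootPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'

function Get-RootAutoUpdateState {
    # 'Disabled' only if the policy value DisableRootAutoUpdate is 1;
    # a missing key means the default (auto-update on).
    $v = Get-ItemProperty -Path $AuthRootPolicy -Name DisableRootAutoUpdate `
                          -ErrorAction SilentlyContinue
    if ($v -and $v.DisableRootAutoUpdate -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-RootAutoUpdate {
    # Caveat: this also stops NEW Microsoft-trusted roots from arriving, so
    # chains ending in a root the machine has never downloaded will fail until
    # you distribute that root yourself (for example through Group Policy).
    if (-not (Test-Path $AuthRootPolicy)) {
        New-Item -Path $AuthRootPolicy -Force | Out-Null
    }
    Set-ItemProperty -Path $AuthRootPolicy -Name DisableRootAutoUpdate -Value 1 -Type DWord
}

function Add-DistrustedRoot {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Copy the root into LocalMachine\Disallowed, then remove it from Root.
    # Chain building checks Disallowed and flags the chain with
    # CERT_TRUST_IS_EXPLICIT_DISTRUST even if auto-update later re-adds the
    # root to the Root store.
    $root = Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $root) { throw "No root with thumbprint $Thumbprint in LocalMachine\Root" }

    $disallowed = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
    $disallowed.Open('ReadWrite')
    try { $disallowed.Add($root) } finally { $disallowed.Close() }

    $rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $rootStore.Open('ReadWrite')
    try { $rootStore.Remove($root) } finally { $rootStore.Close() }
}

function Test-RootDistrusted {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # True when the thumbprint is in Disallowed. Checking that it is absent
    # from Root proves nothing durable, for the reason the article describes.
    [bool](Get-ChildItem Cert:\LocalMachine\Disallowed |
           Where-Object { $_.Thumbprint -eq $Thumbprint })
}

# Usage (replace the placeholder with the SHA-1 thumbprint of the root to distrust):
# Get-RootAutoUpdateState
# Add-DistrustedRoot  -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
# Test-RootDistrusted -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
# Disable-RootAutoUpdate
```

Use the Disallowed store for the distrust decision and treat the policy value as a separate choice: disabling auto-update removes a convenience (and a risk) but also means the machine never learns about roots added after the policy was set, which is acceptable only where an organization already distributes its own root list.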

Hoffman believes these limitations could cause significant problems for some organizations.

"If you are in an organization that needs to delete a root, it is very serious," he tells me. "Few corporations have felt a need for that so far, but it certainly affects government (agencies with strict cryptography rules). It also has a serious effect on corporations that are worried about their competitors who happen to be Microsoft-blessed certificate authorities."

As relates to Vista, the paper explains: "After extensive searching, I could not find a way to remove certificate authorities trusted by Microsoft from Windows Vista. Even if there is a way to do this, there seems to be no equivalent of the Update Root Certificates program that can be turned off. ... This leaves Windows Vista users always having to accept Microsoft's silent updating of their root certificate store."

"The Vista part is definitely worse, even though it is more obvious," Hoffman tells me. "Fortunately, the Vista one is the easier one for Microsoft to fix."

Asked to comment on the paper's conclusions, a Microsoft public relations spokesperson told me, "We don't have any information to share at this time."

In the paper, Hoffman lists a half-dozen example scenarios under which an organization would feel compelled to remove a root certificate, ranging from criminal actions on the part of the certificate authority to a certificate having expired.

The paper also suggests a number of fixes.

"I wrote the security paper because nearly everyone I mentioned the problem to, even my friends at Microsoft, were surprised about how Windows dealt with the root certificates," Hoffman says.

As for whether the situation is a Windows feature or a bug:

"Unfortunately, I think they did this on purpose, not thinking about the consequences," he says. "It is not a bug, as far as I can tell. There is nothing in the Microsoft documentation that says 'do X' and X is not possible."

That would be a feature.

A grab-bag from Buzzblog

More stuff from last week's blogging that may be of interest: A survey by the Pew Internet and American Life Project shows that one in five Americans watch video clips online on any given day; news and humor are the leading subjects; and, a whole bunch of those polled are liars if we are to believe that only 6% have watched "adult" material. … An update: That data thief who tried to hit Disney Movie Club members also targeted Johnson & Johnson customers. … And, we once again follow the Web site travails of Bank of America.

The fun never stops at Buzzblog.


Copyright © 2007 IDG Communications, Inc.