Microsoft 'silently' restores root certificates that users distrust and remove

Paper posted by security expert contends

Kill off any one of 230 root certificates available under the default configuration of Windows XP Service Pack 2 and the operating system will "silently" revive it and restore the certificate to the trusted status that the user intended to be revoked, according to security expert/blogger Paul Hoffman.


And in Windows Vista you just can't kill them, period.

From a paper Hoffman posted this week:

This prevents a Windows XP SP2 user from declaring a Microsoft-trusted certificate authority as untrusted unless the user turns off the Windows component that controls this feature.

Note: Windows Vista works quite differently than Windows XP SP2 in this regard, and has significant but different problems with Microsoft-trusted root certificates: The user cannot mark them as untrusted.
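The practical question for an administrator reading Hoffman's excerpt is how to notice when a root that was deliberately removed comes back. The PowerShell script below is an added example, not code from Hoffman's paper or from the article: it records a baseline of the machine's Trusted Root store after unwanted roots have been removed, and on later runs reports any root that is present now but was not in the baseline. It also reads the policy value that turns off automatic root updates (`DisableRootAutoUpdate` under `HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot`, the registry form of the "Turn off Automatic Root Certificates Update" policy on later Windows versions; the article itself only mentions the Windows XP SP2 component). The baseline path is an assumption chosen for the example.

```powershell
# Added example (not from Hoffman's paper or the article): detect roots that
# reappear in the LocalMachine Trusted Root store after an administrator removed them.
# Assumes PowerShell with the Certificate provider (Cert: drive).
# $BaselinePath is an assumed location; choose one appropriate to the machine.

param(
    [string]$BaselinePath = "$env:ProgramData\root-store-baseline.xml",
    [switch]$Record
)

function Get-RootStoreSnapshot {
    # One record per certificate in the LocalMachine Root store, keyed by thumbprint.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
            }
        }
}

function Get-RootAutoUpdatePolicy {
    # DisableRootAutoUpdate = 1 is the policy setting that stops Windows from
    # automatically re-adding Microsoft-distributed roots.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $value = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    if ($null -eq $value) { return 'not configured (automatic update enabled)' }
    if ($value.DisableRootAutoUpdate -eq 1) { return 'disabled by policy' }
    return 'enabled'
}

$current = @(Get-RootStoreSnapshot)

if ($Record) {
    # Take the baseline only after the unwanted roots have been removed.
    $current | Export-Clixml -Path $BaselinePath
    Write-Output "Recorded $($current.Count) roots to $BaselinePath"
    return
}

if (-not (Test-Path $BaselinePath)) {
    Write-Error "No baseline at $BaselinePath; run with -Record first."
    return
}

$baseline = @(Import-Clixml -Path $BaselinePath)
$baselineThumbs = @($baseline | ForEach-Object { $_.Thumbprint })

# A root present now but absent from the baseline was (re)added after the baseline
# was taken, whether by the automatic root update component or by something else.
$reappeared = @($current | Where-Object { $baselineThumbs -notcontains $_.Thumbprint })

Write-Output "Automatic root update: $(Get-RootAutoUpdatePolicy)"
if ($reappeared.Count -gt 0) {
    Write-Warning "$($reappeared.Count) root(s) present that were not in the baseline:"
    $reappeared | Format-Table Thumbprint, Subject, NotAfter -AutoSize
} else {
    Write-Output "Root store matches baseline ($($baselineThumbs.Count) roots)."
}
```

Run it once with `-Record` after removing the roots you distrust, then schedule it without the switch. The comparison is by thumbprint only, so it cannot tell a root restored by the update component apart from one an administrator added on purpose; treat the report as a prompt to look at the store's audit trail rather than as proof of silent restoration. On Vista, where the article says removal is not possible at all, the script can only report additions relative to the baseline.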

Hoffman believes these limitations could cause significant problems for some organizations.

"If you are in an organization that needs to delete a root, it is very serious," he tells me. "Few corporations have felt a need for that so far, but it certainly affects government (agencies with strict cryptography rules). It also has a serious effect on corporations that are worried about their competitors who happen to be Microsoft-blessed certificate authorities."

As relates to Vista, the paper explains:

After extensive searching, I could not find a way to remove certificate authorities trusted by Microsoft from Windows Vista. Even if there is a way to do this, there seems to be no equivalent of the Update Root Certificates program that can be turned off. ... This leaves Windows Vista users always having to accept Microsoft's silent updating of their root certificate store.

"The Vista part is definitely worse, even though it is more obvious," Hoffman tells me. "Fortunately, the Vista one is the easier one for Microsoft to fix."

Asked to comment on the paper's conclusions, a Microsoft public relations spokesperson told me, "We don't have any information to share at this time."

In the paper, Hoffman lists a half-dozen example scenarios under which an organization would feel compelled to remove a root certificate, ranging from criminal actions on the part of the CA to a certificate having expired.

The paper also suggests a number of fixes.

"I wrote the security paper because nearly everyone I mentioned the problem to, even my friends at Microsoft, were surprised about how Windows dealt with the root certificates," Hoffman says.

As for whether the situation is a Windows feature or a bug:

"Unfortunately, I think they did this on purpose, not thinking about the consequences," he says. "It is not a bug, as far as I can tell. There is nothing in the Microsoft documentation that says 'do X' and X is not possible."


Copyright © 2007 IDG Communications, Inc.