Microsoft’s Silly Root Certificates
I trust Apple for their usage of cryptography and in implementing it on their operating systems and devices. Overall, Apple has a long track record in using secure enclaves on their devices and has generally advanced digital trust with the latest cryptographic methods. Personally, I do not rate Microsoft highly at all for its digital trust and in the implementation of cryptography. To me, Microsoft is often years behind the rest of the industry when it comes to the usage of state-of-the-art cryptography methods.
So, I might be wrong, but I think Microsoft is adding root CA (Certificate Authority) digital certificates on the fly from the Cloud. This is not good practice and could cause a great deal of problems and become an attack vector. This is especially a problem for air-gapped systems. Other applications, such as for Python, will not trigger a download of trusted root certificates, so it could break some Python programmes. Amongst other strange things, Microsoft also seems to add expired root CA certificates to their new installations of Windows, too.
Just so that you understand the importance of digital certificates, let’s investigate where they are used.
For this, an X509 certificate contains the public key of Bob, and where Bob will sign for data or software with his private key, and then Alice will check the signature using Bob’s public key (and which is taken from the digital certificate). Every digital certificate requires a certificate path that takes it to a root CA (Certificate Authority). Without a root CA, we should not trust the certificate.
Strange certificates in TRCA (Trusted Root Certificate Authority)
I’ve installed Windows 11 on Parallels on my Mac, and I’m really surprised with its usage of root certificates. A particular problem seems to be that several root certificates expired many years ago:
As we see, we have one that goes back to 1999:
It is likely that Microsoft has some legacy software that needs the public key contained on these certificates, and that this software must ignore the expectation that will be caused by using it. This SHOULD NOT HAPPEN!
I may be wrong, but Microsoft does not have the best track record in dealing with cryptography, and there have been many examples of poor implementation.
Another thing that is strange, is that when we install a fresh Windows 11 system, there are only 17 root certificates installed. This will not cover all of the core root CAs. It seems that Windows uses a CTL (Certificate Trust List) within the Windows Update. Users must thus enable Updates, otherwise they are likely to get many warnings on untrusted root certificates:
A current list of trusted root certificates is [here]:
Microsoft Edge, too, checks its own CLT list, and then add next ones to the TRCA (Trusted Root Certificate Authority).
One of the longest expiry times is for DigiCert, and which expires in 2046:
This is a 4K RSA public key:
Some PowerShell code to download the current trusted certificates and check them is here:
# list taken from https://learn.microsoft.com/en-us/security/trusted-root/participants-list
# THANK YOU @ASwisstone https://x.com/ASwisstone ! :)
$content = $null
$content = (Invoke-WebRequest https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFTCSV).Content
if (!$content)
{
Write-Host 'Cannot download list of certs. Exiting.' -ForegroundColor Red
}
else
{
$legitCerts = ($content -join '' | ConvertFrom-Csv).'SHA-1 Fingerprint'
#Grab local certs:
$machineRootCerts = dir Cert:\LocalMachine\Root
$userRootCerts = dir Cert:\CurrentUser\Root
#analyze
$allRootCerts = $machineRootCerts + $userRootCerts
$diffCerts = $allRootCerts | Where-Object {$_.Thumbprint -notin $legitCerts}
#display
if ($diffCerts.Count -eq 0)
{
Write-Host 'All your certs are present on the list.' -ForegroundColor Green
}
foreach ($cert in $diffCerts)
{
Write-Host (($cert.PSPath -split '::')[1]+"`t"+$cert.Issuer) -ForegroundColor Red
}
}