Is there a source that monitors popular root stores for CAs controlled by government agencies?

There are several "root stores" that maintain a list of trusted root CAs. These root stores are imported and used by thousands (millions?) of apps to determine which https certificates are trusted. Their contents have a huge impact on the entire X.509 security infrastructure.

A few examples of such trusted root stores include those maintained by the following organizations:

  1. Mozilla
  2. Microsoft
  3. Apple

Most of the CAs in these root stores are private corporations that issue certificates for customers, such as Verisign. Depending on the policy of the root store maintainer (see links above), the list may also contain CAs controlled by nonprofit organizations or government agencies.

In the past, the maintainers of these root stores have removed CAs' root certs for corporations that had lost control of their root certificates. [8][9] Similarly, there have been several historic controversies with CAs operated by government agencies [10][11], and also with private entities that have been accused of being malicious actors (cyber-mercenaries) on behalf of governments. [12]

I'm especially interested in knowing which Nation States that have been known to initiate cyber attacks (including the use of passive and active MITM attacks) have CAs in these root stores.

Is there a publicly-available list of government agencies that possess root CAs that are listed in popular, trusted root stores?

Michael Altfield
  • also, because subordinate CAs pose the same risks as root CAs, including all subordinate CAs owned by government agencies (whether or not their parent CA is a government agency itself) would be useful – Michael Altfield Jul 01 '20 at 15:30
  • For browsers, the presence of any potentially malicious CA is mitigated (because it becomes permanently visible, the MitM would still happen) through mandatory CT logging of certificates (since 2018). For backend applications that import these stores, I'm not aware of any such policy unfortunately as most TLS frameworks don't easily provide an option for it. – Ginnungagap Jul 05 '20 at 08:29
  • Even if those gov CAs are not in the root stores, some require you to install the CAs manually on your browser in order to be able to file your taxes online – Albert Gomà Oct 18 '20 at 22:22
  • @AlbertGomà Wow, that's terrifying! Can you please provide an example of governments that require you to add their certs to your browser to file taxes? – Michael Altfield Oct 23 '20 at 22:55
  • @MichaelAltfield Spain used to require it some years ago but now I see the [tax agency](https://www.agenciatributaria.gob.es)'s cert is signed by the "Chambers of Commerce Root - 2008" from AC Camerfirma S.A. (the first CA on the built-in Firefox list), a [stakeholder of which](http://camerfirma.pymes.com/camerfirma/) is the Spanish [Higher Council of Chambers of Commerce](https://proad.csd.gob.es/presentacion/entidades-colaboradoras/item/570-consejo-superior-de-camaras-de-comercio) which itself is a **division of the Spanish government**. – Albert Gomà Oct 24 '20 at 14:07
  • @MichaelAltfield I see some [old blogs still have instructions](https://amanecemetropolis.net/navegador-configurado-para-tramites-agencia-tributaria-guia/) on how to install those gov CAs and even the Royal Mint of Spain still has available an old [.exe tool to install their CAs in MS Internet Explorer](https://www.sede.fnmt.gob.es/preguntas-frecuentes/acerca-de-internet-explorer/-/asset_publisher/fVZppcBHj0oa/content/1628-configuracion-para-obtener-o-renovar-el-certificado-con-windows?inheritRedirect=false) – Albert Gomà Oct 24 '20 at 14:20
  • @MichaelAltfield I just realized the Royal Mint of Spain (**F**ábrica **N**acional de la **M**oneda y **T**imbre **-** **R**eal **C**asa de la **M**oneda) now also has its certs in Firefox's built-in list (**FNMT-RCM**) and they are also the [issuers of the certificate of their own website](https://www.fnmt.es/) – Albert Gomà Oct 24 '20 at 15:46
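As an added illustration (not part of the question or of any answer), the script below does the kind of audit the question and the comments point at: it loads the root store that Python's default TLS context trusts on the local machine, counts roots per subject country, and flags any root whose subject matches a watch list of CA owner names. The watch list (seeded with the two CAs named in the comments above) and the name-matching rule are my own assumptions, not a published list of government-controlled CAs.

```python
import ssl

# Constructed watch list: CA owner names mentioned in this thread. Extend as needed.
WATCH_LIST = ["FNMT-RCM", "AC Camerfirma"]


def name_to_dict(rdn_sequence):
    """Flatten the tuple-of-tuples name format that ssl returns for
    'subject'/'issuer' into a plain dict, e.g. {'countryName': 'ES', ...}."""
    out = {}
    for rdn in rdn_sequence:
        for attr, value in rdn:
            out.setdefault(attr, value)  # keep the first value of a repeated attribute
    return out


def flag_roots(certs, watch_list=WATCH_LIST):
    """Return sorted (country, organization, name) tuples for every cert whose
    O, OU or CN contains a watch-list term (case-insensitive).
    `certs` is a list of dicts as returned by ssl.SSLContext.get_ca_certs()."""
    terms = [t.lower() for t in watch_list]
    flagged = []
    for cert in certs:
        subj = name_to_dict(cert.get("subject", ()))
        org = subj.get("organizationName", "")
        ou = subj.get("organizationalUnitName", "")
        cn = subj.get("commonName", "")
        haystack = f"{org} {ou} {cn}".lower()
        if any(t in haystack for t in terms):
            flagged.append((subj.get("countryName", "??"), org, cn or ou))
    return sorted(flagged)


def by_country(certs):
    """Count roots per subject countryName: a quick view of which jurisdictions
    the loaded store trusts. Roots without a C= attribute are counted as '??'."""
    counts = {}
    for cert in certs:
        country = name_to_dict(cert.get("subject", ())).get("countryName", "??")
        counts[country] = counts.get(country, 0) + 1
    return counts


def load_system_roots():
    """Roots the Python default TLS context would trust on this machine."""
    return ssl.create_default_context().get_ca_certs()


if __name__ == "__main__":
    roots = load_system_roots()
    print(f"{len(roots)} roots loaded; per-country counts: {by_country(roots)}")
    for country, org, name in flag_roots(roots):
        print(f"FLAG [{country}] {org} / {name}")
```

Note that get_ca_certs() only lists roots loaded as certificate files, so on systems where OpenSSL reads a hashed directory instead it may return an empty list; the same functions can be fed a list of cert dicts parsed from any other store.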

0 Answers