
I'm reading about Extended Validation (EV) certificates and have a few questions. From what I understand, EV allows domain owners to pay extra for an especially trusted certificate (that the browser will honor with special display properties) and it requires CAs to do extra steps to verify that the issued certificates are valid. The Microsoft documentation says that domain administrators can add certificates to Internet Explorer that they would like to be viewed as EV (useful for internal applications). My question is, if they can manipulate the EV list in Internet Explorer, what is stopping my domain administrator from doing the same thing as these guys and buying a subordinate root certificate for some outside site and adding it to my IE browser as an EV certificate?

Second question: In Firefox, for example, the list of certificates with EV status is "embedded" in the browser. If I do a custom build of Firefox, can I manipulate this embedded list?

San Jacinto
  • Just a heads up that 'pay more to do extra steps' is a little vague: DV checks that you control a domain (which could be any domain), EV checks the legal entity that you say controls the certificate. – mikemaccana Jan 01 '18 at 22:45

1 Answer

That one is simple: in a Windows domain environment, domain administrators have the capability of doing ANYTHING they want with your machine. In a sense, your machine is more their machine than yours.

That includes, of course, manipulating the certificate store to add (or deny) any kind of trust relationship they want.

That is, to use the usual turn of phrase, a feature and not a bug.

Now, the real question is, of course, "how do I protect myself from a rogue admin?" (or perhaps "who watches the watchers?"). That one is hard to answer (ask the NSA about it).

The simplest way is simply not to allow anyone you can't trust with the domain administrator password. In small shops, that could mean that only the domain owner knows the domain administrator password. It is also typically controlled by contracts and internal rules stating who is allowed to do what, how and under what kind of supervision.

In any case, that's an issue that should not be approached through technological means, at least until you're 100% sure you need it, because the ways to improve on the situation through technical limitations are cumbersome, expensive and far from being 100% efficient.

Stephane
  • Talking just about EV Certificates, how would they manipulate the list of EV Certificates in Firefox or Chrome? – San Jacinto Nov 21 '13 at 21:18
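
The answer above says a domain administrator can add any trust relationship to the machine's certificate store. As an added example (not part of the original question or answer), this PowerShell script labels each trusted root on a Windows machine by the physical store it came from, so roots pushed by Group Policy or published through Active Directory stand out from locally installed ones. It assumes the standard Windows registry locations for those stores and read access to HKLM.

```powershell
# Added example: classify each trusted root by the physical store it was loaded from.
# Assumption: the standard registry locations behind the logical Cert:\LocalMachine\Root store.
$sources = [ordered]@{
    GroupPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    Enterprise  = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
    ThirdParty  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
    Local       = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
}

# Build a thumbprint -> source map. Each registry subkey is named after the
# certificate's SHA-1 thumbprint. Sources are checked in the order above, so a
# certificate present in several stores is reported under the first match.
$origin = @{}
foreach ($name in $sources.Keys) {
    $path = $sources[$name]
    if (Test-Path $path) {
        foreach ($key in Get-ChildItem -Path $path) {
            $thumb = $key.PSChildName.ToUpperInvariant()
            if (-not $origin.ContainsKey($thumb)) { $origin[$thumb] = $name }
        }
    }
}

# Walk the merged (logical) root store and attach the source label to each entry.
Get-ChildItem Cert:\LocalMachine\Root |
    Select-Object @{ n = 'Source'; e = {
                        if ($origin.ContainsKey($_.Thumbprint)) { $origin[$_.Thumbprint] }
                        else { 'Other' }
                    } },
                  Thumbprint, NotAfter, Subject |
    Sort-Object Source, Subject |
    Format-Table -AutoSize
```

Entries labelled GroupPolicy or Enterprise are the ones distributed by the domain rather than shipped with Windows or installed on the machine itself.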