
I've heard many people imply that modern browsers and OSes trust a myriad of root certificates. The implication is that it is impossible to ensure the private keys of all of the root certificates installed on your system are, in fact, in control of trustworthy organizations. The oft-cited trusting of the Hong Kong Post Office root certificate seems to be evidence of rampant growth of the list of trusted root certificates.

I just checked my Windows 8.1 computer's certificate store:

[screenshot of the Windows certificate store]

It seems to show only 46 trusted root certificates from about 20 organizations. Furthermore, there are only a handful I don't recognize and the infamous Hong Kong Post Office is nowhere to be seen. It seems rather manageable to audit a list of root certificates this size.

My questions are:

  1. Is there some other stash of trusted root certificates that Windows and browsers are relying on?

  2. Are there other systems or versions that have/had a much longer list of trusted root certificates?

  3. Did Windows ever trust the Hong Kong Post Office root certificate by default?

alx9r

2 Answers


Since Windows Vista and Windows 7, Windows has an automatic procedure for downloading new root certificates. So, for example, if you connect to https://www.hongkongpost.gov.hk/index.html and Windows does not (yet) have the root certificate, the root will be downloaded from Microsoft if Microsoft thinks the root can be trusted. So to answer your question, it's unclear exactly how many root certificates are in your store, since the store gets updated automagically. For some info, see How Windows updates root certificates. According to this article you can disable this automatic update procedure.

martijnbrinkers
  • I just confirmed this. Going to https://www.hongkongpost.gov.hk/index.html results in `Hongkong Post Root CA1` added to the "Trusted Root Certification Authorities". – alx9r Feb 12 '15 at 15:16
  • Seems equivalent to having one root certificate, which belongs to Microsoft. – user253751 Feb 12 '15 at 18:37
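Because the store can change underneath you, an audit of the list on screen is only a snapshot. The following is an added example (not code from the answer or from Microsoft) that takes a baseline of both Windows root stores via the built-in Cert: provider, lets you trigger a chain build by visiting a site, and then reports any roots that appeared in between; it assumes Windows PowerShell 5.1 or later with no extra modules.

```powershell
# Added example: snapshot the Windows root stores and diff two snapshots so that
# roots pulled in by the automatic root update become visible.
# Assumes the built-in Cert: provider (Windows PowerShell 5.1+); no third-party modules.

function Get-RootStoreSnapshot {
    # Both stores feed the "Trusted Root Certification Authorities" view.
    # Note: the CurrentUser view can also surface machine roots, so counts may overlap.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
    }
}

function Compare-RootStoreSnapshot {
    param(
        [Parameter(Mandatory)] $Before,
        [Parameter(Mandatory)] $After
    )
    # Thumbprint (SHA-1 of the DER certificate) is the stable identity here;
    # Subject strings alone can collide or be re-issued.
    $seen = @{}
    foreach ($c in $Before) { $seen[$c.Thumbprint] = $true }
    $After | Where-Object { -not $seen.ContainsKey($_.Thumbprint) } |
        Sort-Object Thumbprint -Unique
}

# Baseline: how many roots are visible right now, per store.
$before = Get-RootStoreSnapshot
$before | Group-Object Store | ForEach-Object { '{0}: {1} roots' -f $_.Name, $_.Count }

# Trigger a chain build (e.g. open the site from the answer in a CryptoAPI-based
# browser such as IE or Chrome), then re-check.
Read-Host 'Visit the site in a browser, then press Enter to re-check the store'
$after = Get-RootStoreSnapshot
$new = Compare-RootStoreSnapshot -Before $before -After $after
if ($new) { $new | Format-Table Store, Subject, Thumbprint -AutoSize } else { 'No new roots' }
```

Run it from an elevated prompt if you want the LocalMachine store enumerated completely; a root such as `Hongkong Post Root CA1` that was fetched during the visit will be listed in the diff.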

To answer number 3: It is in my list of trusted root certificates (Windows 8.1).

Windows uses the settings you are looking at, and some browsers have their own list, while others depend on the Windows list of trusted roots.

Chrome seems to use the OS: http://www.chromium.org/Home/chromium-security/root-ca-policy

Firefox has its own list: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/

  • Can you tell me exactly where you found the Hong Kong Post Office root certificate? I've checked on both my Windows 7 and 8.1 machines and haven't found it. – alx9r Feb 12 '15 at 14:50
  • In the same MMC view you looked at: Computer store, Trusted Roots. Also in IE, in the list of trusted roots (different UI, same stores). – Erik Oppedijk Feb 12 '15 at 15:31
  • Thanks Erik. It looks like the reason for the discrepancy is that [Windows automatically updates the root certificate store as needed](https://security.stackexchange.com/a/81524/12100). – alx9r Feb 12 '15 at 15:54