Could merely visiting a web site push a root CA as trusted onto my PC?

4

This is a follow-up question to this other question, which is about Google's decision to start distrusting a specific Symantec Root CA certificate. Microsoft, on the other hand, has not (yet) made any decision about that Root CA certificate, and it is still present on my Windows 7 machine.

Update: Here's a picture of the Root CA certificate from my machine. The Thumbprint here is the same as the MD2 Version Fingerprint (SHA-1) on the Root CA certificate published by Google in their blog post:

74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2

[Image: Root CA Cert that Google plans not to trust]

Let's say that I delete the certificate from my PC but then later on I browse (using, say, IE v.11) to some website that identifies itself using that certificate.

Can the simple act of browsing to that site cause the certificate to be pushed to my "Trusted Root CA" certs?

SherlockEinstein

Posted 2015-12-19T00:22:22.233

Reputation: 165

No. If you place the certificate in the Windows certificate store in a way indicating you don't trust it, that will override the ability for Chrome to trust it; likewise, Google can actually choose to specifically not trust it despite the fact you do trust it, since Chrome handles certificate revocation differently than IE or Edge on Windows. – Ramhound – 2015-12-19T15:09:34.117

Thanks @Ramhound for pointing that out. I had considered that as an option (because it was suggested in the answers to my linked question) but I wanted to check what might happen if I outright deleted the certificate instead. – SherlockEinstein – 2015-12-19T15:22:01.310

What would happen depends on whether you also delete the root CA which signed the Symantec CA. – Ramhound – 2015-12-19T15:24:17.503

@Ramhound, the Symantec CA in this question is the root CA (it does not have any other certs above itself in the cert chain). So this question is specifically about deleting that root CA. – SherlockEinstein – 2015-12-19T15:29:36.537

Must be a different certificate, because I recall questions about a Symantec CA cert but it wasn't the top root. But yes, just like Chrome, Windows itself has a list of trusted and untrusted certificates, and you can specifically indicate not to trust it if you move it to the machine's untrusted list; removing it would not result in it not being trusted, though. – Ramhound – 2015-12-19T15:30:44.730

@Ramhound, thanks for your input, moving it to the untrusted certs list is probably the best option. – SherlockEinstein – 2015-12-19T15:48:45.447

Answers

6

Absolutely. As this root certificate is part of the Windows Trust List, the mere act of browsing to such a site (even as a non-admin user) would cause the certificate to be automatically and silently added to your machine trust store. See this blog post for more info and a test site: http://hexatomium.github.io/2015/08/29/why-is-windows/

John Blatz

Posted 2015-12-19T00:22:22.233

Reputation: 176

As an aside, as nicely explained in the linked blog: this is not limited to Microsoft browsers, but also happens when using Chrome on Windows. – Arjan – 2016-01-25T09:40:00.387
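Added example, not from this thread or from the linked blog: a PowerShell script (run from an elevated prompt) that reports whether the root with the thumbprint quoted in the question sits in the machine or user Root store or in the Disallowed store, whether the "Turn off Automatic Root Certificates Update" policy is set, and, following the suggestion in the question's comments, copies the root into Disallowed so that the silent fetch described in this answer cannot re-trust it. The function names are the example's own; the thumbprint is the one from the question.

```powershell
function Get-RootTrustState {
    param(
        # SHA-1 thumbprint, colons optional (default: the Symantec root from the question)
        [string]$Thumbprint = '74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2'
    )
    $tp = ($Thumbprint -replace '[:\s]', '').ToUpperInvariant()
    $inRoot       = Get-ChildItem Cert:\LocalMachine\Root       | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
    $inUserRoot   = Get-ChildItem Cert:\CurrentUser\Root        | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
    $inDisallowed = Get-ChildItem Cert:\LocalMachine\Disallowed | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
    # The Group Policy "Turn off Automatic Root Certificates Update" writes this value;
    # when it is absent, Windows fetches missing Trust List roots on first use.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Thumbprint        = $tp
        TrustedMachine    = [bool]$inRoot
        TrustedUser       = [bool]$inUserRoot
        Disallowed        = [bool]$inDisallowed
        RootAutoUpdateOff = ($policy -ne $null -and $policy.DisableRootAutoUpdate -eq 1)
        Certificate       = $inRoot   # $null if the root has not (yet) been installed
    }
}

function Add-RootToDisallowed {
    param([Parameter(Mandatory = $true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Disallowed wins over Root: a certificate present in both is not trusted, and a
    # copy that the automatic root update later drops into Root stays blocked.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($Certificate) } finally { $store.Close() }
}

$state = Get-RootTrustState
$state | Format-List Thumbprint, TrustedMachine, TrustedUser, Disallowed, RootAutoUpdateOff
if ($state.TrustedMachine -and -not $state.Disallowed) {
    # Block it instead of deleting it, so a later silent re-install cannot restore trust.
    Add-RootToDisallowed -Certificate $state.Certificate
    Get-RootTrustState | Format-List Disallowed   # should now read True
}
```

If the root was already deleted from Root, load it from the .cer file first (for example with `New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('path\to\root.cer')`) and pass that object to Add-RootToDisallowed.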

0

If we ignore the possibility of some malware infecting your system and adding the cert, or of you manually clicking on a certificate warning and adding the cert,

then the answer is no. Browsers do not automatically add Root certificates to your certificate store while browsing. That would be a huge security problem.

Root Certs are normally added by either

  • Browser updates
  • OS updates.

Zoredache

Posted 2015-12-19T00:22:22.233

Reputation: 18 453

In case you missed it: see John's new answer. – Arjan – 2015-12-19T08:53:52.753

Windows does this. And it's counter intuitive. See John's answer below. – StackzOfZtuff – 2015-12-19T09:03:13.203