Thursday, September 8, 2011

Certificate cleanup for most personal computers

By Susan Bradley

A little Dutch company potentially lets a flood of problems into our Windows machines.

The company is a certificate authority; after its recent break-in by hackers, the certificates protecting Mozilla, Yahoo, WordPress, and other sites are now suspect.

On a daily basis, no matter what our level of paranoia, we trust the companies we work with. … Well, at least our browsers and computers do. Inside every computer, Windows and Mac alike, is a collection of digital certificates, the root certificates, that everyone on the Net has agreed to trust. On Vista and Windows 7 systems, these root certificates are updated automatically through Windows Update. On Windows XP machines, the root-certificate update is an optional update that you have to install yourself.

Companies doing business on the Internet buy certificates from a certificate authority; each such certificate chains up to the authority's root certificate, and that chain is the chain of trust. Because your computer trusts the vendor who provided the root certificate, it automatically trusts every certificate that chains to that root, without ever asking you.

This process is the foundation for secure Web transactions such as shopping on Amazon, online banking, and e-mail.

Many updates after breaks in the chain of trust

Typically, this system works well. But on the rare occasions it fails — when the chain of trust is broken — it can instantly affect thousands of PCs.

Such is the case with that small company in the Netherlands, DigiNotar. Reports from various sites indicate that hackers compromised the firm's servers and generated rogue certificates. In a Kaspersky Lab Securelist blog, lab expert Roel Schouwenberg speculates that as many as 200 rogue certificates were generated before the hack was discovered.

With a rogue certificate in hand, an attacker can make your system think it's talking to a legitimate, trusted site such as Google or Yahoo. The attacker sits between you and the site you intended to use (a man-in-the-middle attack) and presents the rogue certificate; your browser shows the padlock and no warning while the attacker reads everything you send, including your user name and password. Your computer still thinks it's connected to a trusted site.

Fortunately for most of us, this particular attack appears to have targeted Internet users in Iran — it's the only country where these rogue certificates were spotted.

Soon after the breach, browser vendors offered updates that removed the Dutch root-certificate holder from their browsers' list of trusted certificate issuers. An August 29 Chrome Online Security blog reported that Google had disabled the DigiNotar certificate authority in Chrome 13.0.782.218.

The next day, Firefox followed suit in a Mozilla Security blog, announcing the release of numerous updates for Firefox (versions 3.6.21, 6.0.1, 7, 8, and 9), Thunderbird (3.1.13 and 6.0.1), and SeaMonkey (2.3.2) that revoked the DigiNotar root certificate.

On September 6, Microsoft released an out-of-cycle update — KB 2607712 — for Windows 2003, XP, Vista, Windows 7, and Server 2008 that not only removed all DigiNotar root certificates from the trusted list but also moved them to the untrusted-certificate store. If you find any DigiNotar certificates in the Trusted Root Certification Authorities list, I recommend you install KB 2607712.

If you do not see these certificates in your trusted-root store, you probably ignored all previous root-certificate updates, and you can wait until the next Patch Tuesday to install the patch. One caveat: on Vista and Windows 7, Windows fetches root certificates on demand from Windows Update the first time a site presents a chain to them, so a root that isn't listed in the store today can still be downloaded and trusted tomorrow. Installing KB 2607712, which also places the DigiNotar roots in the Untrusted store, is the only way to be sure they can't be.

Manually removing the certificates from XP systems

Windows XP users have the option of deleting the certificates manually or merely looking over the list of installed certificates to see whether the DigiNotar certificates are there. Here's how:

Start by clicking the Start button, then Run, and typing mmc into the Run box, as shown in Figure 1. A window labeled Console1 will open.

Figure 1. Opening the MMC console

Click File, then Add/Remove Snap-in. In the Add/Remove Snap-in box, click the Add button, select Certificates (see Figure 2), and then click Add again.

Figure 2. Adding the Certificates snap-in

Yet another dialog box opens, with three choices. Select Computer account and click Next. Select Local computer (the computer this console is running on) and click Finish. Close the Add Standalone Snap-in box, then click OK in the Add/Remove Snap-in box. That returns you to the certificate-management console.

In the left-hand pane of the console, you should now see Certificates (Local Computer) with a small + next to it. Click on the + to expand your selection. You'll now see numerous folders, starting with Personal and including Third-Party Root Certification Authorities, as shown in Figure 3.

For more information on what folders you might typically see, check out the superuser post, "What are the Windows system certificate stores?" (In my example, the Windows XP system is a client of Windows Home Server and thus has a WHS certificate folder you probably will not see on your XP machine.)

Figure 3. Reviewing the list of certificate stores

Now expand the Trusted Root Certification Authorities folder and click the Certificates folder underneath it. You should see a list of certificates in alphabetical order (see Figure 4). Find any DigiNotar Root CA certificates and remove them (right-click, then Delete). Repeat the check under Third-Party Root Certification Authorities, which is where Windows files roots it downloaded through the root-update mechanism.

An alternative is Internet Explorer: click Tools, Internet Options, the Content tab, and then Certificates. Select the Trusted Root Certification Authorities tab. Find the DigiNotar Root CA entries (there are two in Figure 4), select each one, and click Remove. Click Yes to the warning that removing a root certificate may prevent Windows from working properly. Then click Close and OK.

Figure 4. Removing the DigiNotar certificates
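The same check, scripted, as an added example that is not from the original article and not a Microsoft tool. It assumes Windows PowerShell 2.0 is installed (an optional download on XP SP3; built in from Windows 7 on) and uses the .NET X509Store and X509Chain classes rather than the Cert: drive, because the drive is read-only in PowerShell 2.0. The -Remove and -CertPath parameters are this example's own; the store names Root, AuthRoot and Disallowed are the real ones behind the Trusted Root, Third-Party Root and Untrusted folders in the console. Run it from an elevated prompt if you want it to touch the LocalMachine stores.

```powershell
# Added example, not code from the original article: audit the Windows certificate
# stores for DigiNotar roots, optionally remove them, and show what the removal does
# to a certificate chain. Needs PowerShell 2.0 or later; elevate to edit LocalMachine.
param(
    [switch]$Remove,      # delete matches from the trusted stores (default: report only)
    [string]$CertPath     # optional .cer file to chain-build against the current stores
)

$pattern = 'DigiNotar'   # matched against Subject and Issuer of every certificate

# Real store names: Root = Trusted Root CAs, AuthRoot = Third-Party Root CAs
# (where the root-update mechanism drops downloaded roots), Disallowed = Untrusted Certificates
$trustedStores = 'Root', 'AuthRoot'
$blockedStore  = 'Disallowed'

function Get-MatchingCerts {
    param([string]$Location, [string]$StoreName)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $Location)
    $store.Open('ReadOnly')
    try {
        @($store.Certificates | Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern })
    } finally {
        $store.Close()
    }
}

function Remove-CertFromStore {
    param([string]$Location, [string]$StoreName, $Cert)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $Location)
    $store.Open('ReadWrite')      # fails without admin rights for LocalMachine
    try { $store.Remove($Cert) } finally { $store.Close() }
}

$stillTrusted = 0
foreach ($location in 'LocalMachine', 'CurrentUser') {
    foreach ($storeName in ($trustedStores + $blockedStore)) {
        foreach ($cert in Get-MatchingCerts $location $storeName) {
            $state = if ($storeName -eq $blockedStore) { 'BLOCKED (untrusted store)' } else { 'TRUSTED' }
            "{0}\{1}: {2} [{3}] expires {4} -> {5}" -f $location, $storeName, $cert.Subject, $cert.Thumbprint, $cert.NotAfter.ToShortDateString(), $state
            if ($storeName -ne $blockedStore) {
                $stillTrusted++
                if ($Remove) {
                    Remove-CertFromStore $location $storeName $cert
                    "  removed from {0}\{1}" -f $location, $storeName
                }
            }
        }
    }
}

if ($stillTrusted -gt 0 -and -not $Remove) {
    "$stillTrusted DigiNotar certificate(s) are still trusted: install KB 2607712 or rerun with -Remove"
} elseif ($stillTrusted -eq 0) {
    "No trusted DigiNotar roots found. On Vista/7 roots are fetched on demand, so KB 2607712 is still the real fix."
}

# What the change means for a real chain: once the root is gone (or sits in Disallowed),
# a certificate issued under DigiNotar no longer builds to a trusted root and Build() returns $false.
if ($CertPath) {
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # stay offline; the question is the root, not the CRL
    $trusted = $chain.Build($leaf)
    "Chain for $($leaf.Subject):"
    foreach ($element in $chain.ChainElements) { "  " + $element.Certificate.Subject }
    if ($trusted) {
        "  -> builds to a trusted root; Windows and IE would accept this certificate without a warning"
    } else {
        foreach ($status in $chain.ChainStatus) { "  -> {0}: {1}" -f $status.Status, $status.StatusInformation.Trim() }
    }
}
```

Run it once without switches to get the report, then with -Remove (or install KB 2607712, which is the cleaner route because it also populates the Untrusted store). The chain-build step is the useful sanity check after either: pass it a certificate saved from a site and you see exactly which root the chain ends at, and whether Windows would still accept it.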

If you don't see these two certificates in your trusted-certificate store, it's because you've probably used the "if it ain't broke, don't fix it" rule of updating and thus ignored previous root-certificate updates. (I found one system without the DigiNotar certificate, and when I installed the latest root certificate — KB 931125 — the rogue certificate appeared.)

Think you're safer running the Apple platform? Guess again! Apple also included DigiNotar in its trusted root certificate program. On Mac OS X, removing or distrusting the root is a little more complicated (it's done in Keychain Access); a FairerPlatform blog has the details. Apple will most likely release a patch for its platform soon.

This issue exposes the vulnerable underbelly of trust of certificates, a process we may really need to start questioning. The listing of certificate authorities includes companies from countries that aren't always friendly to one another — and companies that have already been in the news for security breaches. If one small certificate authority in the Netherlands can be used in this type of potential spoofing attack, I hate to imagine what mischief can be done with a larger organization.

Needless to say, I may recommend holding off on future root-certificate updates until they have been examined more closely. In some cases you might be better off editing your existing root certificates rather than blindly adding updates.

Bottom line. If you have the DigiNotar certificate in your trusted-root certificate store, I recommend installing KB 2607712. On XP and Server 2003 systems, this will force a reboot — so plan accordingly. If you do not have the DigiNotar certificate in your trusted-root certificate store, simply wait for the next Patch Tuesday and apply it then.
