Self-signed certs unrestricted in Windows XP

From: Andrew Daviel (advax_at_triumf.ca)
Date: 12/14/03

  • Next message: JeiAr: "Multiple DUWare Product Vulnerabilities" 
    Date: Sun, 14 Dec 2003 12:22:57 -0800 (PST)
To: bugtraq@securityfocus.com

    It appears that if a self-signed (test) certificate is installed under
    Windows XP, that it acquires all (or an unreasonable number of) privileges
    by default.

    I was testing a webserver and Java applet which I had signed with
    a self-signed cert (https://andrew.triumf.ca/mterm/)

    I notice that under Windows XP, if I elect to accept the certificate
    permanently, and then go to the Content tab in "Internet Options" in IE,
    that I see my cert is installed under "Trusted Root CAs", and if I click
    Advanced, that it is by default trusted for a large number of purposes
    such as driver verification and time stamping; I can change this (and did)
    under "View->Details->Edit Properties".

    I would have assumed that it would only be trusted for "Server
    Verification" (and for the Java certificate, "Code Signing")

    (In Netscape 4 or Mozilla on Linux, the server cert is installed only as
    an "SSL Server Site", while the Java cert, although installed as a CA,
    does not by default certify network sites, and is not used for local
    functions such as filesystem encryption, software package verification
    etc.)

    Since by default self-signed certs are not trusted, and generate a lot
    of alerts if used, I don't see this a big problem. But on occasion
    someone may use such a cert to provide protection against eavesdropping at
    zero cost, and tell users "if you install the cert you won't get the
    popups every time you connect", without taking the same precautions to
    safeguard the private key as they might otherwise have done.

    (It might be nice to have a mechanism to trust a certificate for
    only one object, but I guess things don't work like that) 

    -- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security@triumf.ca
  • Next message: JeiAr: "Multiple DUWare Product Vulnerabilities"

    Relevant Pages

    • RE: updates after format
      ... if the Microsoft Server is down. ... software you are installing has not passed Windows Logo testing verify its ... When you try to download an ActiveX control, install an update to Windows ... and you do not have the appropriate certificate in your Trusted Publishers ...
      (microsoft.public.windows.mediacenter)
    • Re: Windows Update repeats
      ... You cannot install some updates or programs ... to a Windows component, install a service pack for Windows or for a Windows ... The Microsoft digital signature affirms that software has been tested with ... Publishers certificate store. ...
      (microsoft.public.windowsupdate)
    • Re: Connecting PDA/Phone to Web Services using SSL?
      ... I even used the SslChainSaver tool that Scott(from the Windows ... only the root cert was required. ... make a successful connection to the web service using SSL. ... a Windows 2003 AD domain with Certificate Services installed on the DC. ...
      (microsoft.public.dotnet.framework.compactframework)
    • Re: Certificate Services and Synching with Exchange
      ... Yes, installing the cert and self-signing worked, but only because ... Yes, I had to manually export and install it, but it was trivially ... You export the cert from the MMC to a .cer file. ... Will installing Certificate Services and self-signing a certificate ...
      (microsoft.public.pocketpc.activesync)
    • Re: Terminal Services over a VPN
      ... Create a certificate request and submit it to godaddy in order to obtain a public cert. ... You can use the wizard in IIS Manager for this by creating a new website that matches the above name (on your TS server), right-click and choose properties, directory security tab, server certificate button. ... After the install you can stop or delete the website created above since you don't need it for anything. ...
      (microsoft.public.windows.terminal_services)