CCleaner Community Forums

microsofts backdoor - perhaps one more reason for firefox


Although I have no problems reading German, I let Google do a translation from German to Dutch, and Google did a decent job translating the article. Far from perfect, but it was "readable".


Here is the Google translation...


Doubtful updates endanger SSL encryption

What does Windows do when it encounters an encryption certificate whose authenticity it cannot check? It does not sound the alarm, but asks Microsoft whether someone there happens to know somebody who is willing to declare the certificate genuine.


The encryption in Windows cannot really be relied upon. Through a largely unknown function, Microsoft - as commissioned by the NSA, say - can push a new certificate into the system at any time, invisibly to the user. Certificates are used, for example, to encrypt https connections, i.e. the transmission of important data, and thus to protect it from eavesdroppers. So that your browser can be sure that it is actually talking to your financial institution at the other end of such an SSL connection, the certificate presented by the bank when the website is called must have been issued by a trusted certificate authority (CA). To check that, every browser has a list of trusted root certificates; Internet Explorer uses that of Windows.


But few people know that the Windows CryptoAPI provides a mechanism that dynamically updates the list of root certificates when one that is needed is not found on the system. Microsoft introduced this "Automatic Root Certificates Update" without fanfare years ago, and it is enabled by default on all Windows versions.


If a server certificate, such as that of https://www.correo.com.uy, claims to have been certified by a certification authority the browser does not know, Windows downloads the file "authrootstl.cab" from the Windows Update server. It contains digitally signed information about further root certification authorities; if the one being sought - for the above host, "Correo Urugayo - Root CA" - is found in the list, its certificate is downloaded and installed in the system's certificate store as a trusted publisher.


Windows does not inform the user of this operation. The import happens hidden in the background, by a system process, for the entire system. So even on a Windows Server 2008 a user without special privileges can anchor a new root CA in the system simply by calling a URL; it can then no longer be removed from the system.


If you think this affects only Internet Explorer and that you are on the safe side with Chrome or Safari, you are wrong. Both browsers use the crypto infrastructure of the operating system - on Windows, therefore, the CryptoAPI - and thus show exactly the same behaviour as Internet Explorer. Only Mozilla maintains its own crypto libraries. Its Network Security Services (NSS) know neither the CA from Uruguay nor a comparable dynamic update mechanism. Consequently, when you call the above URL, Firefox displays a security warning, as expected.


The problem with dynamically reloaded CA certificates is that TLS/SSL encryption can easily be overturned this way. In principle it is thus possible to foist additional certificates on certain people or groups at any time, certificates that allow the encryption to be broken as a man-in-the-middle. With a secretly installed CA certificate, the NSA, say, could read along the entire SSL-encrypted network traffic of a target person. Of course, such a CA could then also compromise S/MIME-encrypted mails or sign Trojans so that they pass as legitimate driver software.


Note that CAs can be installed here selectively and almost invisibly on individual PCs in order to validate given certificates. This is something completely different from documented, publicly available updates to the trust infrastructure, for instance via the global Windows Update mechanism. Microsoft did not answer our question why it also implemented a dynamic reload mechanism.


Which CAs get installed afterwards in this way, you do not know exactly. There is a wiki with a list of certified CAs for Windows 8 [2]; whether it is really complete, one can at best hope. The dynamic list authrootstl.cab currently delivered in Germany contains about 350 CAs. But even if this corresponds to the list in the Microsoft wiki, it is not known whether this list is changed when necessary.


Already, the certificate lists are delivered by the content distribution network Akamai, so it would be no problem to present users in China or Germany with a different list than US citizens. Given the collaboration between Microsoft and the NSA already documented in the context of PRISM, one must assume that such backdoors in encryption functions are used for the collection of information.



In versions of Windows with the Group Policy Editor, you can simply turn off the auto-update of the CA list. The automatic updating of root CAs can be adjusted using Group Policy, which you create in the editor gpedit.msc. On a Windows 8 without the Group Policy Editor, creating a DWord value DisableRootAutoUpdate = 1 in the registry under HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot turns off the unwanted automatic updates of CAs. But it is not quite that easy, because Microsoft ships only a very reduced set of CA certificates with Windows 8. Even calling the website of the Telekom CA, https://www.telesec.de, which Firefox is innately familiar with, will cause an error in IE, Safari and Chrome.


Against any lasting doubts as to whether the SSL encryption in Windows can really offer the expected protection from unwanted eavesdroppers, ultimately only a change of operating system helps. Those who shy away from that can at least switch to Firefox, which comes with its own cryptographic services.


In versions of Windows with the Group Policy Editor, you can simply turn off the auto-update of the CA list.


--> windows explorer

--> c:\Windows\system32

--> gpedit.msc - open

--> navigate to...

--> Administrative Vorlagen (administrative templates)

--> System

--> Internetkommunikationsverwaltung (Internet Communication Management)

--> Internetkommunikationseinstellungen (Internet Communication settings)


--> on the right window...

--> Automatisches Update von Stammzertifikaten deaktivieren (Disable Automatic Root Certificates Update)

--> set on "yes"



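The same policy the steps above set through gpedit.msc can be audited and applied from an elevated PowerShell prompt, and the root store can be snapshotted so that a silently imported root CA shows up as a difference. This is an added example, not code from the forum post or the article; the registry key and value name are the ones the article quotes, while the function names, the baseline file path and the snapshot logic are my own assumptions.

```powershell
# Policy location quoted in the article; absent key/value means the Windows default (auto-update on).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$ValueName = 'DisableRootAutoUpdate'
$BaselineFile = "$env:ProgramData\root-store-baseline.xml"   # assumed path for the baseline snapshot

function Get-RootAutoUpdateState {
    # Returns 'Disabled' when the policy DWORD is 1, 'Enabled' otherwise.
    $value = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($value -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-RootAutoUpdate {
    # Registry equivalent of enabling "Disable Automatic Root Certificates Update" in gpedit.msc.
    # Needs an elevated shell; note that, as the article says, this also blocks legitimate
    # root updates, so sites whose CA is not yet in the local store will start to fail.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-RootStoreSnapshot {
    # Machine-wide trusted roots: this is the store the hidden import writes into.
    Get-ChildItem Cert:\LocalMachine\Root |
        Select-Object Subject, Thumbprint, NotAfter |
        Sort-Object Thumbprint
}

function Compare-RootStoreToBaseline {
    # First run stores a baseline; later runs list roots that were not in it.
    $current = Get-RootStoreSnapshot
    if (-not (Test-Path $BaselineFile)) {
        $current | Export-Clixml -Path $BaselineFile
        return "Baseline written with $($current.Count) roots: $BaselineFile"
    }
    $baseline = Import-Clixml -Path $BaselineFile
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Thumbprint -PassThru |
        Where-Object SideIndicator -eq '=>' |
        ForEach-Object { "New root since baseline: $($_.Subject) [$($_.Thumbprint)]" }
}

# Usage
"Automatic root update is: $(Get-RootAutoUpdateState)"
Compare-RootStoreToBaseline
# Disable-RootAutoUpdate   # uncomment to apply the policy (run elevated)
```

Run the comparison periodically (for example from a scheduled task) so that a root that appeared without a documented Windows Update is reported rather than silently trusted.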
