Cleaning out my root CAs

[Danielx64]

Hello all,

It started with this post from Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI that talks about your root CAs.

HTTPS/443 needs a root CA on the device to effectively be intercepted. When we run intercepts for corporations as directed to do this via their legal department, we take our self generated RCA and implant it on the PC. Once our self generated RC is installed we can peel apart ALL of their 443 traffic without them having any knowledge of it. Spooks have been known to do this, or exploit an issued CA, etc. Which is why you need to always 'mind the store' with your CA's or you can get into some trouble. I wonder how many people reading this still have the revoked Equifax Trusted Root CA on their PC's? Go check, I bet you do. Which means you aren't minding your CA's.

Does anyone here have any advice on what root CAs that I can remove from my system without any issues? Is there an easy way to find and remove revoked CAs?

Thank you

 

[Cch123]

You can't just remove legitimate root CAs without any potential issues. In order to intercept HTTPS, someone has to install a CA that they control on your PC; it is those certificates that you an remove safely.

 

[Sunshine-boy]

Try:
RCC Download
Sigcheck

 

[Danielx64]

Try:
RCC Download
Sigcheck

Thank you for the links, I downloaded RCC and I did a quick cleanout of my CAs

 

[ForgottenSeer 58943]

You can't just remove legitimate root CAs without any potential issues. In order to intercept HTTPS, someone has to install a CA that they control on your PC; it is those certificates that you an remove safely.

Cch is correct.. Messing with Root Certs is serious mojo. Don't do it unless you know most of the certs or have a validation list. You can manually go through and check for revoked ones still active. Check for inserts CA's, check for revoked ones still there in fully glory (very dangerous), and you should be good.

However, be advised that if you delete the Equifax one, it will return in all of it's revoked glory within a day. You need to leave it there but go in and disable it while leaving it there so it won't re-install over itself with an activated revoked one.

 

[boredog]

ForgottenSeer 58943

How is the Equifax Cert getting on our systems? Do you dissable both certs or just the one?

Thanks

 

[509322]

ForgottenSeer 58943

How is the Equifax Cert getting on our systems? Do you dissable both certs or just the one?

Thanks

Equifax is a Certificate Issuing Authority just like Symantec, COMODO, DigiCert, etc.

Do a clean install of Windows and you will see that root cert is shipped with Windows.

After deleting it, Windows will look up the list of current root CAs and reinstall it. It will keep reinstalling it until that CRL list expires and the certificate authority is removed. Well, guess what, nobody is about to remove Equifax from the list of trusted root certificate authorities.

Revoked certificates can still work as they can (incorrectly) continue to be accepted. For example, if you are using OpenVPN client, then you installed its revoked certificate.

Certificates are not face-value, WYSIWYG, straight-forward common sense. In other words, a revoked certificate is not automatically nor necessarily a "disabled" certificate. At its most basic level, all revocation means is that the trust in the certificate has been withdrawn.

 

[ForgottenSeer 58943]

ForgottenSeer 58943

How is the Equifax Cert getting on our systems? Do you dissable both certs or just the one?

Thanks

If you delete it, it will come back. If you format the system, it will reinstall. It's not properly being revoked and is being left as a trusted and enabled certificate despite the trust being withdrawn. Nobody has a real answer about it that I can find, but you'd better disable them if the trust is revoked, for your own good. To my knowledge, disabling it doesn't break anything. At least nothing I have noticed. GEOTRUST issued those Equifax Certs and has been warning people that if they are left active regardless of the revoke status, you should disable them;

Certification Revocation List – GeoTrust
Certificate Revocation List
The following is a list of certificates which have been revoked, are no longer valid, and should not be relied on by any system user.

 

[boredog]

It also appears GeoTrust Global CA should be dissabled according to the link you posted.

 

[codswollip]

It also appears GeoTrust Global CA should be dissabled according to the link you posted.

I tried this and lost all access to *.google.com sites.
Download Root Certificates - GeoTrust

OTOH, I noticed that those "scoundrels" at Ruiware installed a WinPrivacy certificate, and of course, all settings were checked. So "delete".

 

[boredog]

OTOH, I noticed that those "scoundrels" at Ruiware installed a WinPrivacy certificate, and of course, all settings were checked. So "delete".

Did you delete it or dissable it ? I have WinPatrol WAR and do not see a cert for it. Is it under a different name?

 

[codswollip]

Did you delete it or dissable it ? I have WinPatrol WAR and do not see a cert for it. Is it under a different name?

It was under WinPrivacy". I deleted it. I removed all my Ruiware programs. No no need for a certificate.

 

[boredog]

It was under WinPrivacy". I deleted it. I removed all my Ruiware programs. No no need for a certificate.

Was it located in the trusted cert section because like I say I don't see one at all on my machine. Were you using the paid WinPatrol WAR version?

 

[codswollip]

Was it located in the trusted cert section because like I say I don't see one at all on my machine. Were you using the paid WinPatrol WAR version?

Yes - a trusted cert. I've used all WinPatrol products at one time. If I had to guess this spawned from WinPrivacy, not WAR.