Certificate Manager

RonH
SilverLounger
Posts: 2059
Joined: 02 Mar 2010, 16:53
Location: An Aussie in Norway

Certificate Manager

Post by RonH »

certmgr.msc brings up a long list of 'approved certificates'.
I understand that such certificates are assigned by a certificate authority. With the recent publicity about Lenovo and Superfish's 'self-signed' root security certificate, is there a way to determine which certificates are necessary, can be trusted and which are not? Or do we just accept 'what is'.
Thanks
Ron
CYa Ron
W11 pc, Android toys.
The only reason we have the 4th dimension of Time is so that everything does not happen at once.

Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: Certificate Manager

Post by Argus »

It is difficult. Over time (as they are gathered using the net) and depending on region and country, it can probably vary. There are quite a few in a new installation of Windows 7, as you know, and Windows does update the root certificates sometimes. In short: if a computer is connecting to a site and stumbles on a new root certificate, it downloads an updated Certificate Trust List (CTL) from Microsoft; if the root certificate is on the list, it will be downloaded and installed. The best way, as far as I know and understand, apart from the OS checking, is to keep an eye on updated news on Internet security, such as in this case.

See some explanations here:
https://support2.microsoft.com/kb/931125
Windows Vista and Windows 7
Root certificates on Windows Vista and later versions are distributed through the automatic root update mechanism. That is, they are distributed through the root certificate. When a user goes to a secure website (by using HTTPS SSL), reads a secure email message (S/MIME), or downloads an ActiveX control that is signed (code signing), and then encounters a new root certificate, the Windows certificate chain verification software checks Microsoft Update for the root certificate. If the software finds the root certificate, the software downloads the current Certificate Trust List (CTL). The CTL contains the list of all trusted root certificates in the program and verifies that the root certificate is listed there. Then, it downloads the specified root certificate to the system and installs the certificate in the Windows Trusted Root Certification Authorities Store. If the root certificate is not found, the certificate chain is not completed, and the system returns an error.

To the user, a successful root update is seamless. The user does not see any security dialog boxes or warnings. The download happens automatically. In addition, for Windows Vista and later versions, client SKUs support weekly pre-fetching from Microsoft Update to check for updated root certificate properties (for example, extended validation (EV), code signing, or server authentication properties [that is, certificate properties that are added to a root certificate]).
On this page you can find a PDF with a list of Certification Authorities who are members of the Windows Root Certificate Program as of September 2014. Absence of any doesn't mean that they have to be there; just that one hasn't stumbled on one yet.

http://social.technet.microsoft.com/wik ... r-cas.aspx

Stuart recently posted information in the Security and Backup forum about certificates that should not be there.
Check your certificate store

The link in his post mentions this page for root certificates that are required by the OS to operate correctly.
https://support2.microsoft.com/kb/293781?wa=wsignin1.0

Speaking of Superfish: one should also uninstall PrivDog if one is unfortunate enough to have it installed (since it installs a Man-in-the-Middle (MITM) proxy and a trusted root CA certificate).
Byelingual: When you speak two languages but start losing vocabulary in both of them.

RonH
SilverLounger
Posts: 2059
Joined: 02 Mar 2010, 16:53
Location: An Aussie in Norway

Re: Certificate Manager

Post by RonH »

Thanks Argus for your very comprehensive post and for the link to Stuart's ... I missed that one. A bit of a look through my certificates does not show any of the listed problems, so I guess it's best not to tamper with them. I will rely on Microsoft, who over many years have never landed me with significant problems.

I will keep an eye on the security news bulletins.
Ron

Jay Freedman
Microsoft MVP
Posts: 1320
Joined: 24 May 2013, 15:33
Location: Warminster, PA

Re: Certificate Manager

Post by Jay Freedman »

Something mentioned in KB 293781 is worth noting:
Some certificates that are listed in the previous tables have expired. However, these certificates are necessary for backward compatibility. Even if there is an expired trusted root certificate, anything that was signed by using that certificate before the expiration date requires that the trusted root certificate be validated. As long as expired certificates are not revoked, they can be used to validate anything that was signed before their expiration.
On my Windows 7 PC, for example, I see two Microsoft certificates that expired in 1999 and two VeriSign certificates that expired in 2004. Don't assume that it's safe to delete them! They are required.
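Argus's advice to check the certificate store and Jay's warning not to delete expired roots can be combined into one inventory script. The following is an added example, not code from the thread or from Microsoft; it assumes a Windows version whose certutil supports `-generateSSTFromWU` (to pull Microsoft's current root list from Windows Update) and treats a root that carries its own private key on the machine as the primary red flag, since that is what a local MITM proxy such as Superfish or PrivDog needs in order to mint certificates on the fly.

```powershell
# Added example (not from the thread). Inventory the Trusted Root stores and
# flag roots that (a) are not in Microsoft's current root program list and/or
# (b) have a private key present on this machine. A genuine public CA root
# never ships with its private key; a local interception proxy must.
# Assumption: certutil supports -generateSSTFromWU (newer Windows builds) and
# the machine can reach Windows Update the first time this runs.
param(
    [string]$BaselineSst = "$env:TEMP\roots.sst"
)

if (-not (Test-Path $BaselineSst)) {
    # Downloads Microsoft's current trusted root list into an .sst file.
    certutil.exe -generateSSTFromWU $BaselineSst | Out-Null
}

# Load Microsoft's list and index it by SHA-1 thumbprint for fast lookup.
$baseline = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$baseline.Import($BaselineSst)
$known = @{}
foreach ($c in $baseline) { $known[$c.Thumbprint] = $true }

$now = Get-Date
$report = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    foreach ($cert in Get-ChildItem $store) {
        [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            # Not in Microsoft's list is a prompt to investigate, not proof of
            # malice: enterprise CAs pushed by Group Policy land here too.
            InMsProgram   = $known.ContainsKey($cert.Thumbprint)
            # Expired roots may still be needed to validate old signatures
            # (KB 293781); expiry alone is not a reason to delete.
            Expired       = $cert.NotAfter -lt $now
            # A root whose private key is on this box is the real red flag.
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}

# Show the suspects first: carrying a private key, then unknown to Microsoft.
$report |
    Sort-Object @{Expression = 'HasPrivateKey'; Descending = $true},
                @{Expression = 'InMsProgram'; Descending = $false} |
    Format-Table Store, Subject, InMsProgram, Expired, HasPrivateKey -AutoSize
```

Run it from an elevated Windows PowerShell prompt so the LocalMachine store is readable; anything with HasPrivateKey set to True deserves a look at which installed program put it there before you decide what to do with it.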

RonH
SilverLounger
Posts: 2059
Joined: 02 Mar 2010, 16:53
Location: An Aussie in Norway

Re: Certificate Manager

Post by RonH »

Good point Jay, thanks for this.
With so many 'flags' being placed on our devices nowadays, it's really impossible to keep up with everything. You start spending more and more time 'investigating' rather than 'doing' the things for which you purchased the device. Every time apps are updated or new ones installed on my Android tablet/phone, the demands for access to just about everything on the device are way over the top. If you don't accept, then you don't get the app.
Ron