Network World
Wednesday, January 7, 2009

Buzzblog

Microsoft 'silently' restores root certificates that users distrust and remove

Kill off any one of 230 root certificates available under the default configuration of Windows XP Service Pack 2 and the operating system will "silently" revive it and restore the certificate to the trusted status that the user intended to be revoked, according to security expert/blogger Paul Hoffman.

And in Windows Vista you just can't kill them, period.

From a paper Hoffman posted this week:

This prevents a Windows XP SP2 user from declaring a Microsoft-trusted certificate authority as untrusted unless the user turns off the Windows component that controls this feature.

Note: Windows Vista works quite differently than Windows XP SP2 in this regard, and has significant but different problems with Microsoft-trusted root certificates: The user cannot mark them as untrusted.

Hoffman believes these limitations could cause significant problems for some organizations.

"If you are in an organization that needs to delete a root, it is very serious," he tells me. "Few corporations have felt a need for that so far, but it certainly affects government (agencies with strict cryptography rules). It also has a serious effect on corporations that are worried about their competitors who happen to be Microsoft-blessed certificate authorities."

As relates to Vista, the paper explains:

After extensive searching, I could not find a way to remove certificate authorities trusted by Microsoft from Windows Vista. Even if there is a way to do this, there seems to be no equivalent of the Update Root Certificates program that can be turned off. ... This leaves Windows Vista users always having to accept Microsoft's silent updating of their root certificate store.

"The Vista part is definitely worse, even though it is more obvious," Hoffman tells me. "Fortunately, the Vista one is the easier one for Microsoft to fix."

Asked to comment on the paper's conclusions, a Microsoft public relations spokesperson told me, "We don't have any information to share at this time."

In the paper, Hoffman lists a half-dozen example scenarios under which an organization would feel compelled to remove a root certificate, ranging from criminal actions on the part of the CA to a certificate having expired.

The paper also suggests a number of fixes.

"I wrote the security paper because nearly everyone I mentioned the problem to, even my friends at Microsoft, were surprised about how Windows dealt with the root certificates," Hoffman says.

As for whether the situation represents a Windows feature or a bug?

"Unfortunately, I think they did this on purpose, not thinking about the consequences," he says. "It is not a bug, as far as I can tell. There is nothing in the Microsoft documentation that says 'do X' and X is not possible."


Users can not revoke certificates.


"that the user intended to be revoked"
Users can not revoke certificates.
Consider - export and delete then import to untrusted.

This is the “Update Root Certificates” feature: details below


The “silent” restore of root certificates is the by-design effect of the “Update Root Certificates” feature, which is present in Windows XP and beyond.
If you don’t like this feature, simply turn it off:
• In Windows XP and Windows Server 2003 it’s a check box in Add/Remove Windows Components
• In Windows Vista it’s managed by Group Policy (Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings)

Hoffman’s assumption that you can’t remove Trusted Root Certificates in Windows Vista is wrong: it’s true you don’t have the Remove button within the Certificates view in IE in Windows Vista … but you obviously can delete certificates by using a simple MMC (certmgr.msc).

At the end of the following KB article you can find useful references for the “Update Root Certificates” feature in Windows XP/2K3/Vista:

931125 Microsoft root certificate program members (January 2007)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;931125
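
An audit for the behaviour discussed in the article and comments, as an added example that is not part of the original post or its comments: it reports whether automatic root updating is turned off by policy and whether any root an administrator chose to distrust is back in a trusted store. The thumbprints are constructed placeholders, and the registry value name `DisableRootAutoUpdate` is an assumption about how the Group Policy setting mentioned above is stored.

```powershell
# Added example. Thumbprints are constructed placeholders, not real CA certificates.
$DistrustedThumbprints = @(
    '00000000000000000000000000000000000000A1',
    '00000000000000000000000000000000000000B2'
)

function Test-RootAutoUpdateDisabled {
    # Assumption: the Group Policy setting is stored as this registry value
    # (DWORD 1 = automatic root update turned off).
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $prop = Get-ItemProperty -Path $key -Name 'DisableRootAutoUpdate' -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.DisableRootAutoUpdate -eq 1)
}

function Get-RootTrustState {
    param([Parameter(Mandatory)][string[]]$Thumbprints)
    foreach ($tp in $Thumbprints) {
        $tp = $tp.ToUpperInvariant()
        # Stores that confer trust: Root (Trusted Root CAs) and AuthRoot (third-party roots).
        $trustedIn = foreach ($store in 'Root', 'AuthRoot') {
            if (Test-Path -Path "Cert:\LocalMachine\$store\$tp") { $store }
        }
        [pscustomobject]@{
            Thumbprint = $tp
            TrustedIn  = @($trustedIn) -join ','
            # Disallowed is the "Untrusted Certificates" store.
            Disallowed = Test-Path -Path "Cert:\LocalMachine\Disallowed\$tp"
            Restored   = [bool]$trustedIn
        }
    }
}

$autoUpdateOff = Test-RootAutoUpdateDisabled
$report        = @(Get-RootTrustState -Thumbprints $DistrustedThumbprints)
$report | Format-Table -AutoSize

$restored = @($report | Where-Object { $_.Restored })
if (-not $autoUpdateOff) {
    Write-Warning 'Update Root Certificates is not disabled by policy; removed roots can be re-added.'
}
if ($restored.Count -gt 0) {
    Write-Warning "$($restored.Count) distrusted root(s) are present in a trusted store again."
    exit 1
}
```

Run it from a scheduled task with the organization's own list of distrusted thumbprints; a non-zero exit code signals that a removed root has reappeared.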


About Buzzblog

When not blogging, I am a Network World news editor and write the 'Net Buzz column.
