Articles in Root

The Cons of Turning Off Root Update


What is the Automatic Root Update?

There is a componant built within Windows called the Automatic Root Update.  This componant allows Windows XP computers to contact Microsoft directly so that they can keep an up to date record of the current Trusted Root Certificates.  When Windows XP is installed, it comes preinstalled with the valid root certificates that were trusted at the time of Windows XP's debut.  QuoVadis Root certificates are not automatically in this list as Windows XP was released before QuoVadis was established.  As QuoVadis SSL certificates are trusted by Microsoft, the only way that Windows XP can update its root store to match is through the Automatic Root Update.

Turning Root Update Off

There are times when security settings call to turn off the Automatic Root Update within Windows using Group Policy Objects.  This however will prevent the QuoVadis Root certificates from being installed.

This is not the only downside to turning this setting off.  Microsoft not only updates provide certificates that are trusted, but they also update the list to remove certificates that are no longer trusted.  If a root or intermediate certificate issued by a CA needs to be revoked for security reasons, it's 'detrust' status is also pushed out though the automatic root update.

This means that if you have Automatic Root Update turned off, then you could be potentially trusting bad intermediate and root certificates - which includes all of their issued certificates.

Example 1 - This is a scenario that demonstrates what could happen.

Windows XP includes the following Root Certificate in its Trusted Root Store:

LeafBurn Root Certification Authority

This Root CA certificate issues out code signing certificates which are used to sign Windows applications.

Your Windows Automatic Root Update is turned off due to 'security'.

The LeafBurn Root Certification Authority's key become compromised by a group of hackers.  They find a way to issue a code signing certificate for Microsoft Corporation.  These hackers then create an application that contains malicious code and malware and disguise it to look like a known Microsoft application that your company relies on.  They then sign the application with the code signing certificate they created for Microsoft Corporation.

Microsoft takes note of this and revokes and untrusts the LeafBurn Root Certification Authority certificate from its certicate store.  (As a side note, generally when this happens, Mozilla, Apple, Google and other vendors follow suit).

As your organisation does not automically update their root store, they do not receive this update to untrust the certificate and therefore still trust it.

You manage to get a copy of the malicious software that is disguised at the application that your company uses.  Because you still trust the certificate, when run, it does not display an error and appears to come from Microsoft Corporation.  The application is run where it is free to cause damage.

This is a real scenario of what could happen. Although the LeafBurn CA mentioned above is not a real CA, this scenario has happened before.

Windows Vista, Windows 7 and Windows 8

The certificate store update methods changed slightly with Windows Vista, Windows 7 and Windows 8.  Unlike Windows XP where the certificate store shipped with as many certificates as it could, later versions of Windows ship with only the certificates it requires to operate in the Trusted Root Certificate store.  The Windows Componant named Automatic Root Update is no longer an option and is implemented by default.  Whenever one of these Operating Systems encounters a new certificate, it will contact Microsoft to see if its Root Certificate is trusted.  If it is, then it will install only that Root Certificate silently.  The user is unaware of this transaction.
Important Note: Group Policy Objects can turn off Automatic Root Update for Windows Vista, Windows 7 and Windows 8.