The "Universal ADB Driver" for Android devices[1] also installs a root CA, however it instead generates the CA during install, signs the driver, deletes the private key, then installs the CA and driver.<p>1. <a href="https://github.com/koush/UniversalAdbDriver" rel="nofollow">https://github.com/koush/UniversalAdbDriver</a>
I am not saddened by this event, but by the fact that such occurrences will only add momentum to the movement to lock down computing devices and take freedom away from their users:<p><a href="https://news.ycombinator.com/item?id=12061320" rel="nofollow">https://news.ycombinator.com/item?id=12061320</a><p>Those worrying about security should remember that device drivers already run in ring 0 and can do anything they damn well please.<p>Thus I say: Good on Savitech for not being afraid to rebel against; and fuckings to the corporatocracy that is certificate authorities and the authoritarian security industry.
Why does Windows allow programs to install root CA certs without separate user intervention (beyond the initial "grant admin permissions" dialog)?
I would honestly be more worried about the root CAs which are enabled by default in the most popular OSes and browsers, with root CA privileges for government of China controlled entities, Turkish government entities and unethical/shoddy root CAs such as Symantec. The Netherlands recently passed a law allowing the government specifically to use false keys and run MITM on crypto, which brings into question all .NL based CAs.
It seems unacceptable to me that the updated drivers do not automatically uninstall the CA. How is an ordinary user meant to navigate the certificate store and delete the CA?
Phrased differently: operating system Microsoft Windows allows silent installation of Root Certificate during installation of unrelated USB driver installation, despite featuring a micro-kernel design.
Can someone explain root certificates to me and why this is an issue? I know they sign certificates with a private key at a high level, but don't get the implications of that generally.
>Microsoft provides guidance on deleting and managing certificates in the Windows certificate store<p>Microsoft should mark these as malicious and quarantine them using their built-in AV. If the end user needs them he can remove them from quarantine. Posting advisories no end user will ever see isn't helping much.
The only version of Windows XP that enforces driver signing is the unicorn 64 bit one, surely they didn't develop the driver for that?<p>And what kind of odds do I get on the certs having a EKU for anything but driver signing?