How can I protect myself against software installing insecure root certificates?

Question

With the recent news that Dell installed a root certificate with a publicly accessible private key on their notebooks, I'm wondering how I can protect myself against this kind of incompetence. Of course I can't fully protect myself against actually malicious attacks by the vendor if I execute their binaries, but I would like to be notified if any program installs a root certificate that compromises my security.

Doing a clean Windows installation is something I do anyway, but as far as I know this wouldn't help in this case as the certificate was added by Dell software. And I probably need to install at least some Dell software for the drivers. I'd also like to prevent certificates from other sources to be installed without my knowledge.

Is there an easy way to verify if any root certificates are installed that aren't the default ones that come with Windows?

About drivers, most of them can directly be downloaded from the device's manufacturers (Nvidia, Intel, etc), and not only do you get updated versions (most OEMs never bother putting updated drivers on their support pages) but these hardware manufacturers have no incentive in embedding OEM crap in their drivers, so you should be safe. — André Borie, Nov 24 '15 at 07:44
IMHO, Microsoft needs to do something about this - they should make it part of their Windows OEM terms and conditions that manufacturers do not mess with root certificates or CAs. — JonnyWizz, Nov 24 '15 at 08:34
@JonnyWizz apparently there are EU anti-trust laws that prevent Microsoft from telling OEMs what to do and what not to do. Just like the cookie law, here's yet another example of why politicians do more harm than good in IT. — André Borie, Nov 24 '15 at 08:44
Related question: Check root certificates and certificate authorities on new PC — StackzOfZtuff, Nov 24 '15 at 09:50
Dell seems to install more than one root cert with private key. Besides "eDellRoot" there's also "DSDTestProvider" that is installed by the Dell System Detect software as shown here: https://youtu.be/DYLYG76o55c — x457812, Nov 24 '15 at 15:36
Possible duplicate of Reset Windows trusted certificates store to its default — Pablo A, Mar 28 '19 at 17:20

score 3 · Answer 1 · answered Nov 25 '15 at 22:22

There isn't a completely sure way.

The best option I can think of is to check the certificate store before and after running software installs. If a new root CA is installed, consider your computer compromised, publicly post about the issue, and reformat.

There is inherently a lot of trust involved in installing software as the installer is given fairly broad rights on your system. Post-install app usage is not such a concern unless the app systemically uses UAC elevation to gain superuser privileges.

This is a very old problem. Ken Thompson's Turing Award Lecture Reflections on Trusting Trust was back in the ever appropriate year of 1984.

How can I protect myself against software installing insecure root certificates?

1 Answers1

Linked