8

When accessing https://internetbanking.caixa.gov.br (site of a well known bank in Brazil), the server returns a certificate signed by "Autoridade Certificadora Raiz Brasileira" (Brazilian Root Certification Authority). This certificate is not in Window's list of trusted certificates before the access, but it appears there after the access.

Here's the exact steps (tested in Windows XP and 8 with IExplorer and Google Chrome):

  • Open Control Panel -> Internet Options -> Content -> Certificates
  • Verify there is no "Autoridade Certificadora Raiz Brasileira" in the list of trusted root or intermediate cerficiates.
  • Close the open windows
  • Access https://internetbanking.caixa.gov.br
  • Verify no warnings, alerts or confirmations appeared (with green padlock nonetheless).
  • Open Control Panel -> Internet Options -> Content -> Certificates again
  • Verify the "Autoridade Certificadora Raiz Brasileira" certificate appeared in the Trusted Root Certification Authorities tab.

How did that happen? Is there a mechanism that allows a user application to force the OS to trust new root certificates without alerts or confirmations?

BoppreH
  • 336
  • 2
  • 11

1 Answers1

2

In the default configuration for Windows XP with Service Pack 2 (SP2), if a user removes one of the trusted root certificates, and the certifier who issued that root certificate is trusted by Microsoft, Windows will silently add the root certificate back into the user's store and use the original trust settings

I guess if you didn't remove it yourself, you can add to the above, " if a trusted root certificate is missing, Windows XP will silently add it.

via http://www.proper.com/root-cert-problem/

mcgyver5
  • 6,874
  • 2
  • 27
  • 47
  • The cert is not present in a clean installation, so it's not an issue of being added back. But the site you linked mention an alternative way, which could be the answer: when you try to validate a certificate that chains to a certification authority that is trusted by Microsoft but it is not in your root store, Windows Vista will silently add that certification authority. Doesn't explain the behavior in the Windows XP machine, but it's a start. – BoppreH Dec 02 '13 at 23:42
  • @BoppreH: Microsoft regularly releases updates to the root certificates through Windows Update: http://www.microsoft.com/en-us/download/details.aspx?id=38918 – cmorse Dec 04 '13 at 02:12
  • 1
    Thanks @cmorse, but this doesn't explain why the certificate only appears the moment the website is visited. – BoppreH Dec 04 '13 at 13:20