[cabfpub] Draft Zurich F2F Meeting agenda
Richard Wang
richard at wosign.com
Wed Apr 8 01:42:06 UTC 2015
Thanks for such detailed information.
The reason I raise this problem is that most banks in China install their own root into the Windows trusted root store while installing the USB Key CSP, but the user key certificate doesn't have an EKU limit, so the user can use this cert to sign malware whose signature is trusted by Windows. This is a big security problem.
Another problem is that trusted signed malware modifies the local hosts file and installs its own root into the trusted root store, then redirects to the fraudulent bank site, but the browser doesn't show a warning.
This is why I suggest browsers and Windows should not trust manually installed roots.
Best Regards,
Richard
From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Wednesday, April 8, 2015 9:24 AM
To: Richard Wang
Cc: Dean Coclin; public at cabforum.org
Subject: Re: [cabfpub] Draft Zurich F2F Meeting agenda
On Tue, Apr 7, 2015 at 5:51 PM, Richard Wang <richard at wosign.com> wrote:
Does anyone think this problem needs to be discussed at the next F2F meeting?
There are two parts to this proposal
1) Browsers should not trust manually installed roots
2) Browsers should detect local resolver modifications
To both problems, I'd point you to this FAQ about Chrom[e/ium]'s security model - http://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-
That is, if you can manually install a root in Windows, it generally requires administrative access. To install a root in Firefox, you just need user-level access (since the root store is just a file next to Firefox). No browser can reasonably defend against a model in which any mitigations can easily be patched away.
Similarly, to modify the resolver, you require administrative privilege. If you have that privilege, you can already modify whatever mitigations the browser may have.
Microsoft's Security team put together a helpful discussion about computer security principles, which they aptly named the "Ten Immutable Laws of Security". You can find them here - https://technet.microsoft.com/en-us/library/hh278941.aspx
For this problem, Immutable Laws 1, 2, and 6 all apply.
Hopefully this provides a further understanding about the reasoning when I say that there is no interest from us on this topic. Respecting a device's configuration, even when that configuration might be done by a "hostile administrator", is, to us, working as intended - in that it is the administrator's device to configure as they wish.
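The thread above turns on two local-configuration facts: which roots are in the Windows trusted root store and whether an end-entity certificate carries an EKU restriction. The following PowerShell script is an added example, not code from either participant or from the CA/Browser Forum; it audits those facts on a Windows host from an administrator's side (Ryan's point being that an administrator, not the browser, owns this configuration). It assumes an elevated Windows PowerShell session, the standard AuthRoot registry path and X.509 OIDs, and a `$KnownGoodRoots` baseline that is a placeholder you must fill from a known-good image, since Windows' own built-in roots and enterprise PKI roots are also absent from AuthRoot.

```powershell
# Added example, not part of the original thread. Audits a Windows host for the two
# conditions discussed above: (1) roots in the machine trusted root store that were not
# delivered by Microsoft's AuthRoot program, and (2) end-entity certificates in the
# user's personal store that carry no EKU restriction (or that permit code signing).
# Also lists active hosts-file entries, the resolver override mentioned in the thread.

# Placeholder baseline (assumption): thumbprints of roots you expect beyond AuthRoot,
# e.g. Windows' built-in Microsoft roots and enterprise roots pushed by Group Policy.
$KnownGoodRoots = @(
    # 'THUMBPRINT-PLACEHOLDER-FILL-FROM-KNOWN-GOOD-IMAGE'
)

# Microsoft-distributed third-party roots are recorded under AuthRoot, keyed by thumbprint.
$AuthRootPath = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
$AuthRootThumbprints = @()
if (Test-Path $AuthRootPath) {
    $AuthRootThumbprints = (Get-ChildItem -Path $AuthRootPath).PSChildName
}

function Get-UnexpectedRoots {
    # Roots in the merged LocalMachine\Root view that are neither AuthRoot-delivered nor
    # in the baseline are candidates for manual installation (e.g. by a CSP installer).
    Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {
        ($AuthRootThumbprints -notcontains $_.Thumbprint) -and
        ($KnownGoodRoots -notcontains $_.Thumbprint)
    } | ForEach-Object {
        [PSCustomObject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            Store      = 'LocalMachine\Root'
        }
    }
}

function Get-UnconstrainedUserCerts {
    # A certificate with no EKU extension is valid for every purpose, so it can sign code.
    # Flag those, plus certificates whose EKU lists anyExtendedKeyUsage or codeSigning.
    $CodeSigning = '1.3.6.1.5.5.7.3.3'
    $AnyEku      = '2.5.29.37.0'
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert   = $_
        $reason = $null
        # .NET surfaces OID 2.5.29.37 as X509EnhancedKeyUsageExtension in the collection.
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (-not $ekuExt) {
            $reason = 'no EKU extension (valid for all purposes)'
        } else {
            $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
            if ($ekuOids -contains $AnyEku) {
                $reason = 'EKU includes anyExtendedKeyUsage'
            } elseif ($ekuOids -contains $CodeSigning) {
                $reason = 'EKU includes codeSigning'
            }
        }
        if ($reason) {
            [PSCustomObject]@{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Reason     = $reason
            }
        }
    }
}

function Get-HostsOverrides {
    # Any active (non-comment, non-blank) hosts entry is a local resolver override to review.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts | Where-Object { $_ -match '^\s*[^#\s]' }
}

Write-Output '== Roots not delivered by AuthRoot and not in the baseline =='
Get-UnexpectedRoots | Format-Table -AutoSize
Write-Output '== Personal certificates without a usable EKU restriction =='
Get-UnconstrainedUserCerts | Format-Table -AutoSize
Write-Output '== Active hosts file entries =='
Get-HostsOverrides
```

The root check is a differencing exercise rather than a verdict: without a baseline, the built-in Microsoft roots will appear in the first table, which is why the script insists on a known-good list. The EKU check encodes the point in Richard's message directly, since an end-entity certificate that omits the extension entirely is the one Authenticode will accept for code signing.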