How to disable trusted root certificates
As part of my testing of how many trusted root certificates I need for my day-to-day activities, I needed to ensure I don’t trust any certificate authorities. There is a great post by Nelson Bolyard to one of Mozilla’s security mailing lists which explains why one should not delete CA certificates, but rather disable them. The main takeaway is that there is a big difference between the statements “I don’t know you” (if you remove the certificate) and “I know you and I don’t trust you” (if you disable the certificate). Some browsers also handle these two errors differently.
The different browsers store certificates differently. IE, Chrome, and I believe Safari as well (haven’t tested it) on Windows use the OS built-in certificate infrastructure, while Firefox uses its own certificate storage. As such, here are the steps you need to take for the two different cases:
IE, Chrome (Safari?)
You need to run the certmgr.msc utility (either through Start->Run/Search or from a command prompt). This will launch the UI used to manage the certificate stores in Windows for the current user.
The “Third-Party Root Certification Authorities” store holds all the trusted third-party CAs. You will find either a fairly small set of them if Windows hasn’t downloaded the full list yet, or quite a few of them once the full list has arrived. To disable root certificates, select the ones you want, drag them to the “Untrusted Certificates” store and drop them under its “Certificates” subfolder. This instructs the certificate infrastructure in Windows not to trust these certificates. The result is that even though copies of the certificates may exist in other stores, operations relying on them will fail. The “Untrusted Certificates” store trumps all others, so you don’t have to worry about forgetting a copy of a certificate somewhere else.
Keep in mind that doing this in Windows will affect all programs that use SSL/TLS and certificates. I’ve broken my twitter client for example by removing all CAs from the trusted list : ).
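The same operation can be scripted for the current user. The following PowerShell is an added example, not code from the original post: it looks up roots by thumbprint in the “Trusted Root” and “Third-Party Root” stores (`Root` and `AuthRoot` in the store API), copies them into “Untrusted Certificates” (`Disallowed`), which is exactly what the drag-and-drop in certmgr.msc does, and then builds a chain for a site certificate so you can see the resulting error. The thumbprints and the `site.cer` path in the usage lines are placeholders, and the original copies are deliberately left in their stores so the failure is “I know you and I don’t trust you” rather than “I don’t know you”.

```powershell
# Added example (not from the original post). Distrusts root CAs for the
# current user via the Untrusted Certificates ("Disallowed") store and shows
# how chain building reports the distrust afterwards. Thumbprints and file
# paths below are placeholders; nothing refers to a specific real CA.
using namespace System.Security.Cryptography.X509Certificates

function Get-RootsToDistrust {
    # Return the user's root certificates whose SHA-1 thumbprint is listed.
    # Both "Root" (Trusted Root CAs) and "AuthRoot" (Third-Party Root CAs)
    # are searched because Windows may keep the same root in either store.
    param([Parameter(Mandatory)][string[]]$Thumbprints)
    $wanted = $Thumbprints | ForEach-Object { $_.Replace(' ', '').ToUpperInvariant() }
    foreach ($name in 'Root', 'AuthRoot') {
        Get-ChildItem -Path "Cert:\CurrentUser\$name" |
            Where-Object { $wanted -contains $_.Thumbprint }
    }
}

function Add-ToDisallowed {
    # Copy each certificate into CurrentUser\Disallowed. The copies in the
    # other stores stay put on purpose: the Untrusted store wins over every
    # other store, and removing a root instead would only produce an
    # "unknown issuer" error rather than an explicit distrust.
    param([Parameter(Mandatory)][X509Certificate2[]]$Certificates)
    $store = [X509Store]::new([StoreName]::Disallowed, [StoreLocation]::CurrentUser)
    $store.Open([OpenFlags]::ReadWrite)
    try {
        foreach ($cert in $Certificates) {
            if (-not $store.Certificates.Contains($cert)) {
                $store.Add($cert)
                Write-Host "Distrusted: $($cert.Subject) [$($cert.Thumbprint)]"
            }
        }
    } finally {
        $store.Close()
    }
}

function Test-ChainStatus {
    # Build a chain for an end-entity certificate (for example one exported
    # from a web site) and report the status flags. A chain that ends in a
    # root sitting in Disallowed reports ExplicitDistrust; a root that is
    # merely missing reports UntrustedRoot / PartialChain instead.
    param([Parameter(Mandatory)][X509Certificate2]$Leaf)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck   # keep the check offline
    $valid = $chain.Build($Leaf)
    $last = $chain.ChainElements.Count - 1
    [pscustomobject]@{
        Valid  = $valid
        Status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Root   = if ($last -ge 0) { $chain.ChainElements[$last].Certificate.Subject } else { '' }
    }
}

# Usage with placeholder values:
#   $roots = Get-RootsToDistrust -Thumbprints 'THUMBPRINT-OF-CA-1', 'THUMBPRINT-OF-CA-2'
#   Add-ToDisallowed -Certificates $roots
#   Test-ChainStatus -Leaf ([X509Certificate2]::new('.\site.cer'))
```

Run `Test-ChainStatus` on the same site certificate before and after `Add-ToDisallowed` to see the status change from an empty list to `ExplicitDistrust`. To undo the change, delete the certificate from `Cert:\CurrentUser\Disallowed` (for example with `Remove-Item` on that path); the copies still present in `Root` or `AuthRoot` then become effective again.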
Firefox
You will need to click on Tools->Options, select the Advanced category, select the Encryption tab, click View Certificates, and click on the Authorities tab. This will open up a window listing all the trusted certificate authorities. For each of those, once you select it, you can click on the “Edit” button and you will see a window that looks like this:
This CA is trusted for all 3 types of identification. To disable the certificate, just uncheck all the check boxes and click Ok:
The result is that this certificate is no longer trusted to vouch for the identity of anything. You need to repeat the process for all the certificates you want to disable and I don’t know of an easy way to automate this. For the certificates listed as “Builtin Object Token”, Marsh Ray has tried deleting them and claims that this results in disabling them (since they are built-in and cannot be deleted) after restarting Firefox.
After you have disabled the CA certificates, you can expect SSL/TLS connections to fail if the certificate is issued by a disabled CA.
Have fun browsing with minimized attack surface : )
Tags: Chrome, Firefox, https, IE, SSL, surveillance, TLS, TLS1.1, TLS1.2, trusted CA, trusted root certificates
April 15th, 2010 at 11:28
It has to be built and probably would need some scripting, but:
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
April 15th, 2010 at 22:55
After reading the netsekure.org article I had the impression that moving a certificate from the trusted root store to the untrusted root store would disable the cert and prevent Windows from autoretrieving it since it was already in the cert store in the untrusted section.

I tested this on a Windows XP Pro laptop. There were 310 certs in the trusted root certificate store. I moved all of them to the untrusted store. I also exported the 3rd party certificates (7 of them) to back them up, and then deleted them from the 3rd party store. Then I went to https://www.amazon.com. The page opened with a good lock and a good certificate. This can’t be, I thought. I went back to certmgr which was still open and it showed no root certificates, yet the certificate path was still good: VeriSign Class 3 Public Primary Certification Authority G2 –> VeriSign Class 3 Secure Server CA – G2 –> http://www.amazon.com. I closed certmgr and reopened it and behold, in the trusted root store were two VeriSign certificates. It seems that moving the certificates to the untrusted store is NOT enough to stop Windows (XP) from retrieving certificates into the trusted root store!

So in XP (contrary to the netsekure blog) it seems that if one has the same certificate in both the untrusted cert store and the trusted root cert store, the trusted root cert store rules.

The two VeriSign certs were also added to the Trusted 3rd party cert store. Because of this, instead of simply deleting those certs from the 3rd party store, I moved them to the untrusted store. Again I closed IE and then went back to https://www.amazon.com. The same behavior resulted. The VeriSign certs were added back to the Trusted Root Cert store and the Trusted 3rd party store. IE had a good lock on http://www.amazon.com. I am getting quite different results than those stated on netsekure.

I don’t know if this is how Vista or Win 7 will behave.
April 16th, 2010 at 05:46
Ronald,
All the testing I’ve done is on Win7 and things work fine. I believe the same will work for Vista. I don’t have XP around to test it out. If I happen to find XP somewhere to test with, I will let you know how it goes.
Thanks
April 16th, 2010 at 23:29
Ronald,
This is great information. I am posting this in my own blog. Thanks for the great information posted.
April 19th, 2010 at 09:51
I heard about your site on Security Now and came to visit. Great post, and right after I’m finished writing this I’m going to take your advice on how to disable the root certificates.
Thanks for the help.
September 2nd, 2011 at 07:02
Just dropped in by chance. Just to make clear the handling of trusted root CAs in Firefox: http://support.mozilla.com/en-US/questions/756728 explains that “Root certificates are stored in the file nssckbi.dll and if you’ve disabled build-in root certificates then it is possible that they get re-enabled. (…) The only way to delete root certificates would be to compile your own version of the file that stores them (nssckbi.dll).”
Thanks
September 2nd, 2011 at 10:11
Actually, you don’t need to delete them, rather you need to “untrust” them. Firefox has updated their UI to be more clear about it and now the button is “Delete or Distrust”, which is more indicative of what is really happening. You really don’t need to compile your own dll; you have a higher chance of messing things up that way. Just go ahead and use the Distrust button or do it manually as I did when this functionality was not there.