Investigating hidden root certificates in the wild

Published on 21 Jan 2022

Category: Tech matters


HTTPS is critical infrastructure for web security, protecting the privacy and integrity of communications between networks. An important aspect of the protocol is the authentication process, which is powered by the Web PKI via digital certificates issued by Certificate Authorities (CAs).

In the trust model of Web PKI, only certificates issued by trusted CAs can be authenticated. As a current best security practice, vendors of major operating systems and browsers maintain and preconfigure public lists of a hundred or so trusted CAs, called root stores. Some well-known CAs in public root stores include DigiCert and Verisign.

Figure 1 — An overview of the hidden root CA ecosystem (Venn diagram).

Unfortunately, although root stores are preconfigured, no concrete standards or best security practices have been established for managing them on the client side. This is an issue because various third parties, such as government agencies, VPNs or even malware, can inject their own hidden root certificates, which are beyond public view, into local root stores.

Furthermore, these hidden roots are not subject to public regulation, such as the Certificate Transparency project, and so may issue leaf certificates arbitrarily and intercept encrypted communication.

Researchers affiliated with Tsinghua University and the University of California, Irvine, recently provided a comprehensive measurement study of these hidden root ecosystems in a paper published at ACM CCS 2021. With the help of a popular browser vendor, they analysed five months of certificate chains and verification statuses of web visits from volunteers to shed light on the widespread and serious security flaws of hidden roots in the wild.

1.17 million hidden root certificates identified

The measurement results demonstrated that client-side local root stores have been extensively manipulated. During the five months, 1.17 million hidden root certificates were identified as being installed into real-world clients.

The impact of hidden root CAs is far-reaching. The captured hidden roots signed leaf certificates for over 1.3 million websites, including high-ranking ones. They were also witnessed in 0.54% of all web connections, affecting 5.07 million clients and putting them at risk of interceptions.

Figure 2 — Scale and impact of hidden root organizations (scatterplot).

Owners of hidden roots

We identified 5,005 organizations that operate these root certificates, including government/enterprise agencies and TLS-interception software (for example, packet filters).

| Categories | # organizations | # hidden roots | # affected clients | Example |
|---|---|---|---|---|
| Enterprise Self-built | 24 | 48 | 199,743 (3.94%) | CN = SZSE ROOT CA, O = Shenzhen Stock Exchange |
| Digital Authentication | 13 | 18 | 539,711 (10.65%) | CN = CFCA ACS CA, O = China Financial Certificate Authentication |
| Government Self-built | 13 | 16 | 62,032 (1.22%) | O = National E-Government Network Administration Center |
| Fake Authentications | 11 | 817,532 | 2,798,985 (55.21%) | CN = VeriSlgn Class 3 Public Primary Certification Authority - G4 |
| Packet Filter | 11 | 15,587 | 73,725 (1.45%) | CN = NetFilterSDK 2 |
| Proxy/VPN | 10 | 90,131 | 1,029,648 (20.31%) | CN =, O = KoolProxy inc |
| Security Software | 2 | 7,187 | 4,719 (0.09%) | O = Beijing SkyGuard Network Technology Co., Ltd |
| Parent Control | 1 | 7,554 | 7,787 (0.15%) | CN = UniAccessAgentFW 2 |
| Unknown | 15 | 207,957 | 289,198 (5.07%) | CN = VRV NDF RootCA 2 |

Table 1 — Category of top 100 hidden certificate organizations.

Furthermore, we found a large number (0.8 million in 11 groups) of roots from ‘Fake Authentications’ that impersonated trusted CAs with deceptive subject names. For example, the largest organization held 254,412 hidden roots of ‘Certum Trusted NetWork CA 2’, impersonating Certum CA by replacing the lower-case ‘w’ in the legitimate CA with a capital ‘W’.

Threat intelligence indicates that some of the certificates may originate from malware such as Trojans and coin miners.
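The following is an added example, not code from the paper or from this blog: a defender-side audit that compares a local root store against a public baseline by fingerprint and flags hidden roots whose subject name collides with a public CA name once case and look-alike letters are folded, as in the 'NetWork' and 'VeriSlgn' cases above. The fingerprints are constructed placeholders, and the function names and folding table are illustrative assumptions.

```python
import unicodedata

# Fold look-alike characters onto one representative. The two examples on this
# page rely on a case change ('w' -> 'W') and a look-alike letter ('i' -> 'l').
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})

def skeleton(name: str) -> str:
    """Reduce a subject CN to a form in which look-alike spellings collide."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(folded.translate(CONFUSABLE).split())

def audit_root_store(local_roots, public_roots):
    """Return (fingerprint, cn, verdict, impersonated_cn) for each local root.

    Both arguments are iterables of (sha256_fingerprint_hex, subject_cn) pairs.
    """
    public_fps = {fp.lower() for fp, _ in public_roots}
    public_names = {skeleton(cn): cn for _, cn in public_roots}
    findings = []
    for fp, cn in local_roots:
        if fp.lower() in public_fps:
            findings.append((fp, cn, "public", None))
            continue
        # Not in the public baseline: a hidden root. Check for a borrowed name.
        target = public_names.get(skeleton(cn))
        verdict = "hidden-impersonating" if target else "hidden"
        findings.append((fp, cn, verdict, target))
    return findings

# Constructed sample data: fingerprints are placeholders, not real values.
PUBLIC = [
    ("aa" * 32, "Certum Trusted Network CA 2"),
    ("bb" * 32, "VeriSign Class 3 Public Primary Certification Authority - G4"),
]
LOCAL = [
    ("aa" * 32, "Certum Trusted Network CA 2"),
    ("c1" * 32, "Certum Trusted NetWork CA 2"),
    ("c2" * 32, "VeriSlgn Class 3 Public Primary Certification Authority - G4"),
    ("c3" * 32, "NetFilterSDK 2"),
]

if __name__ == "__main__":
    for fp, cn, verdict, target in audit_root_store(LOCAL, PUBLIC):
        print(f"{verdict:22} {cn!r} {('looks like ' + repr(target)) if target else ''}")
```

The fingerprint comparison decides whether a root is in the public baseline; the name match only prioritises which hidden roots to investigate first.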

Implementation flaws

The security properties of hidden roots are of great concern. Unlike rigorously-audited public root CAs, many have serious operational flaws.

We found that potentially 75% of the chains issued by legitimate government and enterprise self-built roots were invalid. This may be due to weak algorithms, irregular certificate content, invalid validity periods, and/or flawed issuance and management behaviours.

Action required to better manage root certificates 

Considering the widespread and serious impact of hidden roots, various parties involved in Web PKI need to take action to better manage root certificates. Specifically, we recommend that:

  • Operating systems should regulate root store policies to better monitor, log, and audit the modifications, and alert users of risks.
  • Browsers could be extended to identify and block non-compliant hidden roots.
  • Local software using custom root CAs should more carefully configure and manage their CAs.

In the long term, the community should look at more wide-ranging solutions, including replacing current trust models with a hierarchical authority architecture (for example, separating system root certificates from user root certificates, or using more granular trust levels).

For more details on our study, please refer to the paper ‘Rusted Anchors: A National Client-Side View of Hidden Root CAs in the Web PKI Ecosystem’ in the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS).

Yiming Zhang is a PhD student at Tsinghua University, under the supervision of Prof. Haixin Duan.
