Comment by pietervdvn

4 days ago

I'd even count this as "having local access to the device", as that is what is needed to install such a cert

I think it's fair to say that requiring local administrative access to the device is out of scope, since you have already completely pwned the device in that case, which is what you need to install a CA cert on any OS.

  • In honor of The Old New Thing I call these “Vogon vulnerabilities”: I have a marvelous exploit in mind that pwns anyone I have root access to

The list of preinstalled CAs is long. I think it's a safe bet that many nation-states have covert control over at least one CA on that list. (Or they have one of the root signing certs). HTTPS is way better than HTTP. But I'd personally rather if these random organisations didn't have RCE on my computers.

I've never heard of most of them. AAA Certificate Services? AC RAIZ FNMT-RCM? ACCVRAIZ1? Actalis? AffirmTrust? Even GoDaddy is in there. I know I don't trust those guys.

Trust has gotta start somewhere. But it's much better to TOFU, then pin signing keys in the updater.
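
An added example, not part of any comment above and not code from any real updater, of the trust-on-first-use pinning the last comment mentions: the updater records the fingerprint of the publisher's signing key the first time it sees it and refuses any other key afterwards. `TofuPinStore`, the channel name and the key bytes are hypothetical; verifying the update's signature with the pinned key is assumed to happen separately.

```python
import hashlib
import hmac
import json
import os
import tempfile


class PinMismatch(Exception):
    """The key offered now differs from the one recorded on first use."""


def fingerprint(public_key: bytes) -> str:
    # Pin the SHA-256 of the raw public key bytes, not a certificate chain.
    return hashlib.sha256(public_key).hexdigest()


class TofuPinStore:
    """Hypothetical pin store for an updater: one pinned key per channel."""

    def __init__(self, path: str):
        self.path = path

    def _load(self) -> dict:
        try:
            with open(self.path, encoding="utf-8") as fh:
                return json.load(fh)
        except FileNotFoundError:
            return {}  # nothing pinned yet

    def _save(self, pins: dict) -> None:
        # Write to a temp file and rename, so a crash cannot leave a torn store.
        folder = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=folder)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(pins, fh)
        os.replace(tmp, self.path)

    def check(self, channel: str, public_key: bytes) -> str:
        pins = self._load()
        seen = fingerprint(public_key)
        pinned = pins.get(channel)
        if pinned is None:
            pins[channel] = seen  # first use: trust and remember
            self._save(pins)
            return "pinned-on-first-use"
        if not hmac.compare_digest(pinned, seen):
            # A different key is refused no matter which CA vouched for the transport.
            raise PinMismatch(f"{channel}: expected {pinned[:16]}, got {seen[:16]}")
        return "pin-match"
```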