Equifax Certificate Unravelling Security on Windows 10 OS

leeneubecker.com

9 points by BandOfBots 8 years ago · 6 comments

7a1c9427 8 years ago

I fail to see the security issue here, the Equifax certificate in question (thumbprint: d23209ad23d314232174e40d7f9d62139786633a) has been revoked (on Windows 10 at least) - it is in the system store to protect users by being marked as revoked and thereby marking all child certificates and signatures as invalid.

I strongly suspect all the other listed certificates are also marked as revoked but I couldn't be bothered wasting my time checking.

  • kav2k 8 years ago

    Having checked, 2 out of 4 are currently revoked.

    Equifax and Thawte Premium Server CA.

raesene9 8 years ago

Unless I'm misreading this, the "vulnerability" is 4 certs deployed on machines with deprecated hashing algorithms.

The steps the author takes from that to "this could allow your machine to be compromised" are... well, tenuous at best. The idea that just because a certificate is present, an attacker will easily be able to use that to sign malware and bypass anti-malware protections as a result doesn't appear supported by the evidence presented.

  • bdonlan 8 years ago

    Moreover the hash algorithm doesn't matter for the root cert, because the system has a trusted copy of the certificate in its root cert store and doesn't need to check any signatures on the root itself.

  • francisck 8 years ago

    I completely agree with you. This article is nothing but pandering for notability by publishing something that attempts to scare the reader.

    I'm all for pushing OS and browser vendors to remove many of the trusted certs in the root store... but this is just silly and frustrating.

    Articles like this make the security industry lose credibility.

agl 8 years ago

This is nonsense. The self-signature on a root certificate is irrelevant unless you can easily calculate second pre-images, and that's not true even of MD5, and accepting a root doesn't mean that the validator would accept that hash function on a non-root.

Equifax is only a 1024-bit RSA key, which isn't ideal, but it expires on Aug 22nd this year and the key-size of the root doesn't impact confidentiality.
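The two points the thread turns on, that a validator never verifies a root's own self-signature (bdonlan, agl) and that a root marked revoked in the store is distrusted by its thumbprint rather than by any signature check (7a1c9427), can be demonstrated with Go's standard-library X.509 verifier. The program below is an added example and is not code from the article or from any commenter. It generates its own keys and certificates, uses a constructed hostname (example.test), and models the revoked entry in the Windows store as a list of disallowed SHA-1 thumbprints that is consulted before chain building; Go's `Verify` (1.18 and later) rejects SHA-1 signatures on any certificate it actually checks, which is every certificate on the path except the trust anchor.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a minimal certificate template. SignatureAlgorithm is the
// algorithm the issuer will use to sign this certificate (the property under debate).
func newTemplate(serial int64, cn string, isCA bool, sigAlg x509.SignatureAlgorithm) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		SignatureAlgorithm:    sigAlg,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{"example.test"} // constructed hostname
	}
	return t
}

// issue signs template with signer's key; a nil parent means self-signed.
func issue(template, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Thumbprint is the SHA-1 of the DER encoding, the value Windows shows for a certificate.
// A trust anchor is matched in the store by this identity, never by checking its self-signature.
func Thumbprint(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifyLeaf models a validator: an anchor on the disallowed list (the analogue of an entry
// marked revoked in the system store) is refused before any chain building; otherwise Go's
// verifier checks every signature on the path except the root's own self-signature.
func VerifyLeaf(leaf, root *x509.Certificate, disallowed map[string]bool) error {
	if disallowed[Thumbprint(root)] {
		return errors.New("trust anchor " + Thumbprint(root) + " is disallowed")
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Outcome holds the verification error for each case (nil means the chain was accepted).
type Outcome struct {
	Sha1RootSha256Leaf error // weak hash only on the root's self-signature
	Sha1RootSha1Leaf   error // weak hash on a signature the validator really checks
	DisallowedRoot     error // the root itself is distrusted in the store
}

// RunScenarios builds a SHA-1 self-signed root plus two leaves and validates them.
func RunScenarios() (Outcome, error) {
	var out Outcome
	rootKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	root, err := issue(newTemplate(1, "Example SHA-1 Root", true, x509.SHA1WithRSA), nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return out, err
	}
	goodLeaf, err := issue(newTemplate(2, "example.test", false, x509.SHA256WithRSA), root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return out, err
	}
	weakLeaf, err := issue(newTemplate(3, "example.test", false, x509.SHA1WithRSA), root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return out, err
	}
	none := map[string]bool{}
	out.Sha1RootSha256Leaf = VerifyLeaf(goodLeaf, root, none)
	out.Sha1RootSha1Leaf = VerifyLeaf(weakLeaf, root, none)
	out.DisallowedRoot = VerifyLeaf(goodLeaf, root, map[string]bool{Thumbprint(root): true})
	return out, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("SHA-1 root, SHA-256 leaf:", out.Sha1RootSha256Leaf)
	fmt.Println("SHA-1 root, SHA-1 leaf:  ", out.Sha1RootSha1Leaf)
	fmt.Println("disallowed root:         ", out.DisallowedRoot)
}
```

The first case validates even though the root's self-signature uses SHA-1, because the validator trusts the root by its stored identity and never evaluates that signature. The second fails as soon as the weak hash appears on a signature the validator must check, and the third fails before any signature is examined because the anchor is distrusted by thumbprint, which is the mechanism a revoked entry in the system store relies on.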
