This article exposes how around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper states:
To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.
[...]
Contrary to widespread belief, public key pinning [19] — an HTTPS feature that allows websites to restrict connections to a specific key — does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].
It is pretty common for companies, desktop antivirus and malware/adware to add a root CA, sometimes even for honest reasons. But to make the situation clearer: SSL web browsing is exactly as strong as the weakest CA (this includes DNS, if using DNS-over-HTTPS).
I want to check if my HTTPS traffic is intercepted in at least three aspects (preferably just with the CLI):
- Google Chrome/Chromium
- Firefox (Red Hat equivalent?)
- Ubuntu official repos/Snap (See ca-certificates & ca-cacert. Red Hat equivalent?)
So the real questions are:
- How to list unofficially installed CA certificates (ones that don't come with Ubuntu/Firefox/Chrome) to avoid MITM attacks/HTTPS interception?
- How to reset the trusted certificate stores to their defaults?
Some research and related questions:
checkmyhttps seems old and not trustworthy
Chrome: `chrome://settings/certificates`.

Is this a subset of what some of these commands return?

```bash
# System wide (I)
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
# System wide (II) (`p11-kit` package)
trust list
```

```bash
certutil -L -d ~/.mozilla/firefox/*.default*/
```
I already ran `sudo update-ca-certificates -v -f`. This just updates without removing any sneaky already-installed certificate?
`dpkg -S somefile` will tell you what package somefile belongs to. You can use `dpkg --verify pkgname` or `debsums` to see if they have been modified. You can use those to verify `/etc/ca-certificates.conf` and the directories it refers to -- basically, verify that CA files belong to `ca-certificates`, and use `dpkg-reconfigure -plow ca-certificates` to choose among them. As you may have guessed, `update-ca-certificates` uses this data to recreate the global CA store files.

I don't have an easy answer for app-specific stores like Chrome's and Firefox's. You'd basically start by looking for global configuration directories, if any (`dpkg -L`), and then look into each user profile to see if custom CAs have been installed in that profile: look at the files, diff with a new one, check if the account is corporate-managed, ... StackOverflow or SuperUser can help more directly.

Obligatory note: installing packages from untrusted third parties can mess up the system in many ways (running any untrusted script, really). I think yours is still a fair question, since benign software sometimes adds a CA and won't try to hide the fact. However, if you suspect someone might have modified your system behind your back, it's far safer to reinstall.
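A small script that applies the answer's approach to the system-wide store, answering the question's "how to list unofficially installed CA certificates": it compares the entries enabled in /etc/ca-certificates.conf against the file list of the ca-certificates package, and also reports anything under /usr/local/share/ca-certificates, which update-ca-certificates trusts unconditionally. This is an added example, not code from the question or the answer; the sample conf, package file list and local certificate names are constructed, and scan_system() assumes a Debian/Ubuntu host with dpkg.

```python
"""List CA certificates that update-ca-certificates will trust but that the
ca-certificates package did not ship (added example; sample data is constructed)."""
import os
import subprocess

CERTSDIR = "/usr/share/ca-certificates"             # conf entries are relative to this
LOCALCERTSDIR = "/usr/local/share/ca-certificates"  # every .crt here is trusted, no conf entry needed


def enabled_entries(conf_text):
    """Entries update-ca-certificates includes: skip blanks, '#' comments and '!'-disabled lines."""
    out = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        out.append(line)
    return out


def find_unofficial(conf_text, package_files, local_crts):
    """Return (enabled conf entries the package did not ship, certs found in the local dir)."""
    shipped = {os.path.relpath(p, CERTSDIR) for p in package_files if p.startswith(CERTSDIR + "/")}
    extra_conf = [e for e in enabled_entries(conf_text) if e not in shipped]
    return extra_conf, sorted(local_crts)


def scan_system():
    """Run the check on the live host: reads the real conf and asks dpkg for the package's files."""
    with open("/etc/ca-certificates.conf") as f:
        conf = f.read()
    pkg = subprocess.run(["dpkg", "-L", "ca-certificates"],
                         capture_output=True, text=True, check=True).stdout.split()
    local = [os.path.join(d, n) for d, _, names in os.walk(LOCALCERTSDIR)
             for n in names if n.endswith(".crt")]
    return find_unofficial(conf, pkg, local)


# Constructed sample: one shipped+enabled entry, one shipped+disabled entry, one admin-added entry.
SAMPLE_CONF = """\
# Automatically generated by the ca-certificates package
mozilla/ISRG_Root_X1.crt
!mozilla/Some_Distrusted_CA.crt
corp/Proxy_Root_CA.crt
"""
SAMPLE_PKG_FILES = ["/usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt",
                    "/usr/share/ca-certificates/mozilla/Some_Distrusted_CA.crt"]
SAMPLE_LOCAL = ["/usr/local/share/ca-certificates/av-scanner.crt"]

if __name__ == "__main__":
    extra, local = find_unofficial(SAMPLE_CONF, SAMPLE_PKG_FILES, SAMPLE_LOCAL)
    print("enabled in conf but not shipped by ca-certificates:", extra)
    print("trusted from the local directory:", local)
```

Anything reported should then be checked with `dpkg -S` (to see which package, if any, installed it) before deciding whether to disable it via `dpkg-reconfigure -plow ca-certificates` or delete it from the local directory and rerun `update-ca-certificates`.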