Certification Authorities with browser ubiquity of 99.3% are best in Industry.

 


The Certifying Authority (CA) is a third-party organization that issues digital certificates and manages the public Certificate Revocation List (CRL). The CA certificate is signed and digitally protected by a trusted root certificate, which is issued by an authority within the public key infrastructure of the SSL/TLS/DTLS stack. For many years, Microsoft's Windows used VeriSign and Thawte to issue its CAs, until Microsoft decided on its own self-signed root CA certificate for the Windows 10 Anniversary Update.

This makes it possible to create a self-signed certificate and use it with the current versions of browsers. This self-signed certificate is itself verifiable by the root CA, and thus the trusted chain can be extended to arbitrary intermediate certificates. In some cases, this verification function may be more secure than an original CA's signature. Nevertheless, while Microsoft's root CA was superior in terms of chain consistency, the self-signed certificate was better in terms of user experience: it only took one mouse click to complete the process for all users. Even so, this change made more practical sense for Chrome (Google) and Mozilla Firefox (Mozilla Foundation).

In addition, this change was in response to an announcement by the NSA that it had broken the security of all CAs mentioned above. A complete list of affected root CAs (and their affected clients) is available from the InfoQ article.

Authenticode was introduced as part of Windows in 1996 with Windows 95. It is a digital signature technology used to sign applications and other files, thus ensuring that these files have not been modified since their creation. To use Authenticode on an application or DLL, a new certificate must first be generated for the application by a trusted Certificate Authority (CA). This can be done by either Microsoft's own Certificate Services or another CA-provided certificate authority. For this purpose, the certificate is published to the "Trusted Root Certification Authorities" list. In Windows 10, in addition to VeriSign and Thawte, Microsoft uses a self-signed certificate (installed on users' computers in response to a specific click for all users). However, the problem with this method is that the verification of Authenticode execution itself can be performed by any computer that has access to the same lists of trusted CAs.

A root CA is a certification authority that issues digital certificates. This explicit trust by the user implies that there is no client software available that can use an unsigned root certificate as an intermediate certificate for further verification. To overcome this problem, Microsoft has used a new mechanism called Self Root Certification Authority, which is basically a self-signed certificate installed on users' computers in response to a specific click.

The main issue with this method is that the verification of Authenticode execution itself can be performed by any computer that has access to the same lists of trusted CAs.


This new model has obvious usability advantages:


This shift requires an adjustment of users' behaviour, which can be hard to achieve and for some users even hard to understand.

Conclusion:


Microsoft's browser root CA experiment had two main goals: changing the CA infrastructure in order to protect users, and creating a new generation of browsers with better usability. The first goal was accomplished, because the whole ecosystem has been changed and it is now more secure than ever, but this is not true for the second goal. In fact, this experiment caused a lot of usability issues and functional regressions that were finally fixed in the Windows 10 Creators Update.
