Windows Certificate Manager does not display the complete trust list (hexatomium.github.io)
390 points by svenfaw on Aug 29, 2015 | 100 comments



You can also use certutil to grab all the trusted root certificates from the Windows Update server:

    certutil -generateSSTFromWU roots.sst

Then open roots.sst (which defaults to viewing in certmgr) and it will show the whole lot. Or use certutil -syncWithWU to get all the certs individually.

Alternatively: download http://ctldl.windowsupdate.com/msdownload/update/v3/static/t... [1], extract the authroot.stl file (which is in PKCS#7 format), use 'certutil -dump' to list all the subject key identifiers therein, and then download them from the same location as authrootstl.cab by appending ".crt" to the identifier.

Windows is not lying about anything, you just need to look in the right place.

Also, if you want to examine the CTL list that Windows is currently using - which should be identical to the one above unless it's brand new or there has been a problem downloading it - this will extract it from the registry:

    powershell -Command "[IO.File]::WriteAllBytes('authroot-local.stl',(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate').EncodedCtl)"

Then use 'certinfo -dump' or whatever you like, it's exactly the same format as the downloaded authroot.stl. This is the same registry data that the OP's CTLInfo tool examines.

[1] as specified in https://support.microsoft.com/en-us/kb/2677070
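An added example, not part of the comment above: a PowerShell sketch that uses the same `certutil -generateSSTFromWU` command and then reports which Windows Update roots are not yet present in the local machine stores, which is the gap certmgr does not show. The temp file name and the report columns are choices made for this example.

```powershell
# Added example, not from the thread. Run on Windows with network access.
$sst = Join-Path $env:TEMP 'roots.sst'

# Same command as in the comment: fetch the trusted roots from Windows Update
# into a serialized certificate store (.sst) file.
certutil -generateSSTFromWU $sst | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil exited with code $LASTEXITCODE" }

# Load every certificate contained in the .sst file.
$wuRoots = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$wuRoots.Import($sst)

# Index the thumbprints that already exist locally.
# Root = "Trusted Root Certification Authorities", AuthRoot = "Third-Party Root CAs".
$localRoots = @{}
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
    ForEach-Object { $localRoots[$_.Thumbprint] = $true }

# Disallowed = "Untrusted Certificates"; entries here override trust.
$disallowed = @{}
Get-ChildItem Cert:\LocalMachine\Disallowed, Cert:\CurrentUser\Disallowed |
    ForEach-Object { $disallowed[$_.Thumbprint] = $true }

# One row per Windows Update root, with its local status.
$report = @(foreach ($c in $wuRoots) {
    [pscustomobject]@{
        Thumbprint   = $c.Thumbprint
        NotAfter     = $c.NotAfter
        InLocalStore = $localRoots.ContainsKey($c.Thumbprint)
        Disallowed   = $disallowed.ContainsKey($c.Thumbprint)
        Subject      = $c.Subject
    }
})

$notLocal = @($report | Where-Object { -not $_.InLocalStore })
"{0} roots on Windows Update, {1} of them not in the local stores" -f $report.Count, $notLocal.Count
$notLocal | Sort-Object Subject |
    Format-Table Thumbprint, NotAfter, Disallowed, Subject -AutoSize
```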


The bigger takeaway from this is with a system like this (fully managed by Windows Updates).. how can you remove certificates you don't trust?

Latest documentation for this seems to be for IE 5. I sure as hell like to run dpkg-reconfigure ca-certificates every once in a while after some roots get compromised and don't trust Microsoft to be on the ball.


It can be added to the disallowed certificate store, which takes precedence over any trusted stores.

For example, using the root discussed in the article:

1. Download the root cert from http://ctldl.windowsupdate.com/msdownload/update/v3/static/t... (or save it from the browser's certificate viewer)

2. Open certmgr and import it into 'Untrusted Certificates'.

(This just adds it for the current user's store. Could also import into the computer store by running mmc, adding the Certificates snap-in, and specifying 'Computer account' as the target.)

3. Restart browser. Go to https://certplusrootcag1-test.opentrust.com/ - it should say the certificate is revoked.

This only works for browsers like IE and Chrome, that use the Windows certificate store. Firefox has its own so would have to be done separately.
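An added example, not part of the comment above: the same distrust steps done from PowerShell, followed by a chain build that shows whether Windows now rejects the root. The file path is a placeholder for wherever the certificate from step 1 was saved.

```powershell
# Added example, not from the thread.
# Placeholder path: the root certificate saved in step 1.
$crt  = 'C:\Temp\unwanted-root.crt'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crt

# Step 2 without the GUI: add it to the current user's "Untrusted Certificates"
# store. From an elevated prompt, Cert:\LocalMachine\Disallowed targets the
# computer store instead.
Import-Certificate -FilePath $crt -CertStoreLocation Cert:\CurrentUser\Disallowed | Out-Null

# Confirm the certificate is now in the store.
$inStore = Test-Path "Cert:\CurrentUser\Disallowed\$($cert.Thumbprint)"

# Ask Windows to build a chain for the certificate and collect the status flags.
# Revocation lookups are switched off so the result reflects only store contents.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($cert)
$flags = @($chain.ChainStatus | ForEach-Object { $_.Status })

[pscustomobject]@{
    Subject      = $cert.Subject
    Thumbprint   = $cert.Thumbprint
    InDisallowed = $inStore
    ChainTrusted = $trusted            # should be False once the entry is in effect
    ChainStatus  = ($flags -join ', ')
}
```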


Thanks! While I still find this kind of backwards at least something like this exists.


Hmm, I think it's a very elegant design, probably built to precisely address the problem you asked about. Update server manages whitelist, user/admin manages blacklist, which wins. Nice!


I prefer the situation on Linux where I don't have the certificate at all rather than getting the certificate and having to mark it untrusted.

Edit: I'm referring to configuring the package as ca-certificates is installed or via dpkg-reconfigure


Correct me if I'm wrong, but don't several distros come with pre-packaged root CAs?


I think the idea the parent is trying to express is that if the Linux distro (and OS X in this situation) comes with the root certificate trusted by default via ca_root_nss/ca-bundle or whatever the packager decides to name it they can disable it before even connecting to the internet, and if the certificate is not trusted by default then they don't need to worry about it magically getting trusted in the future outside of the simple fact of updating the root certificate store blindly without inspecting it.

Microsoft's approach means that the user would have to go find the certificate on the internet and blacklist it explicitly, which allows a small window where the computer is vulnerable to some kind of attack involving a certificate signed by the unwanted authority.


So does this mean in a year I can make use of my free upgrade and then install a nice prepackaged something that will kill its capacity to spy on me?


That seems reasonable: CNNIC compromised themselves and were removed from Mozilla and Android root cert stores, Microsoft's root cert store still trusts CNNIC.


e-Guven as well

https://blog.mozilla.org/security/2015/04/27/removing-e-guve...

edit: e-Guven is being removed "due to insufficient and outdated audits" and not a compromise (Couldn't reply below).


e-Guven was never compromised, it just still uses outdated practices like issuing directly from the root and expires in 2017 anyway. I once even caught a 1024-bit DSA cert being issued from this root by mistake.


One feature of Windows is defaulting to not showing messy complexity to the user. The other feature is defaulting to backward compatibility. Combined, this means that Windows often has more than two data stores for some aggregate feature [e.g. web browser security, software configuration etc.] as new versions of Windows implement these features in more robust ways.

So yeah there are two or more places where certificates are stored. Typical users only care about the abstraction of web security so that's what Windows surfaces. Application developers should choose the new store for new applications. Existing applications can use the old method. System administrators and security consultants should make themselves familiar with all the documentation and double their rates.

Bloggers, however, are still free to write linkbait headlines using the Windows bashing meme.


The problem with your argument is that this is an administrative GUI that isn't even normally presented to end users unless you search for it or know how MMC snap-ins work. It is a power-user interface by all measure.

And while Microsoft does simplify UIs for end users, they don't typically do the same for administrative content (just look at anything in the Admin Tools, or MMC snap-ins, no sugar coating there).

Your argument about backwards compatibility is at best confusing. What do the data stores utilised have to do with UI representations of the same? I can name numerous examples where things changed behind the scenes and the UI was just updated to support it (e.g. Disk Manager now supports ESP, and exFAT, same UI, ConHost now supports PowerShell, same UI, Defrag now supports Trim for SSDs, same UI, etc).

> So yeah there are two or more places where certificates are stored. Typical users only care about the abstraction of web security so that's what Windows surfaces.

No, it doesn't. As the blogpost clearly shows it doesn't "surface" all root CAs usable by websites.

> Application developers should choose the new store for new applications. Existing applications can use the old method.

Huh? What do application developers have to do with this? I don't see the connection. This isn't talking about the custom root CAs you may install, it is talking about Microsoft's list of preinstalled ones.

> System administrators and security consultants should make themselves familiar with all the documentation and double their rates.

Please link to the documentation about this on Microsoft's site.

> Bloggers, however, are still free to write linkbait headlines using the Windows bashing meme.

Aside from the word "lying" (which is emotive), the title is largely accurate. Windows does mislead about installed trusted root CAs. And nothing you've said in this apologist answer has come close to addressing that, you're just dancing around it.



Please don't call commenters "apologists" on HN.


While I agree that UnoriginalGuy's post could have been phrased in a more neutral manner, the post he was replying to referred to the article as "linkbait" based on a "Windows bashing meme." Is that a neutral phrasing? Given that the article was revealing new information to most of the people here, I strongly disagree that the article is "linkbait."

I think you are personalizing the debate in exactly the way you are supposedly trying to avoid. Let's debate the facts, not hurt feelings. Nobody has been rude here (at least in the few posts I read). There is nothing wrong with calling someone an apologist, as long as it is done in a respectful way and not just to get a rise out of someone. We don't need to shrink the space for debate here any more than it already has been.


Totally fair point. I'm not invested in the debate so much as the word "apologist" sets me off.


How could that word possibly set you off? It's a common word in the English language, and couldn't possibly be offensive by any stretch of the word.

> a person who offers an argument in defense of something controversial.

Is it just me, or are the majority of online communities that I visit becoming overrun with people that get offended by the slightest amount of bold or confrontational behavior?


There really aren't many respectful ways to call someone an apologist or saying someone writes linkbaits. There is the Windows bashing meme (I, personally, don't like Windows very much) but this article has shown an interesting fact about Windows management UIs that, probably, Microsoft should rework a bit. And then there are the triggers brudgers and tptacek mentioned. We are human and fallible and we should keep that in mind as much as humanly possible.


The "linkbait" comment reflects one of my triggers and the way in which writing on mobile may correlate with lower quality output on my part. As originally posted the line had both "linkbait" and "amateur hour". If I'd been sitting at a keyboard rather than touch screen, I might have written something more constructive. The rhythm is better, editing is easier, and input is not so painful that I am looking for an ending after a couple of paragraphs.

Objectively speaking, there is pretty strong evidence to support a belief that a "Windows bashing meme" exists to the extent that any meme can exist. Apple spent most of a decade and several billion dollars on buying over the air advertising for its "I'm a PC campaign"; it's so socially acceptable to bash Windows that PG hisself engaged in it for many years; and a lynchpin of Silicon Valley mythology is Netscape got hosed even though it unicorn exited at about $10 Billion, Marc Andreessen's minority stake was enough to make him a VC and Jim Clark bought a gridiron football field length yacht.

It's not that I'm opposed to over-enthusiastic headlines, well written headlines should capture the reader's attention to the point that they click. What makes it "linkbait" to me is that it panders toward confirmation bias rather than encouraging curiosity: it's us-versus-them tech gossip of the sort that tends not to make people smarter. I often wonder about unicorns not seen because of YC's historical attitude toward Windows [e.g. the days when a tock processor announcement for the mid-year Macbook dominated the HN frontpage for a day or two].

As to the other topic, one form low quality HN comments [1] take is what I call "the internet pick apart". Break a post down into many sound-bites. Cast each into an unfavorable context. Then arbitrarily argue against each sound bite. The goal is to broaden the flame war across many fronts without creating a concentrated target for coherent rebuttal. The pattern is to apply it recursively to each successive defence by the victim. The sport is to keep the target spinning [there are extra points for reintroducing sound-bites from higher in the thread].

That said, a comment that literally begins with the string "The problem with you" probably isn't intended to produce constructive dialog. Pig lipsticking it with "r argument" doesn't change the purpose. Credit where credit is due, at least the comment works its way up to the pick apart rather than down to the problem with me.

Anyway, whenever I find myself writing or saying "you" in a conversation I try to stop and try to rephrase. It's loaded. When I read comments that use "you" it's usually the rest of the internet seeping into HN. The exception is things like "You can safely assume that I didn't write this on mobile."

[1]: On the other hand, the internet pick apart and other forms of flaming and trolling and pointless arguing constitute some of the highest quality writing on the internet in general. Trolling and flaming are successful because they are writing for an audience and for entertainment and for the sheer joy of writing...or at least it was for me.


I did not:

> And nothing you've said in this apologist answer has come close to addressing that, you're just dancing around it.

I said the answer was apologist, not the individual.

I myself post apologist answers all the time (justifications for controversial positions), but I don't consider myself an apologist broadly speaking. I also don't presume that the above poster is an "apologist" even if I do consider this singular post "apologist" in nature.


"Apologist" is a word for a person. Perhaps you were looking for "apologetic"? (Though given that an apologist is someone who practices apologetics, it still seems like a hazy distinction.)


In English, nouns can be used as adjectives. e.g. School bus, ticket office, computer mouse, apologist answer.

"Apologetic" has connotations of regret. I think this confusion might lead some people to take "apologist" as a derogatory or inflammatory word, when it shouldn't be.

https://en.wikipedia.org/wiki/Christian_apologetics https://en.wikipedia.org/wiki/Apologia


When you use a noun referring to a person to modify another noun, it will generally be taken to mean "belonging or related to such a person." For example, "school teacher salaries" means salaries belonging to school teachers. Similarly, the phrase "apologist comment" naturally reads as "a comment belonging to an apologist."

And I don't think it's the connotations of regret that lend the term "apologist" its negative connotations. The negative connotation of that word is the implication that you are bound and determined to defend some position and will not be moved — stemming from its roots of defending literal dogma. People take it to mean a sort of closed-minded, blind tribalism.

At any rate, if you don't trust your audience to read "apologetic" in the proper sense, I certainly wouldn't hold out much hope for a neutral reading of "apologist."


This is the least useful conversation I have seen all day.


It's an objective term (a defender of something controversial), unlike "linkbait" or "bashing" for example.


It may have an objective definition but I don't think I've ever heard it used in a way that didn't have a connotation like this from chc:

"The negative connotation of that word is the implication that you are bound and determined to defend some position and will not be moved — stemming from its roots of defending literal dogma. People take it to mean a sort of closed-minded, blind tribalism."


I never knew apologists had a negative connotation. What is the concern with apologists?


The dictionary definition of apologist is "a person who offers an argument in defense of something controversial", and is usually used in such contexts as "hitler apologists" or the like. From there stems tptacek's reaction to someone using the term in a way that implies disparagement.


It doesn't. People like to be offended by things these days.


I flagged it for what it's worth.


How is a partial list of root certificates less messy than a full list?


"Typical users only care about the abstraction of web security so that's what Windows surfaces."

Typical users do not open certmgr.msc


People that understand what certmgr.msc does (or should do) would immediately realize that it's not telling the full story.


I'm not a web developer, I am not intimately familiar with the intricate details of SSL, and yet I understand what a root store is and how it works. I have used certmgr.msc in the past, understanding that it should show me the certificates trusted by the system -- no more, no less. I did not immediately realize that it was not showing me all the certs my system trusts and I would like to know how I could have immediately realized that without knowing all the major CA's and the names of their root certs off the back of my hand.

Perhaps that could be written off as my failing in not knowing what certmgr.msc "should do", but Windows certainly does not make it very clear and I think it's reasonable for an average power user to assume that it shows all the trusted certs on the system, and not part.


It's more than reasonable. You would have to not only know what certmgr is and what it does, but also what it SHOULD be doing in order to know it wasn't doing it.

That would require specific knowledge about the CA ecosystem and who is trusted. Hardly anyone knows that.


Windows isn't lying. Microsoft openly lists what certificates Windows includes on their site. The fact the root certificate store on your machine only lists certificates it actually contains is to be expected.

This is just a UI failure.


Yep, they release a periodical PDF with interim updates [1]. Only the most lazy "security researcher" would believe that Windows only trusts two dozen root certificates.

[1]: http://social.technet.microsoft.com/wiki/contents/articles/1...


But there's a difference between looking at the list of root certificates that Microsoft say Windows trusts and looking at the list of root certificates that Windows trusts.


Only if the two lists differ, that would actually be noteworthy. Currently it's just a blatantly clickbait title.


If it changes and you haven't taken the software update yet the lists will differ.


So roots are dynamically fetched and this is the list of previously fetched roots? Or is it a revocation check before first use? Do you have a link?


> So roots are dynamically fetched and this is the list of previously fetched roots?

Precisely. Windows comes with a small number of roots pre-installed. I can't remember which they are, I assume it's probably just Microsoft's own, one of which is presumably used to check roots fetched later. When you browse the web with a browser that uses Windows's certificate store, it'll fetch other roots as needed.

Interestingly, this might be a security benefit. If you'd never visited a site using a revoked root, you never had the root in the first place.


When an American company lies, it's only a UI failure.


Why, specifically, American companies? I've encountered countless companies from other countries that lie.


If you're interested in seeing new roots, Microsoft has started posting all updates to the cabfpub mailing list:

https://cabforum.org/pipermail/public/2015-August/005847.htm...


What seems to be happening with Windows is that Microsoft is making the machine more a slave of their services with each new release. It's as if they're trying to catch up with Chromebooks, which are totally slaved to Google. Especially since Windows 10 is free with ads. Treating the local certificate store as a cache to the main certificate store at Microsoft HQ is consistent with this.

How difficult is it to hijack the link between the local and remote certificate stores? That's a potential attack surface. It's not hard-coded; it's a registry key (Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate). The default URL is "ctldl.windowsupdate.com".

So what protects that domain from being hijacked via DNS poisoning? It ought to have a valid SSL cert, right? Well, no. Go to "https://ctldl.windowsupdate.com/":

    ctldl.windowsupdate.com uses an invalid security certificate.

    The certificate is only valid for the following names:
    a248.e.akamai.net, *.akamaihd.net, *.akamaihd-staging.net,
    *.akamaized.net, *.akamaized-staging.net
    (Error code: ssl_error_bad_cert_domain)

Uh oh. Am I missing something, or are root certs downloaded over an unsecured channel?


They are transmitted over an unencrypted channel, but the CTL files themselves (authroot.stl and disallowedcert.stl) are signed by Microsoft so it's fine. Any modification in transit can be detected and presumably will cause them not to be updated.


So an attacker could return an old "disallowedcert.stl" to re-activate a revoked cert?


It would be interesting to try. There's a sequence number in the CTL which could prevent this type of attack, but I don't know if it's actually checked against that which is currently stored.
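An added example, not part of the thread: a PowerShell check of the signature on the CTL that the machine currently holds, read from the `EncodedCtl` registry value mentioned earlier in the discussion. It assumes Windows PowerShell 5.1, verifies the PKCS#7 signature and the signer's chain, and prints a SHA-256 of the blob so copies can be compared across machines or over time. It does not parse the CTL's sequence number.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security   # provides Pkcs.SignedCms

$key   = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
$bytes = (Get-ItemProperty -Path $key).EncodedCtl
if (-not $bytes) { throw "No EncodedCtl value under $key" }

# The CTL is a PKCS#7 SignedData blob; decode it and check the signature.
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode($bytes)
try {
    # $true = verify the signature only. This proves the content matches the
    # embedded signer certificate, not that the signer is one you trust.
    $cms.CheckSignature($true)
    $sigOk = $true
} catch [System.Security.Cryptography.CryptographicException] {
    $sigOk = $false
}

# Separately build the signer's chain to see which root it ends at.
$signer = $cms.SignerInfos[0].Certificate
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.AddRange($cms.Certificates) | Out-Null
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($signer)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# Fingerprint of the stored blob, for comparison with another copy.
$sha  = [System.Security.Cryptography.SHA256]::Create()
$hash = [BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''

[pscustomobject]@{
    ContentTypeOid = $cms.ContentInfo.ContentType.Value
    SignatureValid = $sigOk
    Signer         = $signer.Subject
    SignerChainOk  = $chainOk
    ChainStatus    = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    ChainRoot      = $root.Subject
    Sha256         = $hash
    Bytes          = $bytes.Length
}
```

A `SignerChainOk` of False is not by itself a sign of tampering; read `ChainStatus` to see the reason, for example a signing certificate that is past its validity period.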


Isn't the first question to ask "Can I trust Windows?" (and the answer "no", for all the obvious reasons)?


Is this really true? When I navigate to https://certplusrootcag1-test.opentrust.com/ I see the root certificate is "Certplus Root CA G1", not "OpenTrust Root CA G1"...


It is "CertplusRoot CA G1" in my system too. This CA was added recently (http://www.infoworld.com/article/2941594/security/microsoft-...).


The Edge browser doesn't display certificate data at all. This has been discussed on the CAB forum mailing list recently.


    CTLInfo is the result of a few sleepless nights spent
    understanding and reverse engineering some of the CTL
    obscure format

I wonder what the reason is to use a user-unfriendly system like Windows and then spend hours and hours fighting it?

No matter how much time you put in, you will never win against an OS that is working against your interests.


You're reading Hacker News and you want to know why someone would bother reverse engineering a closed source platform?


To be fair, Hacker is a weird misnomer in many ways. It's startup-scene-connected-tech-heavy-news more than anything else.


Which can also be seen in the fact that the general consensus on startup-news is often the opposite of what the actual hackers, for example those who are in the CCC, think.


Oblio that's leet speak. hacker history (well and present) nothing that a google search won't clarify.


CCC = ?


Chaos Computer Club


> It's startup-scene-connected-tech-heavy-news more than anything else.

Yes, and that's because it is a very powerful marketing tool for Paul Graham's huge YC business.


It used to be called Startup News.


1) Because MSFT provides great corporate support for desktops. Keyword: great. Not good. Great.

2) Because people are used to it.

3) Because Office products are the de facto standard, and they run best on windows.

I could go on, but you get the point.


Everyone talks about how great the alternatives for office are. But they are good. Not great. Even office word online is better than Google docs.


Comparing Google Docs to MS Office, oh god. I mean I always found Google Docs and Word Online awful, mostly I need Docs Offline. There aren't many times where I need them only or need Collaboration and even for that there would be lots of Toolings. Libre Office should be compared and if you are an Office 2003 User you wouldn't have a hard time to go to LibreOffice. Also on Mac LibreOffice is really really lightweight compared to MS Office. Okay, there are two things missing, which are used a lot. One is Excel's preinstalled Table formats (on LibreOffice you need to define all of them by yourself, so no quick design). And second you can't easily migrate Mail Merge Docs from Office to LibreOffice.


I'm nearly the opposite.. I uninstalled my office 360 version from work when I left the job (validation failed anyway) and only used it for outlook for work anyhow... that said, I needed to update my resume. For that I have Libre Office... that's about all I use it for.

For me, google docs works well enough... I use the sheets more than the docs actually, as I keep track of my current bills with it. All of that said, there are a lot of tiny features in MS Office that LO doesn't have.... I don't need them, that doesn't mean that nobody does. I know plenty of people that can't give up their use of excel or word in favor of LO.

I also would love to see a fully free/open solution that works as well as Exchange+Outlook ... I've seen lots of alternatives and options, none are nearly as clean or well integrated. And for that matter, most are a bitch to setup/maintain on the server-side of things, or simply aren't actually free, there's usually a critical "plugin" that's only available with a support contract.


It really depends on what you are doing. If it's formatting documents for printing, you're right. If, however, you want a document all 30 participants in a group can collaboratively edit, Google is the way to go. I've used it for ad-hoc voting on group issues (every voter would add a character to the list item they favored) and it held well up to 50 people.


What is "better" about MS word than google docs? The only reason I see to use word is if you're using files from 1999 that don't work anywhere else.

Google docs is a much simpler system, especially for places like schools because of the "cloud" nature of it. Google docs has all the features the average person needs.

MSWord is for specialty cases, google docs and the open alternatives are for everyone else.

I'm about to earn a masters degree and I've never needed to use MS word. Double spacing, page numbers, and aligning text work in just about every processor. I've rarely received a word document from a professor that used advanced features of word, they're always poorly formatted.


It's true that the average user uses maybe 20% of Word's features, and Google Docs have 50% of them. The problem is that each person uses a different 20%.

One feature I personally needed and missed was to generate a table of contents with page numbers for each heading. I ended up exporting the doc to Word to do it, and in the process discovered that the exported document had a messed up layout in a few places.


Yeah this is a super common experience among people I talk to. For me, it was not wanting any headers or page numbers on my title page. (I ended up making two separate documents to get around it)


Would like to report that I just used Google Docs the other day for something where I also needed a title page, and that Google now supports this.


Google Docs isn't even in the same league as MS Office. GDocs is basically slow, web-running (I mean that as an insult), glorified Markdown editor that saves your data in an unknown format somewhere you can't access directly.

About the "features average person needs" remember that users adapt their workflows to the features you give them and make do, not the other way around. Give them more, they'll use more.


If somebody out there has a reliable way to measure resource consumption in Windows (Mark Russinovich?), I'd be interested in a comparison between (say) a thousand word document in Word and the same document in Google Docs in Chrome.

I think you could probably add "resource hungry" to your description of GDocs....


That's probably the case, but does it matter?


Ask the people who spent years attacking Word for being "bloatware" ;-)


It chops off a solid 30-45 minutes of battery life on my laptop, in Safari (to say nothing of Chrome, at which point it becomes a campfire on my lap), so yeah, I think so.


In my experience, Docs can't even reliably align the cursor with the position between characters (problem described here[1], except my zoom is at 100% already).

Thankfully all my documents have very light formatting, so I can just write in Vim and then upload them.

[1] http://www.podiohelp.com/google-docs-cursor-misaligned/


I get this as well, and I have another problem. I usually work in Word but one company wants things in Google Docs. OK, I create the document in Word in Times Roman and paste it into Google Docs.... which converts it into Arial.

If I copy something else from the same Word document into the same Google Doc, then Google keeps it in Times. How does that work?

Is there a "smart paste" feature I've missed?



Sorry if I'm being thick, but I'm using the same clipboard to paste between the same two documents, so I still don't see why GDocs should interpret them differently....

I can try clearing the clipboard between pastes: would that make a difference?


I've seen this happen before, but only very rarely and refreshing would always fix it. Does refreshing not work for you?


Unfortunately not.


Any sort of styling control: if there's a particular style I want applied to certain portions, I have to recreate it at each use. God help me if I decide to change it halfway through the document.

Orphaning of content: GDocs will very happily strand a section header at the bottom of a page, dropping a page break right between the header and the content.

The cursor will occasionally just go where it pleases.

Revision history (compared to diffing git commits) is incredibly frustrating. Click on a revision, read the whole doc, repeat…

As a sibling says,

> Oh and typography.


Tables and images positioning to begin with. Text flow around objects as well. Oh and typography.


I think you missed the word "online". https://office.live.com/start/Word.aspx


x) Anything related with drivers, especially video and audio

With the exception of printers. Omg printers are such a PITA on windows I often just send a pdf to me and print it with the phone.


The past several printers I've had... I just had to open the add printer dialog (which is more of a pain than it should be) and it would just detect the printer.. this is from win7 through 10.

Now getting a new printer (new hardware) installed in Linux isn't usually so easy.. unless you're using a fairly mainstream HP Laser printer, which is actually what I recommend because it's so straight forward. Outside of that it's almost always a pain. My current printer is rigged up and connected to print from my phone from anywhere, I have it setup for remote printing via Chrome... which is kind of nice, ordering something, or paying a bill on a break at work and being able to print at home.

Unless you're using a really off brand, I haven't had trouble installing on windows via the add printer... it may take a while to download a full device list for printers, which aren't pre-installed, but that's time not difficulty.


I've an epson wifi printer and every time it gets a different ip windows can't find it anymore.

I used to have it on a dns reserved ip but damned new telco router doesn't have that option since I upgraded to fiber.

Every time the epson setup wants to restart the whole computer to start the detection and it is so annoying, I just let any other airprint device do the thing.


Does the epson itself have a web-ui that you can set a hard-coded address to?

I usually just set all mine in the router, but as you said, that doesn't work for you.


With linux I usually just plug it in then hit print in the application. Then it prints... I've never run into a consumer model that needed installing in any way. I may just have been lucky.


I tend to use network printers...


http://localhost:631/ is your friend then. I hate network printers.


I'll add to philtar's comment:

Because senior management forces workers to use it.

I'm a scientist who analyzes large data sets. I also need to communicate to my co-workers. I need a secure operating system without a lot of eye-candy that makes it look like a tablet and lets me give priority to my data analysis tasks. Windows is not it, but I have to use it.


But you can use things like Excel easily in a VM. Not pull your hair out hard, but easily. Then you can parse Excel or Word with Python in Linux easily.

I just don't get how we still allow closed source operating systems for critical business tasks.


Try deploying a different OS with easily understandable UI. Make it easy so that companies can issue laptops and upon first login the machines are appropriately imaged per the user needs. Make sure that strong user limits are in place to prevent users from running bitcoin-mining/porn-servers/or-worse on corporate machines and then and only then, you may have a shot at disrupting the Windows enterprise stronghold.

If you were to poll corporate user income and their provided OS, you will likely find that 99% of workers earning low wages (i.e. not trusted by their companies) are provided windows, the more someone earns the more likely they are to have a choice in OS from their employer--just my hypothesis.


> I just don't get how we still allow closed source operating systems for critical business tasks.

Maybe I'm a bit behind the times, but some collection of VM, MVS, OS/390 aka zOS, CICS, IMS, DB2, RACF, SNA, Oracle, SAP etc etc is probably running the majority of America's critical business tasks. Did it all get open sourced when I wasn't looking?

Needless to say, Google Docs and Gmail are not open source either....


For fun, to illustrate that it can't be trusted, because what you want to use isn't available for the alternatives. First few reasons that spring to mind.


Since when did anyone trust Windows/Microsoft/closed source software, anyway?

Did I miss anything?



