
Windows isn't lying. Microsoft openly lists what certificates Windows includes on their site. The fact the root certificate store on your machine only lists certificates it actually contains is to be expected.

This is just a UI failure.




Yep, they release a periodical PDF with interim updates [1]. Only the most lazy "security researcher" would believe that Windows only trusts two dozen root certificates.

[1]: http://social.technet.microsoft.com/wiki/contents/articles/1...


But there's a difference between looking at the list of root certificates that Microsoft say Windows trusts and looking at the list of root certificates that Windows trusts.


Only if the two lists differ, that would actually be noteworthy. Currently it's just a blatantly clickbait title.


If it changes and you haven't taken the software update yet the lists will differ.


So roots are dynamically fetched and this is the list of previously fetched roots? Or is it a revocation check before first use? Do you have a link?


> So roots are dynamically fetched and this is the list of previously fetched roots?

Precisely. Windows comes with a small number of roots pre-installed. I can't remember which they are, I assume it's probably just Microsoft's own, one of which is presumably used to check roots fetched later. When you browse the web with a browser that uses Windows's certificate store, it'll fetch other roots as needed.

Interestingly, this might be a security benefit. If you'd never visited a site using a revoked root, you never had the root in the first place.
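Added example, not part of any comment in this thread: a read-only PowerShell comparison of the two lists discussed above, the roots Windows Update currently publishes and the roots actually present in the local machine store. It assumes a Windows host that can reach Windows Update; the temp-file name and variable names are arbitrary choices.

```powershell
# Added example (not from the thread). Nothing is imported into any system store.
$sst = Join-Path $env:TEMP 'wu-roots.sst'   # arbitrary scratch file name

# certutil downloads the published trusted-root list as a serialized store (.sst).
certutil.exe -generateSSTFromWU $sst | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Load the .sst into an in-memory collection only.
$published = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
$published.Import($sst)

# Roots currently installed on this machine (AuthRoot holds third-party roots).
$local = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot

$publishedThumbs = @($published | ForEach-Object { $_.Thumbprint } | Sort-Object -Unique)
$localThumbs     = @($local     | ForEach-Object { $_.Thumbprint } | Sort-Object -Unique)

$diff = Compare-Object -ReferenceObject $publishedThumbs `
                       -DifferenceObject $localThumbs -IncludeEqual

# '<=' : published but not installed here (candidates for on-demand fetch)
# '=>' : installed here but not in the published list (locally added or retired roots)
# '==' : present in both
$diff | Group-Object SideIndicator |
    Select-Object @{ n = 'Side'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Local-only roots are the ones worth reviewing by hand.
$localOnly = @($diff | Where-Object SideIndicator -eq '=>' |
               ForEach-Object { $_.InputObject })
$local | Where-Object { $localOnly -contains $_.Thumbprint } |
    Sort-Object Thumbprint -Unique |
    Select-Object Thumbprint, Subject, NotAfter |
    Format-Table -AutoSize

Remove-Item $sst -ErrorAction SilentlyContinue
```

A large `<=` count on a freshly installed machine is consistent with the on-demand behaviour described in the comment above; the `=>` rows are where a defender should look for unexpected local additions.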


When an American company lies, it's only a UI failure.


Why, specifically, American companies? I've encountered countless companies from other countries that lie.



