This tutorial works on every Windows version from 7 up to 10, so don’t worry if the screenshots look slightly different; the process is the same. Why remove or block certificates at all? To reduce the risk of interception, traffic redirection and other attacks that rely on a mis-issued or rogue certificate that your machine trusts.
Why should you remove or mess manually with certificates?
Windows users of Internet Explorer, Edge or Chrome, or of any program that relies on the Microsoft certificate store (Firefox ships its own root store and only consults the Windows store when that option is enabled), can be exposed to mis-issued or ‘fake’ certificates used for man-in-the-middle attacks, particularly when using the Internet from within Iran, Thailand, Syria,…
One of the simplest ways of mitigating this is to actively distrust specific root certificates.
The certificate weaknesses are:
- MD2, MD5 and SHA-1 signature algorithms are deprecated. MD5 collisions are cheap and were used in 2008 to forge a rogue CA certificate; SHA-1 collisions have been demonstrated since 2017. Note that a self-signed root’s own signature is never checked when trust is decided (trust comes from the store it sits in), so the practical concern is a CA that still issues SHA-1- or MD5-signed intermediates and server certificates, which current browsers reject anyway.
- Listed entities (Thawte, Symantec/VeriSign and Equifax) have had widely reported problems. Symantec’s CA business, which by then included Thawte and GeoTrust (the operator of the Equifax-named roots), mis-issued certificates and was distrusted by the major browsers in 2017 and 2018. The 2017 Equifax breach, by contrast, was a breach of the credit bureau’s own systems, not a compromise of the root certificates that carry its name.
- A root that is not on Microsoft’s Trusted Root Program list (the set that certutil -syncWithWU downloads) has no business on a corporate or personal computer unless you installed it yourself on purpose, for example an internal enterprise CA.
- A CA that an attacker controls, or that mis-issues, lets the attacker impersonate any site or sign malicious code so that it appears legitimate; antivirus and other security software that rely on trusted signatures will not flag it, and the end user sees no warning.
The most widely cited example is Equifax.
Why can’t I remove all certificates?
Because any site or program whose chain ends in a blocked certificate will then produce a certificate warning whenever that certificate is used, and the connection is refused unless you explicitly accept it.
The goal is to find all certificates you don’t need and block them; which ones you need depends on your location and the sites you use, so you have to test this yourself. Keep in mind that Windows does not ship every root up front: the Automatic Root Certificates Update mechanism downloads a root from Windows Update the first time a chain needs it and installs it into the Third-Party Root Certification Authorities store, so a root you merely deleted can reappear. A certificate placed in the Untrusted Certificates (Disallowed) store stays blocked regardless. That is why blocking is better than removing.
There are two methods of disabling a certificate: via the Windows desktop (MMC) or via the command line.
Removing the Certificate via the Windows Desktop
Open the Microsoft Management Console (press Windows Key + R and type mmc), choose File > Add/Remove Snap-in, and add the Certificates snap-in for the Computer account (Local computer) to get the machine-wide store. Alternatively call a store directly: certmgr.msc opens the current user’s store, and on Windows 8 and later certlm.msc opens the local machine store.
Simply deleting a root from Trusted Root Certification Authorities does not block it: automatic root update can download and reinstall it. To block it, expand Untrusted Certificates > Certificates, right-click, choose All Tasks > Import, and import the certificate (a .crt exported from the root store, or one of the files downloaded with certutil -syncwithwu as described below).
Removing the Certificate via the Command Line
- Open an elevated Command Prompt [Press Windows Key + R, type cmd, then press Ctrl+Shift+Enter] so that the changes land in the machine-wide store.
- Download the current root set and the disallowed-certificate list from Windows Update into a folder (certutil writes each root as <SHA-1 thumbprint>.crt), type the following into the Command Prompt window:
certutil -syncwithwu %temp%
- Have Windows build a chain for each downloaded root; this lets automatic root update install any root Microsoft still trusts that is not cached yet (it writes nothing to the Disallowed store). The "delims=" option keeps paths with spaces intact; inside a batch file write %%i instead of %i:
for /f "delims=" %i in ('dir /s /b "%temp%\*.crt"') do certutil -verify "%i"
- Text will start scrolling up in the Command Prompt window, and it takes a couple of minutes to return to the prompt.
- Add the certificate you want to block to the Disallowed (Untrusted Certificates) store, using its SHA-1 thumbprint as the file name. certutil -addstore writes to the local machine store and needs the elevated prompt; add -user to block it for the current user only. Afterwards certutil -store Disallowed lists what is blocked:
certutil -addstore DISALLOWED %temp%\66F2DCFB3F814DDEE9B3206F11DEFE1BFBDFE132.crt
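The same procedure as a PowerShell script, added here as an example and not part of the original tutorial: it syncs the root set from Windows Update, looks up one root by thumbprint, puts it into the machine-wide Disallowed store through the .NET X509Store API instead of certutil -addstore, and then builds a chain for it to confirm that Windows now reports it as explicitly distrusted. The thumbprint reuses the tutorial’s example value; the folder name and the numeric fallback for the status flag are assumptions (older .NET versions print the raw enum value). Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original tutorial): block one root by SHA-1 thumbprint
# and confirm Windows rejects it. Run elevated; writes to the LocalMachine store.
$Thumbprint = '66F2DCFB3F814DDEE9B3206F11DEFE1BFBDFE132'   # the tutorial's example value
$Sync = Join-Path $env:TEMP 'wu-roots'                       # assumed folder name
New-Item -ItemType Directory -Force -Path $Sync | Out-Null

# 1. Pull Microsoft's current root set (and the disallowed list) from Windows Update.
#    Each root is written as <SHA-1 thumbprint>.crt, so a root can be found by name.
certutil -syncWithWU $Sync | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -syncWithWU failed (exit code $LASTEXITCODE)" }
$CrtFile = Join-Path $Sync "$Thumbprint.crt"
if (-not (Test-Path $CrtFile)) {
    throw "No root with thumbprint $Thumbprint in the Windows Update set; check the hash."
}

# 2. Load the certificate and see whether it is already blocked.
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CrtFile
$Already = Get-ChildItem Cert:\LocalMachine\Disallowed | Where-Object { $_.Thumbprint -eq $Cert.Thumbprint }
if ($Already) {
    Write-Host "Already in Untrusted Certificates: $($Cert.Subject)"
} else {
    # 3. Add it to the machine-wide Disallowed (Untrusted Certificates) store. This is what
    #    blocks it; deleting it from Trusted Root only lasts until automatic root update
    #    fetches it again.
    $Store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Disallowed', 'LocalMachine'
    $Store.Open('ReadWrite')
    $Store.Add($Cert)
    $Store.Close()
    Write-Host "Blocked: $($Cert.Subject) ($($Cert.Thumbprint))"
}

# 4. Prove it: build a chain for the root itself. A root in Disallowed comes back with the
#    ExplicitDistrust status regardless of what Trusted Root holds.
$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$Chain.ChainPolicy.RevocationMode = 'NoCheck'     # offline check; only trust status matters here
$null = $Chain.Build($Cert)
$Statuses = @($Chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
if ($Statuses -contains 'ExplicitDistrust' -or $Statuses -contains '67108864') {
    Write-Host "Chain status: $($Statuses -join ', ')  -> blocked as intended"
} elseif ($Statuses.Count -gt 0) {
    Write-Host "Chain status: $($Statuses -join ', ')  -> rejected, but not flagged as explicit distrust"
} else {
    Write-Warning "Chain built without errors; the root is still trusted. Re-check the store and the thumbprint."
}
```

The chain check at the end is the part worth keeping: after any manual change to the stores, building a chain is the only reliable way to see what Windows will actually do with a certificate, because the Trusted Root, Third-Party Root and Disallowed stores are all consulted together.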
How do I find bad certificates?
There are two methods: search the Internet manually, or use RCC, a small utility that scans the Windows and Mozilla certificate stores for unknown or suspicious roots and lists them.
How do I search for the specific hash to find the certificates more quickly?
Searching by hash lets you look up the checksums (reported by RCC, for example) or find the certificate on the Internet directly, and you can filter the results however you like. My advice is to block all invalid certificates, the expired ones, and the ones you do not need, so that other authorities cannot be used to sniff your traffic.
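As an added example, and not part of the original tutorial or of RCC, the following PowerShell script does the first pass of that search locally: it compares every root in the machine and user root stores against the set certutil -syncwithwu downloads from Windows Update, and reports roots that are missing from Microsoft’s set, signed with MD2/MD5/SHA-1, or expired, together with whether each one is already in an Untrusted Certificates store. The folder name and the list of algorithm names it treats as weak are assumptions. It is read-only and needs no elevation.

```powershell
# Added example (not from the original tutorial or from RCC): audit the Windows root stores.
# Read-only. Assumes certutil.exe is present (it is on Windows 7 and later).
$Sync = Join-Path $env:TEMP 'wu-roots'                    # assumed folder name
New-Item -ItemType Directory -Force -Path $Sync | Out-Null
certutil -syncWithWU $Sync | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -syncWithWU failed (exit code $LASTEXITCODE)" }

# Microsoft's current root set, keyed by the SHA-1 thumbprint certutil uses as file name.
$Microsoft = @{}
Get-ChildItem -Path $Sync -Filter '*.crt' | ForEach-Object {
    $Microsoft[$_.BaseName.ToUpperInvariant()] = $true
}

# Thumbprints already in an Untrusted Certificates store, so findings can be marked as handled.
$Blocked = @{}
foreach ($Path in 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed') {
    Get-ChildItem $Path -ErrorAction SilentlyContinue | ForEach-Object { $Blocked[$_.Thumbprint] = $true }
}

# Signature algorithm names (X509Certificate2.SignatureAlgorithm.FriendlyName) treated as weak.
# Caveat: many legitimate roots, including old Microsoft-shipped ones, are self-signed with
# SHA-1; a root's own signature is never verified, so this flag alone is not a reason to block.
$Weak = 'md2RSA', 'md5RSA', 'sha1RSA', 'sha1DSA', 'sha1ECDSA'
$Now = Get-Date

$Findings = foreach ($Path in 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root') {
    foreach ($C in Get-ChildItem $Path -ErrorAction SilentlyContinue) {
        $Reasons = @()
        if (-not $Microsoft.ContainsKey($C.Thumbprint)) { $Reasons += 'not in Microsoft root set' }
        $Alg = $C.SignatureAlgorithm.FriendlyName
        if ($Weak -contains $Alg) { $Reasons += "weak signature: $Alg" }
        if ($C.NotAfter -lt $Now) { $Reasons += "expired $($C.NotAfter.ToShortDateString())" }
        if ($Reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Store      = $Path
                Subject    = $C.Subject
                Thumbprint = $C.Thumbprint
                Blocked    = $Blocked.ContainsKey($C.Thumbprint)
                Reasons    = ($Reasons -join '; ')
            }
        }
    }
}

$Findings | Sort-Object Blocked, Store | Format-Table Blocked, Store, Thumbprint, Subject, Reasons -AutoSize
```

Treat the output as a worklist, not a verdict: a root that is "not in Microsoft root set" is either something you installed deliberately (an internal CA, a corporate proxy) or something that deserves a closer look, and the thumbprint column is exactly what the certutil -addstore step above needs if you decide to block it.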
It should be mentioned that every browser and Windows itself check their certificates automatically, and that there is a blacklist mechanism that is refreshed regularly; this is not a complete answer, though, because Mozilla, Google or Microsoft first have to decide to remove or block a certificate before it lands on the list. Windows typically checks once every 24 hours for new or newly blocked roots. Some ‘smart’ people disable SmartScreen and block explorer.exe and svchost.exe with a firewall; this is not recommended. SmartScreen has nothing to do with root updates, but the Cryptographic Services (CryptSvc) that perform the automatic root update run inside svchost.exe, so with it blocked the lists never get updated in the background.
Blocking certificates is worthwhile, especially if you care about your privacy. With the tools mentioned it is not hard to keep an eye on your stores from time to time, and it is a lightweight control that does not depend on an antivirus product. The browser and the OS already have mechanisms to block fraudulent certificates, but they do not always work, so check regularly whether unwanted certificates have appeared in your store to make sure nothing has compromised you.