Blog | G5 Cyber Security

Stop Browsers Adding Root Certificates

TL;DR

Browsers like Chrome, Firefox and Edge can automatically add their own trusted root certificates to your Windows system. This is usually done for features like certificate transparency or managing extensions, but it can be a security risk if malware compromises the browser. Here’s how to control this behaviour.

Solution Guide

  1. Understand the Problem: Browsers maintain their own trust stores (lists of trusted certificates) separate from the Windows root store. They can add new certificates without your explicit permission, potentially weakening your system’s security if a browser is compromised.
  2. Check Current Browser Settings (Chrome):
    • Open Chrome and go to chrome://settings/certificates.
    • Look for the ‘Manage Certificates’ button at the bottom of the page. This opens the Windows Certificate Manager, but it won’t show you certificates *only* added by Chrome.
    • Chrome doesn’t have a direct toggle to disable root certificate addition. The next steps focus on preventing this through Group Policy or registry edits.
  3. Check Current Browser Settings (Firefox):
    • Open Firefox and go to about:config in the address bar. Accept the risk warning!
    • Search for security.root_certs.auto_import.
    • If it’s set to true, double-click it to change it to false. This prevents Firefox from automatically adding root certificates.
  4. Check Current Browser Settings (Edge):
    • Open Edge and go to edge://settings/certificates.
    • Similar to Chrome, this opens the Windows Certificate Manager but doesn’t show browser-specific certificates.
    • Like Chrome, control is best achieved via Group Policy or registry edits (see below).
  5. Using Group Policy (Recommended for Pro/Enterprise Editions):
    • Press Win + R, type gpedit.msc and press Enter to open the Local Group Policy Editor.
    • Navigate to: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Certificate Services (Note: This applies settings to all browsers using the underlying Windows certificate store).
    • Double-click ‘Do not allow trusted root certificates from non-Microsoft sources’.
    • Select ‘Enabled’ and click ‘Apply’, then ‘OK’. Warning: this will prevent *all* non-Microsoft root certificates being added, which may break some websites. Use with caution!
  6. Using the Registry (Advanced Users Only):
    • Press Win + R, type regedit and press Enter to open the Registry Editor.
    • Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\CertificateServices. If the keys don’t exist, you may need to create them.
    • Create a new DWORD (32-bit) Value named DisableRootAutoUpdate and set its value to 1. This prevents automatic updates of root certificates from Microsoft’s CRLs. It doesn’t stop browsers adding their own, but it limits the Windows store changes.
    • Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main.
    • Create a new DWORD (32-bit) Value named WarnOnRootCertificateAddition and set its value to 1. This will show a warning when any root certificate is added, giving you a chance to cancel it.
  7. Monitor Certificate Changes:
    • Open the Windows Certificate Manager (search for ‘Manage computer certificates’).
    • Expand ‘Trusted Root Certification Authorities’ and check for unexpected or unknown certificates.
    • Regularly review the list, especially after browser updates.
  8. Consider a Cybersecurity Solution: A good cybersecurity suite will often monitor certificate changes and alert you to suspicious activity.
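To make the review in step 7 repeatable rather than a manual scan of the Certificate Manager, the PowerShell script below (an added example, not part of the original post or any vendor tool) snapshots the Trusted Root stores, saves a baseline on first run, and on later runs reports any root that was not in the baseline. It covers both the machine store and the current-user store, since the latter can be written by a process that does not hold administrator rights; the baseline file path is an assumption.

```powershell
# Added example: detect trusted root certificates added since a saved baseline.
# Run once to create the baseline (review it by hand), then re-run after browser
# updates or on a schedule. The baseline location below is an assumed path.
$BaselinePath = "$env:ProgramData\RootStoreBaseline.json"
$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Get-RootStoreSnapshot {
    # The thumbprint uniquely identifies a certificate; keep store, subject and
    # issuer alongside it so a new entry can be judged without opening the MMC.
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
            }
        }
    }
}

$current = @(Get-RootStoreSnapshot)

if (-not (Test-Path $BaselinePath)) {
    # First run: persist the current list as the known-good state.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) roots). Review it manually."
    return
}

# Index the baseline by store + thumbprint for a fast membership check.
$baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
$known = @{}
foreach ($entry in $baseline) { $known["$($entry.Store)|$($entry.Thumbprint)"] = $true }

# Anything present now but absent from the baseline is a newly added root.
$added = $current | Where-Object { -not $known.ContainsKey("$($_.Store)|$($_.Thumbprint)") }

if ($added) {
    Write-Warning "New trusted root certificate(s) detected since baseline:"
    $added | Format-Table Store, Subject, Issuer, Thumbprint -AutoSize
} else {
    Write-Host "No new trusted roots since baseline."
}
```

Once a reported root has been checked and accepted, delete the baseline file and re-run the script to record the new known-good state.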