They are transmitted over an unencrypted channel, but the CTL files themselves (... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

geographomics on Aug 30, 2015 | parent | context | favorite | on: Windows Certificate Manager does not display the c...

They are transmitted over an unencrypted channel, but the CTL files themselves (authroot.stl and disallowedcert.stl) are signed by Microsoft so it's fine. Any modification in transit can be detected and presumably will cause them not to be updated.

Animats on Aug 30, 2015 [–]

So an attacker could return an old "disallowedcert.stl" to re-activate a revoked cert?

geographomics on Aug 30, 2015 | [–]

It would be interesting to try. There's a sequence number in the CTL which could prevent this type of attack, but I don't know if it's actually checked against that which is currently stored.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact