Major security flaw in Sennheiser headphone software

It comes to implanting a root certificate on the host OS in first place. Something it should be prohibited by the OS. And, again, I see a workaround on the Microsoft side instead of addressing source of the issue.
 
Last edited:
Article is being very vague. Like for instance not saying why these certificates are vulnerable when most browsers come bundled with some certificates they install as well.
 
Article is being very vague. Like for instance not saying why these certificates are vulnerable when most browsers come bundled with some certificates they install as well.
What browser installs a root cert?

And its not the certs,it's the how its implemented that opens it up to possible abuse
 
Agreed. I should highlight a "root certificate" in my initial post, doing now.
 
What browser installs a root cert?

And its not the certs,it's the how its implemented that opens it up to possible abuse
Root certificate is the central certificate that validates all other certificates right? And the answer is practically all of them. It can't work without it.
 
And the answer is practically all of them. It can't work without it.
No
You are somewhat confused
In fact
You are very very confused

Root certificates,in the case of Windows,is included in the OS/loaded with windows updates/manually installed unfortunately
There are not a great many of these,because they are the first line and are the top level of a certificate chain. Root certs are trusted above all,as they can sign Intermediate certs and lower
These certificates are inherently trusted by browsers,it's in the trusted store it's legit unless revoked specifically or the browser maker takes steps to ban the certificate itself (Symantec vs world anyone?)
Browsers don't just willy nilly add root certificates

To quote the wikipedia
The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. For example, some of the most well-known root certificates are distributed in operating systems by their manufacturers. Microsoft distributes root certificates belonging to members of the Microsoft Root Certificate Program to Windows desktops and Windows Phone 8.[2] Apple distributes root certificates belonging to members of its own root program.

Arbitrarily adding your own signing certificate to Root means it becomes trusted for the machine,but since this is not a publicly tracked or verified certificate it can't be verified and trusted the same manner,or revoked. If some bad agents used this certificate to sign their website/software it would then appear legitimate to the browser,and could be used to intercept/replace/sniff traffic to a site of their choice

To add to this,the browser makers probably had to ban this specific thumbprint now(which requires a software update to apply) rather than just Revoking the certificate using the higher level CA Certificate revocation lists
 
No
You are somewhat confused
In fact
You are very very confused

Root certificates,in the case of Windows,is included in the OS/loaded with windows updates/manually installed unfortunately
There are not a great many of these,because they are the first line and are the top level of a certificate chain. Root certs are trusted above all,as they can sign Intermediate certs and lower
These certificates are inherently trusted by browsers,it's in the trusted store it's legit unless revoked specifically or the browser maker takes steps to ban the certificate itself (Symantec vs world anyone?)
Browsers don't just willy nilly add root certificates

To quote the wikipedia


Arbitrarily adding your own signing certificate to Root means it becomes trusted for the machine,but since this is not a publicly tracked or verified certificate it can't be verified and trusted the same manner,or revoked. If some bad agents used this certificate to sign their website/software it would then appear legitimate to the browser,and could be used to intercept/replace/sniff traffic to a site of their choice

To add to this,the browser makers probably had to ban this specific thumbprint now(which requires a software update to apply) rather than just Revoking the certificate using the higher level CA Certificate revocation lists
Ok then that makes sense. Didn't know it was about machine certificates and not the ones the browser use that comes with it.
 
Top
Sign up to the MyBroadband newsletter
X