Major security flaw in Sennheiser headphone software

sajunky

Honorary Master
Joined
Nov 1, 2010
Messages
13,125
#2
It comes to implanting a root certificate on the host OS in first place. Something it should be prohibited by the OS. And, again, I see a workaround on the Microsoft side instead of addressing source of the issue.
 
Last edited:

Swa

Honorary Master
Joined
May 4, 2012
Messages
19,322
#3
Article is being very vague. Like for instance not saying why these certificates are vulnerable when most browsers come bundled with some certificates they install as well.
 

PsyWulf

Executive Member
Joined
Nov 22, 2006
Messages
8,365
#4
Article is being very vague. Like for instance not saying why these certificates are vulnerable when most browsers come bundled with some certificates they install as well.
What browser installs a root cert?

And its not the certs,it's the how its implemented that opens it up to possible abuse
 

Swa

Honorary Master
Joined
May 4, 2012
Messages
19,322
#6
What browser installs a root cert?

And its not the certs,it's the how its implemented that opens it up to possible abuse
Root certificate is the central certificate that validates all other certificates right? And the answer is practically all of them. It can't work without it.
 

PsyWulf

Executive Member
Joined
Nov 22, 2006
Messages
8,365
#7
And the answer is practically all of them. It can't work without it.
No
You are somewhat confused
In fact
You are very very confused

Root certificates,in the case of Windows,is included in the OS/loaded with windows updates/manually installed unfortunately
There are not a great many of these,because they are the first line and are the top level of a certificate chain. Root certs are trusted above all,as they can sign Intermediate certs and lower
These certificates are inherently trusted by browsers,it's in the trusted store it's legit unless revoked specifically or the browser maker takes steps to ban the certificate itself (Symantec vs world anyone?)
Browsers don't just willy nilly add root certificates

To quote the wikipedia
The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. For example, some of the most well-known root certificates are distributed in operating systems by their manufacturers. Microsoft distributes root certificates belonging to members of the Microsoft Root Certificate Program to Windows desktops and Windows Phone 8.[2] Apple distributes root certificates belonging to members of its own root program.
Arbitrarily adding your own signing certificate to Root means it becomes trusted for the machine,but since this is not a publicly tracked or verified certificate it can't be verified and trusted the same manner,or revoked. If some bad agents used this certificate to sign their website/software it would then appear legitimate to the browser,and could be used to intercept/replace/sniff traffic to a site of their choice

To add to this,the browser makers probably had to ban this specific thumbprint now(which requires a software update to apply) rather than just Revoking the certificate using the higher level CA Certificate revocation lists
 

Swa

Honorary Master
Joined
May 4, 2012
Messages
19,322
#8
No
You are somewhat confused
In fact
You are very very confused

Root certificates,in the case of Windows,is included in the OS/loaded with windows updates/manually installed unfortunately
There are not a great many of these,because they are the first line and are the top level of a certificate chain. Root certs are trusted above all,as they can sign Intermediate certs and lower
These certificates are inherently trusted by browsers,it's in the trusted store it's legit unless revoked specifically or the browser maker takes steps to ban the certificate itself (Symantec vs world anyone?)
Browsers don't just willy nilly add root certificates

To quote the wikipedia


Arbitrarily adding your own signing certificate to Root means it becomes trusted for the machine,but since this is not a publicly tracked or verified certificate it can't be verified and trusted the same manner,or revoked. If some bad agents used this certificate to sign their website/software it would then appear legitimate to the browser,and could be used to intercept/replace/sniff traffic to a site of their choice

To add to this,the browser makers probably had to ban this specific thumbprint now(which requires a software update to apply) rather than just Revoking the certificate using the higher level CA Certificate revocation lists
Ok then that makes sense. Didn't know it was about machine certificates and not the ones the browser use that comes with it.
 
Top