RCC - check your system's trusted root certificate store

Could you elaborate on what you mean by that? No signature check of nssckbi.dll being triggered? No sanity checks on cert8.db to detect corruption? Something else?

 

Quite interesting what it has found:

 

svenfaw, any plans to allow checking a non-booted system when run from another active system like WinPE?

 

Known issue:
Make sure that Firefox is closed before running RCC - otherwise it will incorrectly give a clean report all the time. I will address this in the next build.

I can't review and respond to all comments now due to lack of time, but will try to do so later this week.

 

@RJK3:
RE Palemoon: I'll have a look, but it should be feasible! Added to to-do list.
RE hashes: The OP is not editable anymore. This is another reason why I should get my act together and give RCC its own little web page.

@Tarnak: Fixed in next build, thanks for reporting this!

@TheWindBringeth: Yes, I mean that nssckbi.dll can be tampered / patched with malicious root certs and Firefox will still happily load it, whether the digital signature is valid or not. I reported this to Mozilla, but haven't heard back from them so far.

@Adric: I will consider this later, as time permits.

 

Thank you for the clarification. I don't recall a previous report of that particular issue, but other reports and personal experiences were enough to prepare me to not be surprised by this.

A script launched/processed sigcheck -q -e -s -c of the Firefox programs folder adds a trivial delay to Firefox startup on my systems. I haven't yet looked into script driven use of your tool, but I intend to

 

Cheers

 

Just wondering, what are some other tools out there that scan root certificates for malicious items? Which of the big boys (BitDefender, McAfee, Symantec, etc) do it?

 

• OK, I could finally update the SHA256 hash in the OP
• Build 157 is the first build with ASLR and DEP enabled.

 

I am not sure what you mean... As mentioned previously, I had run it on my XP system, but I don't think I was supposed to.

Are, you saying it is OK, now... I can run this?

 

No, sorry, XP is not currently supported. What I did is fix the inconsistent behavior.

 

RCC [build 161] has been updated to remove CNNIC from its internal signature DB, following Google's announcement and strong clues that Mozilla and MS are about to follow suit.

http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html

 

That is what I thought...Thanks for the clarification.

 

ghacks review....

http://www.ghacks.net/2015/04/05/scan-your-windows-computer-for-untrusted-root-certificates/

 

Windows Club review...Pleased to see this very useful utility is getting noticed!

http://www.thewindowsclub.com/rcc-scan-windows-root-certificates-scanner

 

Thanks, I wasn't aware of that second review.

I'd like to work on a few more features to make it more powerful, but lack of time and resources might delay things for a while.

 

Balance is better than burnout

Not to encourage the latter, but in case you haven't yet come across it: https://sslbl.abuse.ch/blacklist/. A link itman kindly shared in another thread.

Edit: I've come to question whether any of those are fingerprints you'd expect to see when scanning the certificate stores.

 

I wasn't aware of this, thanks.
However these are regular server certificates (not root).
But if they somehow get forcefully added to the trusted root store (even though it wouldn't make much sense) RCC would still detect them.

 

Svenfaw, great useful app you've made. Thanks.

360TS flagged on it, but I've trusted it. My certificates are clean. Thanks and keep up the good work !

 

A general question, is it correct that this tool still works correctly, even when PowerShell.exe is blocked from executing?

 

Thanks for your feedback, always appreciated! Once a final release is ready, I will report the false positive to Qihoo.

 

Yes, at this time the PowerShell dependency is needed, to get an exhaustive list of system-level trusted root certificates.
It is not used to scan the Firefox store, though.

 

Here's a quick recap of the upcoming feature (wish)list, as it is currently. I'm not saying everything will be implemented, though - that will be heavily dependent on how much more time I can afford to spend on this. Perhaps I should consider turning it into a paid product, to make development sustainable.

• Graphical user interface
• Support for portable Firefox
• Support for Palemoon
• Support for Java cert store
• Automatic signature updates
• Multiple security baselines
• Support for custom signature lists
• Remove PowerShell dependency
• Resident/guard mode
• Information panel
• Recommended action
• Support for Windows XP

Comments / suggestions welcome!

 

Nice little tool!

I don't see any reason to support XP any longer.

Maybe you can add the following to the todo list:
* Release the source on GitHub
* Cyberfox support (already seems to work but it shows Firefox instead of the correct name)
* Ability to store/backup/export the current state and add an import function
* Blacklist should be check against the list if there is already a suspect certificate installed
* Autostart/Scheduler option (command list option) to e.g. check daily/weekly/... if there are updates available
* Re-scan option after an update/new/old certificates are removed
* Donation function/option via a small button (about?) to continue the project
* Re-write the logic that it first detect if any of the Browsers/Java/.. is running instead of run the program and show a failure while xyz is currently running ....

Thanks, keep up your good work.

 

Why ?

XP is always installed on the majority of my computers !