Review of 'RootIQ', free software that trims the overly long list of root certificates trusted by Windows and improves security
Many people have seen warnings such as 'This website may not be safe' when surfing the internet with a browser. One of the reasons the warning is displayed is that 'the website uses an untrusted certificate', but which certificates are trusted depends on the platform and device. With RootIQ, free software for Windows, you can easily reduce the number of trusted certificates and improve the security of Windows, which trusts a large number of certificates by default.
You don't need all those root certificates – – Writeups and random thoughts.
As a mechanism for websites on the Internet to prove their legitimacy, it is common to have a certificate authority issue an SSL certificate and to have the client verify the site based on that certificate. However, this method depends not only on the legitimacy of the website but also on the legitimacy of the certificate authority that issued the certificate. A chain in which a higher-level certificate authority issues a certificate to prove the validity of the certificate authority below it is called a 'trust chain', and the root certificate is located at the top of this chain.
Root certificates are issued by the world's leading and trusted certificate authorities and government agencies. The OS or browser trusts these root certificates in advance, and if following the chain of certificates finally arrives at one of those trusted root certificates, the validity of the whole chain is guaranteed.
Hexatoms, who provides information on cybersecurity, points out that the root certificate 'has a great deal of power over the Internet.' The more root certificates you trust on your device, the more websites and services you consider legitimate, so limiting the number of root certificates makes sense from a security standpoint.
The number of trusted certificates varies by platform and device, and at the time of writing, Windows trusts 332 root certificates by default. Mozilla, the developer of Firefox, is more stringent and lists 142 root certificates as 'trusted certificates'. Google is even stricter, and only 127 root certificates are included in its list.
RootIQ is software that hexatoms developed because disabling root certificates one by one to improve security is troublesome. RootIQ makes it easy to choose which certificates to trust based on a root certificate list. RootIQ is published for free and can be downloaded from the 'Download' button on the download page.
Extract the downloaded ZIP file with decompression software.
Click 'RootIQ.exe' in the unzipped folder to start RootIQ.
First, click 'Analyze' to analyze the root certificate that the OS currently trusts.
When the analysis is complete, the number of root certificates trusted by the OS will be displayed. Initially, the Windows default of 332 root certificates is trusted.
Select the type of root certificate list to limit the number of trusted root certificates. This time, select 'Mozilla-trusted root (2020q4)' and click 'Select'.
The root certificates included in the list are selected.
Click 'Invert selection' to invert the selected item. Certificates that are 'not included' in the list are now selected.
Right-click again and select 'Distrust' to invalidate the certificate.
A confirmation pop-up will appear, so click 'Yes'.
Certificates that are not on the list are no longer trusted.
Then select the certificate again with the 'Select' button and click 'Trust'.
Click 'Yes' and you're all set.
When I accessed a website with a root certificate that was revoked by RootIQ, I was unable to access it with a 'certificate revocation' error. By applying a strict root certificate list, you can prevent access to suspicious websites and increase security.
In addition, RootIQ does not apply the root certificate list as it is: it properly excludes certificates that are not included in the list but are necessary for Windows communication, so there is no risk that OS communication will fail.
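The 'Select' and 'Invert selection' steps above can be rehearsed as a read-only dry run before anything is distrusted. The following is an added example, not RootIQ's code or hexatoms' method: it compares SHA-256 fingerprints of the roots in a store against a root list and reports the ones that are not on the list. The function names, the PEM bundle as the list format and the caller-supplied 'required' set (standing in for the Windows-necessary roots mentioned above) are assumptions, and the sample certificates are constructed byte strings.

```python
import base64
import hashlib
import ssl
import sys

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes; identifies a certificate regardless of its display name."""
    return hashlib.sha256(der).hexdigest().upper()

def allowlist_from_pem(pem_text: str) -> set:
    """Fingerprints of every certificate in a PEM bundle (the chosen root list)."""
    prints = set()
    for chunk in pem_text.split(BEGIN)[1:]:
        body = chunk.split(END)[0]
        prints.add(fingerprint(base64.b64decode("".join(body.split()))))
    return prints

def plan_distrust(store_ders, allowlist, required=frozenset()):
    """Dry run of 'Select' + 'Invert selection': roots in the store that are
    neither on the allowlist nor in the caller-supplied required set."""
    store = {fingerprint(der) for der in store_ders}
    return sorted(store - set(allowlist) - set(required))

def windows_roots():
    """DER bytes of the roots Windows currently trusts (Windows-only API)."""
    return [der for der, enc, _trust in ssl.enum_certificates("ROOT")
            if enc == "x509_asn"]

def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (used here to build the sample bundle)."""
    return f"{BEGIN}\n{base64.encodebytes(der).decode()}{END}\n"

# Constructed sample: opaque byte strings stand in for DER certificates.
SAMPLE_STORE = [b"constructed-root-A", b"constructed-root-B",
                b"constructed-root-C", b"constructed-os-root"]
SAMPLE_BUNDLE = to_pem(b"constructed-root-A") + to_pem(b"constructed-root-C")
SAMPLE_REQUIRED = {fingerprint(b"constructed-os-root")}

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.platform == "win32":
        with open(sys.argv[1], encoding="utf-8") as fh:  # PEM bundle of the chosen list
            store, allow, required = windows_roots(), allowlist_from_pem(fh.read()), set()
    else:  # no bundle given, or not on Windows: use the constructed sample
        store, allow, required = SAMPLE_STORE, allowlist_from_pem(SAMPLE_BUNDLE), SAMPLE_REQUIRED
    plan = plan_distrust(store, allow, required)
    print(f"{len(store)} roots in store, {len(plan)} not on the list:")
    for fp in plan:
        print("  ", fp)
```

The script only reads the store and prints the difference; it changes no trust settings.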
Posted by darkhorse_log