Default Trusted Root Certificates Should Not Be Trusted

Have you ever opened a new toy and immediately started dissecting all the configuration settings and the software that is trusted or installed by default? If so, you might be a nerd, but you may also have noticed the rather long list of root certificates from certificate authorities you have never heard of. Consider what is publicly known: the NSA is known to have put backdoors in commercial software, China forces organizations to comply with state intervention, supply chain risk is the top topic at the water cooler, and more than one certificate authority has been compromised badly enough to be put out of business. Why would you trust something you know nothing about? Sure, there are certificates on your phone that are clearly marked with the names of government agencies, but what about the less obvious ones? How do you vet the certificate authorities you are trusting, and how do you know that no malicious trust has been granted, either by default or after the system was built and deployed?

A root certificate is a statement that anything chaining to it is genuine. If a root you did not vet is trusted for code signing, a binary signed under it installs and runs without a warning; if it is trusted for server authentication, a certificate issued under it lets an attacker intercept any TLS session that is not pinned, or stand up a convincing endpoint of their own, such as an encrypted proxy in front of a command-and-control server. Not keeping tabs on which certificate authorities are trusted therefore leaves a giant hole in the side of your security. Two things make the inventory harder than it looks: the operating system store is not the only one (browsers, Java runtimes and other applications often ship their own), and on some platforms roots are added silently by automatic updates, so a one-time review is not enough.

My advice: take inventory of the certificates your enterprise is trusting, fingerprint each root and record what purposes it is trusted for, scrutinize anomalies, alert on newly added trusts, and then start reviewing what trust has been widely deployed. Default trusted root certificates should not be trusted just because your vendor said they are trusted.
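As an added example (this is not code from the original post), the following Python script does the inventory-and-alert loop described above against the root store that Python's ssl module loads on the host: it identifies each root by the SHA-256 fingerprint of its DER encoding, compares the set against a baseline file recorded on an earlier, reviewed run, and prints an alert line for every root that appeared or disappeared. The baseline path and the sample bundle are assumptions; the sample bundle wraps placeholder bytes rather than real X.509 certificates, purely to exercise the PEM parsing and the diff logic offline.

```python
"""Inventory the roots this host trusts and alert on changes against a baseline.

Added example for this post, not code from the original page. Assumptions:
the baseline is a JSON list of SHA-256 fingerprints you reviewed earlier
(the path below is hypothetical), and the live inventory is whatever CA store
Python's ssl module loads by default on this host. Python 3.8+, stdlib only.
"""
import base64
import hashlib
import json
import re
import ssl
from pathlib import Path

BASELINE_PATH = Path("trusted-roots-baseline.json")  # hypothetical location

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding: the stable identity used for allowlists."""
    return hashlib.sha256(der).hexdigest()


def load_pem_bundle(text: str) -> list:
    """Split a PEM bundle (e.g. a ca-certificates.crt file) into DER blobs."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def system_roots() -> dict:
    """Map fingerprint -> display name for the roots the default ssl context trusts.

    Both get_ca_certs() calls walk the same store in the same order, which is
    what lets the DER form and the parsed form be paired up by position.
    """
    ctx = ssl.create_default_context()  # loads the platform's default CA store
    ders = ctx.get_ca_certs(binary_form=True)
    infos = ctx.get_ca_certs()
    roots = {}
    for der, info in zip(ders, infos):
        subject = {k: v for rdn in info.get("subject", ()) for (k, v) in rdn}
        name = subject.get("commonName") or subject.get("organizationName") or "<no CN>"
        roots[fingerprint(der)] = name
    return roots


def diff_inventory(baseline: set, current: dict):
    """Return (added, removed): roots not in the baseline, and baseline roots gone."""
    added = {fp: name for fp, name in current.items() if fp not in baseline}
    removed = sorted(baseline - set(current))
    return added, removed


def alerts(added: dict, removed: list) -> list:
    """Render alert lines; an empty list means the store matches the baseline."""
    lines = [f"ALERT new root trusted: {name} sha256={fp}" for fp, name in sorted(added.items())]
    lines += [f"ALERT baseline root missing: sha256={fp}" for fp in removed]
    return lines


def _pem(der: bytes) -> str:
    """Wrap bytes as a PEM certificate block (used only to build sample input)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample bundle: the bodies are placeholder bytes, not real X.509
# certificates, which is enough to exercise parsing, fingerprinting and diffing.
SAMPLE_BUNDLE = _pem(b"constructed-root-A") + _pem(b"constructed-root-B")


def main() -> None:
    current = system_roots()
    if not BASELINE_PATH.exists():
        # First run: record what is trusted today so later runs can diff against it.
        BASELINE_PATH.write_text(json.dumps(sorted(current)))
        print(f"baseline written with {len(current)} roots; review it before trusting it")
        return
    baseline = set(json.loads(BASELINE_PATH.read_text()))
    for line in alerts(*diff_inventory(baseline, current)):
        print(line)


if __name__ == "__main__":
    main()
```

The store Python sees is only one of the stores on a machine, so the same fingerprint comparison should be run against each application store you care about (browser stores, Java keystores, and so on) and the alert lines fed to whatever your SIEM ingests; the fingerprint printed here matches what `openssl x509 -noout -fingerprint -sha256` reports for the same certificate, which makes manual cross-checking easy. The first run writes the baseline rather than trusting it, because a baseline captured from an unreviewed machine is exactly the default trust the post warns about.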