[OffTopic] CSR Harmony Wireless Software Stack injects weak root certificate into trust store
This has nothing to do with Let’s Encrypt, but after another issue I looked a bit closer into my root cert store and I’ve found something interesting.

I was quite surprised when I saw two very suspicious root certificates in my CA store.
These were installed by a Bluetooth driver from CSR. Obviously this
enables interception of HTTPS connections if the private key is found.

Additionally it injected certs into the “trusted publisher store”, which means it can also fake digital signatures.
The worst thing is the certificates themselves - they are 1024-bit RSA
certificates, which are very insecure, so it may be possible to
crack the public key and extract the private key.

More information here: https://pastemarkdown.com/Su5Ch

And here you can see how it injects it:

German (shortened) version is here BTW: https://www.computerguard.de/threads/root-zertifikate-von-csr-harmony-wireless-software-stack-installiert.9803/
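The post describes a vendor installer planting weak (1024-bit RSA) roots into the Windows Root and Trusted Publisher stores. The following audit script is an added example (it is not from the original post, and the CSR driver's certificate names are not known from the page, so it does not match on them): it walks the user and machine Root and TrustedPublisher stores and flags any certificate whose RSA public key is shorter than 2048 bits, or whose private key is present on the machine (a root with a locally available private key is exactly the HTTPS-interception case the post worries about). The 2048-bit threshold and the store list are assumptions chosen for this example; run it from an elevated PowerShell so the LocalMachine stores are readable.

```powershell
# Added audit script, not part of the original post.
# Assumptions: run elevated; 2048-bit RSA is the chosen minimum; store list below.
# Note: a root's own signature algorithm is not checked, because a self-signature
# on a trust anchor is never verified and old roots legitimately use sha1RSA.

$stores = @(
    'Cert:\LocalMachine\Root',
    'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\TrustedPublisher',
    'Cert:\CurrentUser\TrustedPublisher'
)
$minRsaBits = 2048

function Get-RsaKeySize {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # GetRSAPublicKey returns $null for non-RSA (e.g. ECDSA) certificates,
    # so those are simply not scored on key length.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
        if ($rsa) { return $rsa.KeySize }
    } catch { }
    return $null
}

$findings = foreach ($store in $stores) {
    if (-not (Test-Path $store)) { continue }
    foreach ($cert in Get-ChildItem -Path $store) {
        $bits = Get-RsaKeySize -Cert $cert
        $reasons = @()
        if ($bits -and $bits -lt $minRsaBits) { $reasons += "RSA-$bits" }
        # A trust anchor whose private key lives on this box can sign
        # certificates for any site and impersonate any publisher.
        if ($cert.HasPrivateKey) { $reasons += 'private-key-present' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
                Reasons    = ($reasons -join ', ')
            }
        }
    }
}

$findings | Sort-Object Store, Subject | Format-Table -AutoSize
```

Review each hit by thumbprint before acting on it; a flagged entry can be removed with `Remove-Item -Path "Cert:\LocalMachine\Root\<thumbprint>"` (or the matching CurrentUser/TrustedPublisher path), but expect the vendor installer to put it back on the next driver update, so the removal should be paired with an exclusion or a different driver.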