While installing the Big Sur beta drivers I was prompted to change my System Certificate trust settings. After the install, I investigated my keychain and discovered that the installer had inserted a new trusted CA cert. This is a big security no-no as it breaks the chain of trust in the certificate and signing system.
Making matters worse, the certificate appears to be self-signed and generated at install time. This opens up the question of where the CA private key is on the system. If that private key is on the system, it could be used by malware to sign malicious binaries that will then automatically become trusted by the OS. This would allow silent exploitation of the computer.
Can someone explain to me why the software requires the installation of such a sensitive trusted CA cert? Also why such an insecure cert and one that is valid for 2 years? Is that how long the beta is expected to last?
Here is the prompt that I was given during install.
Here is the certificate that was generated at install. I have disabled trust on mine.
Big Sur beta installer security concern
Re: Big Sur beta installer security concern
mjaustin2 wrote: ↑Wed Jun 16, 2021 11:56 am
"While installing the Big Sur beta drivers I was prompted to change my System Certificate trust settings. After the install, I investigated my keychain and discovered that the installer had inserted a new trusted CA cert. This is a big security no-no as it breaks the chain of trust in the certificate and signing system."
We're quite aware of the implications of adding a CA certificate to the security store. 3Dconnexion has issued a statement here on why the root CA certificate is required and what measures are in place to ensure the system integrity is not compromised.
A link to the statement web page is included in the certificate (see the policy qualifier section found immediately below where you took the screenshot).
"Making matters worse, the certificate appears to be self-signed and generated at install time. This opens up the question of where the CA private key is on the system."
The CA private key is generated and discarded during the installation process. In other words, the private key is not stored anywhere.
"Can someone explain to me why the software requires the installation of such a sensitive trusted CA cert?"
As noted in the statement linked above, a digital certificate is required to support web programs. We go into more detail in the statement. The certificate (there's only one) signed by the root certificate is limited to the loopback adapter range on a specific IP address (127.51.68.120). This address is unreachable from external connections. Only software already running on the computer (like a web browser and the driver) can connect over the loopback adapter.
"Also why such an insecure cert and one that is valid for 2 years? Is that how long the beta is expected to last?"
Two years is the expected time for customers to update the driver (the certificates are re-created on a driver update or reinstallation).
3Dconnexion has included this solution in 3DxWare 10 for macOS since 2016.
Nuno Gomes
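The loopback restriction described in the reply above can be checked independently from the text that `openssl x509 -noout -text` prints for the leaf certificate. The following is an added example, not part of either post and not 3Dconnexion code; the sample certificate text is constructed and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: trimmed `openssl x509 -noout -text` output for a
# hypothetical leaf certificate. It is not taken from the real installer.
SAMPLE_LEAF = """\
        Issuer: CN = Example Local Root CA
        Validity
            Not Before: Jun 16 00:00:00 2021 GMT
            Not After : Jun 16 00:00:00 2023 GMT
        Subject: CN = 127.51.68.120
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                IP Address:127.51.68.120
"""

def field(text, name):
    """Return the value of a top-level 'Name: value' line, or None."""
    m = re.search(rf"^\s*{name}\s*:\s*(.+)$", text, re.M)
    return m.group(1).strip() if m else None

def san_entries(text):
    """Return (kind, value) pairs from the Subject Alternative Name line."""
    m = re.search(r"Subject Alternative Name:.*\n\s*(.+)", text)
    if not m:
        return []
    return [tuple(p.strip().split(":", 1)) for p in m.group(1).split(",")]

def audit_leaf(text):
    """Return findings; an empty list means a loopback-only, non-CA leaf."""
    findings = []
    if "CA:TRUE" in text:
        findings.append("certificate can act as a CA")
    if field(text, "Issuer") == field(text, "Subject"):
        findings.append("self-signed")
    sans = san_entries(text)
    if not sans:
        findings.append("no subjectAltName")
    for kind, value in sans:
        if kind != "IP Address":
            # Policy choice for this example: a DNS name can resolve anywhere.
            findings.append(f"non-IP SAN: {kind}:{value}")
        elif not ipaddress.ip_address(value).is_loopback:
            findings.append(f"non-loopback IP SAN: {value}")
    return findings

if __name__ == "__main__":
    print(audit_leaf(SAMPLE_LEAF) or "leaf is limited to loopback addresses")
```

Running the same function on the root certificate's text is expected to report it as a self-signed CA, which is why the leaf check alone does not settle the question about the root's private key.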