Big Sur beta installer security concern

Questions and answers about 3Dconnexion devices on macOS.

Moderator: Moderators

Post Reply
mjaustin2
Posts: 1
Joined: Wed Jun 16, 2021 11:13 am

Big Sur beta installer security concern

Post by mjaustin2 »

While installing the Big Sur beta drivers I was prompted to change my System Certificate trust settings. After the install, I investigated my keychain and discovered that the installer had inserted a new trusted CA cert. This is big security no-no as it breaks the chain of trust in the certificate and signing system.

Making matters worse, the certificate appears to be self-signed and generated at install time. This opens up the question of where the CA private key is on the system. If that private key is on the system, it could be used by malware to sign malicious binaries that will then automatically become trusted by the OS. This would allow silent exploitation of the computer.

Can someone explain to me why the software requires the installation of such a sensitive trusted CA cert? Also why such an insecure cert and one that is valid for 2 years? Is that how long the beta is expected to last?

Here is the prompt that I was given during install
Cert1.jpg
Cert1.jpg (80.85 KiB) Viewed 2902 times

Here is the certificate that was generated at install. I have disabled trust on mine
Cert2.jpg
Cert2.jpg (161.27 KiB) Viewed 2902 times
ngomes
Moderator
Moderator
Posts: 3318
Joined: Mon Nov 27, 2006 7:22 am
Contact:

Re: Big Sur beta installer security concern

Post by ngomes »

mjaustin2 wrote: Wed Jun 16, 2021 11:56 am While installing the Big Sur beta drivers I was prompted to change my System Certificate trust settings. After the install, I investigated my keychain and discovered that the installer had inserted a new trusted CA cert. This is big security no-no as it breaks the chain of trust in the certificate and signing system.
We're quite aware of the implications of adding a CA certificate to the security store. 3Dconnexion has issued a statement here on why the root CA certificate is required and what measures are in place to ensure the system integrity is not compromised.

A link to the statement web page is included in the certificate (see the policy qualifier section found immediately below where you took the screenshot).
Making matters worse, the certificate appears to be self-signed and generated at install time. This opens up the question of where the CA private key is on the system.
The CA private key is generated and discarded during the installation process. In other words, the private key is not stored anywhere.
Can someone explain to me why the software requires the installation of such a sensitive trusted CA cert?
As noted in the statement linked above, a digital certificate is required to support web programs. We go into more detail in the statement. The certificate (there's only one) signed by the root certificate is limited to the loopback adapter range on a specific IP address (127.51.68.120). This address is unreachable from external connections. Only software already running on the computer (like a web browser and the driver) can connect over the loopback adapter.
Also why such an insecure cert and one that is valid for 2 years? Is that how long the beta is expected to last?
Two years is the expected time for customers to update the driver (the certificates are re-created on a driver update or reinstallation).

3Dconnexion has included this solution in 3DxWare 10 for macOS since 2016.
Nuno Gomes
Post Reply