Could merely visiting a web site push a root CA as trusted onto my PC?

security windows trusted-root-certificates

This is a follow-up question to this other question, which is about Google decision to start distrusting a specific Symantec Root CA certificate. Microsoft on another hand has not made (yet) any decision about that Root CA certificate and it is still present on my Windows 7 machine.

Update: Here's a picture of the Root CA certificate from my machine. The Thumbprint here is the same as the MD2 Version Fingerprint (SHA-1) on the Root CA certificate published by Google in their blog post:

74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2

Root CA Cert that Google plans not to trust

Let's say that I delete the certificate from my PC but then later on I browse (using, say, IE v.11) to some website that identifies itself using that certificate.

Can the simple act of browsing to that site cause the certificate to be pushed to my "Trusted Root CA" certs?


Absolutely. As this root certificate is part of the Windows Trust List, the mere act of browsing to such a site (even as a non-admin user) would cause the certificate to be automatically and silently added to your machine trust store. See this blog post for more info and a test site: http://hexatomium.github.io/2015/08/29/why-is-windows/

Related

Edit a truetype font
Why do some of my devices show up twice on my routers DHCP list?
Can DRM-free Kindle books still be read on the Kindle app for PC?
How can I use Windows Firewall to only permit the Windows Update service to make an outbound connection?
Is it true that strongly-password-protected PDF can be cracked?
Connect a wireless LAN to a WAN wirelessly
How can I both pipe and display output in Windows' command line?
Choosing a Linux distribution
Take ownership of entire drive?
Desktop app for wiki like markdown/markups?
Make Excel open some hyperlinks with non-default browser
Check if PC has sufficient power for all components