Why False Web Certificates Are Dangerous and How to Get Rid of Them

In recent years there have been more and more scandals involving fake web certificates preinstalled on consumer PCs, such as Lenovo's Superfish or Dell's eDellRoot. They jeopardize system security, exposing data to interception attacks and to online tracking.

The idea of a web certificate, or root certificate, may seem a complex concept, but it now counts among the online threats that Internet users must be aware of. The problem is that until a scandal breaks and a vendor recommends uninstalling a program, most of us have no idea that we ever had a problem, not least because antivirus and anti-malware programs do not flag fake or dangerous root certificates.

After Superfish and eDellRoot became well-known threats, attention to the problem increased significantly. The good part is that Microsoft responded: its Sysinternals team added an option to the Sigcheck utility that compares every root certificate installed on the system against the list of roots Microsoft approves (its Certificate Trust List). It is worth running on brand-new, out-of-the-box laptops as well as on old systems: Superfish shipped on Lenovo PCs from day one, and months passed before anyone uncovered the threat.

How to check if you have Superfish-like certificates installed on your computer

The tool you need works exclusively from the command line and is part of the Sysinternals suite. It is named Sigcheck, and the version with the certificate check has been available since the first week of 2016. To download it for free from the Microsoft website, go to this link and click "Download Sigcheck" at the top of the page. Then open the zip archive you downloaded and extract sigcheck.exe (or sigcheck64.exe on 64-bit Windows). You can put it on your desktop or in My Documents.

  • Open the folder where sigcheck.exe is located, hold down the Shift key, right-click on the white space (as shown in the capture above), and from the context menu choose "Open command window here".


  • Now you have a Command Prompt window with a black background. Here, type sigcheck -tv and press Enter. On the first run Sigcheck asks you to accept its licence; adding -accepteula to the command skips that dialog.

Sigcheck command line

  • Wait a few moments while Sigcheck downloads Microsoft's Certificate Trust List and compares it with the root certificates installed in the machine-wide store. Any certificate that does not chain to a root on that list is printed below the command. Superfish, for example, should show up on a Lenovo system that has never been updated. If nothing is found, Sigcheck prints "No certificates found". Note that -tv checks only the machine store; run sigcheck -tuv as well to check the current user's store, since a program can install its root there too.
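The procedure above, scripted for repeatable use, as an added example that is not part of the original article. It runs Sigcheck against both certificate stores and then cross-checks them with PowerShell's own Cert: drive, which needs no download and shows one thing Sigcheck's list does not spell out: whether a root certificate's private key is sitting on the PC, the defining trait of the Superfish and eDellRoot installations. It assumes sigcheck.exe or sigcheck64.exe is in the current directory; no certificate names or thumbprints are assumed.

```powershell
# Added example (not from the original article): run Sigcheck against both
# certificate stores, then cross-check with PowerShell's Cert: drive.
# Assumes sigcheck.exe / sigcheck64.exe was extracted into the current directory.

$sigcheck = if (Test-Path '.\sigcheck64.exe') { '.\sigcheck64.exe' } else { '.\sigcheck.exe' }

# -accepteula suppresses the first-run licence dialog, -nobanner the version header.
# -tv checks the machine store (Sigcheck's default), -tuv the current user's store.
# Sigcheck downloads Microsoft's trusted root list and prints only certificates
# that do NOT chain to a root on that list.
Write-Host '== Machine store: roots not in the Microsoft trust list =='
& $sigcheck -accepteula -nobanner -tv
Write-Host '== Current-user store: roots not in the Microsoft trust list =='
& $sigcheck -accepteula -nobanner -tuv

# Offline cross-check: list every trusted root in both stores and flag the
# tell-tale of a Superfish/eDellRoot-style installation, a root CA certificate
# whose PRIVATE KEY is present on this machine. A genuine public CA never ships
# its signing key to end-user PCs; anyone holding that key can mint a
# certificate for any website and this PC will trust it.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
Get-ChildItem -Path $stores |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey, PSParentPath |
    Sort-Object HasPrivateKey -Descending |
    Format-Table -AutoSize

# Anything with HasPrivateKey = True deserves a search on its Subject and
# Thumbprint before you decide what to do with it.
```

Run it from an elevated PowerShell prompt so the machine store is fully readable. The Sigcheck output is the authoritative comparison against Microsoft's list; the Cert: listing is there so you can match the subject names Sigcheck prints to thumbprints, and to catch a root with a bundled private key even if it happens to chain to a trusted list.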

How to get rid of a dangerous web certificate such as Superfish

In most cases, the certificates Sigcheck lists will not have very suggestive names, so you will not be able to identify their source easily. The most effective option is to search on Google for the subject name of each suspicious certificate the scan reported. Keep in mind that not every certificate on the list is malicious: corporate IT departments and some antivirus products install their own root certificates, and Sigcheck reports those too simply because they are not on Microsoft's list.

The temptation is to remove them manually. Unfortunately, that is not the best solution, because as long as the program that created the certificate is still installed it may simply put the certificate back. The better approach is to track down the application behind the problem and remove it. In the Control Panel, look for "Uninstall a program" (category view) or "Programs and Features" (icon view).

Problems arise when certificates such as Lenovo Superfish or Dell eDellRoot are anchored more deeply in the operating system, for example when a background service re-creates them, and additional steps are needed to remove them.

When everything else has failed, you can remove the fake root certificates manually. For this purpose, use the Windows certificate management console.

  • Type certificates into the Start menu and choose "Manage computer certificates" from the results. A shortcut is to press Windows key + R and type certlm.msc followed by Enter (Windows 8.1 and later; administrator rights are required). Note that certmgr.msc opens the current user's store, not the computer's, and Superfish-style certificates are normally installed in the computer store. On older Windows versions, run mmc.exe, add the Certificates snap-in via File > Add/Remove Snap-in, and choose "Computer account".

Manage computer certificates

  • After a few seconds a window like the one above pops up. Expand "Trusted Root Certification Authorities" and click "Certificates".

installed web certificates

  • In this list, look carefully for the name of the certificate identified by Sigcheck, and double-click it to compare the thumbprint on the Details tab with the one Sigcheck printed. Right-click it and choose Delete.

Take great care not to delete something important from this list accidentally. Most certificates here are trust anchors the operating system and browsers rely on, and removing one can cause more problems than it fixes. Read the name of the selected certificate two or three times, and check that its thumbprint matches the one Sigcheck reported, before deleting it from the list.
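The removal procedure above, scripted so that the thumbprint check is enforced rather than done by eye, as an added example that is not part of the original article. It first searches the registry's uninstall entries for the program that owns the certificate, because deleting the certificate while that program is installed only buys time, then deletes the certificate from both root stores by thumbprint with a confirmation prompt. $Thumbprint and $ProgramPattern are placeholders you supply from the Sigcheck output and your own research; no real values are assumed.

```powershell
# Added example (not from the original article): remove a rogue root certificate by
# thumbprint after locating the program that installed it. Run from an elevated
# PowerShell. $Thumbprint and $ProgramPattern are placeholders, not article values.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,   # the SHA-1 thumbprint Sigcheck printed
    [string] $ProgramPattern = '*'                   # e.g. '*Superfish*'; '*' lists everything
)
# Normalise the thumbprint: strip spaces/colons that GUIs insert, use upper case.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# 1. Find the installer that owns the certificate. Both 64-bit and 32-bit
#    uninstall hives are checked. Uninstall it from this list (or from
#    Control Panel) before deleting the certificate, or it may come back.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Write-Host "== Installed programs matching '$ProgramPattern' =="
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $ProgramPattern -and $_.UninstallString } |
    Select-Object DisplayName, Publisher, UninstallString |
    Format-Table -AutoSize

# 2. Locate the certificate in both root stores and show it before touching it.
$paths = "Cert:\LocalMachine\Root\$Thumbprint", "Cert:\CurrentUser\Root\$Thumbprint"
$found = $paths | Where-Object { Test-Path $_ } | ForEach-Object { Get-Item $_ }
if (-not $found) {
    throw "No root certificate with thumbprint $Thumbprint in either store; nothing deleted."
}
$found | Select-Object PSPath, Subject, Issuer, NotAfter, HasPrivateKey | Format-List

# 3. Delete, one store at a time, with a confirmation prompt for each.
#    -DeleteKey also wipes the bundled private key, the part an attacker could
#    reuse to forge certificates even after the public certificate is gone.
foreach ($cert in $found) {
    Remove-Item -Path $cert.PSPath -DeleteKey -Confirm
}

# 4. Verify: the same paths must no longer resolve.
$remaining = $paths | Where-Object { Test-Path $_ }
if ($remaining) { Write-Warning "Still present: $($remaining -join ', ')" }
else            { Write-Host "Thumbprint $Thumbprint removed from all root stores." }
```

Because the certificate is addressed by thumbprint rather than by display name, the script cannot delete a look-alike Microsoft or public CA root that merely shares a name; Remove-Item's -Confirm prompt still gives you a last look at the exact store path before anything is removed.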

Is there a straightforward solution?

As noted above, no mainstream antivirus currently removes rogue root certificates. Even Microsoft, which publishes Sigcheck, has yet to invest the time and resources to turn it into a user-friendly tool. Realistically, many PC owners try to stay away from the Command Prompt whatever the problem. For the time being, Sigcheck is the best solution. Chances are good that Windows Defender will in future be updated to remove rogue root certificates. Until then, follow this tutorial carefully.
