What risks are you taking by having the R2R Root Certificate installed on your machine?

Discussion in 'Software' started by shaizo, Oct 28, 2023.

Thread Status:
Not open for further replies.
  1. Crinklebumps

    Crinklebumps Audiosexual

    Joined:
    Nov 1, 2017
    Messages:
    983
    Likes Received:
    713
    Location:
    UK
    Aside from the obvious risks of installing the R2R certificate it's also important to consider that the machines that it passes through before being uploaded to audiosex.pro are an opportunity of interception. Therefore it's critical that the admins here remain hypervigilant to communications from unknown sources and attacks on their devices. These days hackers exploit people. I do trust the admins but I have no idea of the level of their expertise. Nor am I questioning it, just making a point.
     
  2. Rain Drum

    Rain Drum Noisemaker

    Joined:
    Jan 14, 2023
    Messages:
    27
    Likes Received:
    6
    May I ask which release included the discussed Root Certificate?
     
  3. iw

    iw Producer

    Joined:
    Sep 24, 2019
    Messages:
    248
    Likes Received:
    103
    Cubase 12
     
  4. nomojo

    nomojo Noisemaker

    Joined:
    Mar 17, 2023
    Messages:
    9
    Likes Received:
    6
    I can't be of any technical help, but pondering the question and in my own circumstances... I'm more likely to unintentionally press the perfect key combination to see screen messages such as, 'File foobared' or 'Contents of Studio drive have been deleted. Press spacebar to begin recording.'
    Just my round-a-bout way of saying it's an excellent question to ask, though if you're an idiot like me, there are bigger concerns nearby.
    Cheers! :D
     
    • Funny x 1
    • Love it! x 1
  5. iw

    iw Producer

    Joined:
    Sep 24, 2019
    Messages:
    248
    Likes Received:
    103
  6. shaizo

    shaizo Noisemaker

    Joined:
    Oct 28, 2023
    Messages:
    11
    Likes Received:
    3
    I made this thread because I couldn't find a concrete answer there.

    It's not for Cubase. I am asked to install the certificate to get the latest Plogue ARIA Engine release.
     
  7. iw

    iw Producer

    Joined:
    Sep 24, 2019
    Messages:
    248
    Likes Received:
    103
    I installed the certificate on March 13, 2022. If you don't trust R2R, better skip it.
     
  8. gzilla

    gzilla Ultrasonic

    Joined:
    Aug 30, 2015
    Messages:
    79
    Likes Received:
    21
    Why risk your PC just for a free app? Skip it if you don't feel safe.
     
  9. ZUK

    ZUK Rock Star

    Joined:
    Aug 24, 2011
    Messages:
    564
    Likes Received:
    351
    R2R can enter your computer and take all the information and sell it. :thumbsup:
    Joking apart. I trust in R2R.
     
  10. twoheart

    twoheart Audiosexual

    Joined:
    Nov 21, 2015
    Messages:
    2,099
    Likes Received:
    1,304
    Location:
    Share many
    If you type CERT in the search bar and click "computer certificates", you can see which root certificates are allowed and to which purposes they are limited.

    If you have the R2R cert installed, you can see that it is only authorized for code signing (apps). This means that R2R can only create certs inside an app using their private key, which can then be installed on your computer by using their trusted root CA.

    Currently, you can install programs under Windows without problems, which are not signed. This can (and will) change in the long run, as Apple has done. So R2R is only planning for the future (when Windows only accepts signed software). Read their readme.

    A problem can only arise if R2R's private key becomes known or R2R wants to install malicious programs. I think both are unlikely.

    But even in these cases, the virus scanner would respond. It does not check whether a program is malicious on the basis of the certification only.

    When in the near future signed apps are the standard ... for example, to remotely control your computer, three criteria would have to be met:
    1. you install the root CA from R2R
    2. you install the program signed by R2R or another vendor with R2R's private key with a backdoor inside.
    3. your virus scanner does not recognize that it is a backdoor.

    Backdoors are easily recognizable by virus scanners because they need several ports and a data transfer mechanism. So they are likely not installed when an a/v is active.

    So, all in all the risk is low. (There is more of a risk with apps signed by using e.g. Let's Encrypt imho. And their cert CAs are ubiquitous in recent years.)

    P.S.: What is a root CA and who used them for an attack (but they were not limited to codesigning but SSL etc)...
    https://en.wikipedia.org/wiki/Root_certificate
     
    Last edited: Oct 30, 2023
    • Winner x 3
    • Like x 1
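
The certificate-store check described in the post above can also be run from PowerShell. This is an added example, not part of the thread: it lists every certificate in the machine and user root stores with the purposes PowerShell's certificate provider reports, and shows which certificate a signed file's chain ends at. The function names and the file path in the usage comment are hypothetical.

```powershell
# Added example: audit trusted roots and their allowed purposes (read-only).
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Get-RootPurposeReport {
    param([string[]]$Store = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'))
    foreach ($path in $Store) {
        foreach ($cert in Get-ChildItem -Path $path) {
            # EnhancedKeyUsageList is added by PowerShell's certificate provider;
            # an empty list means no purpose restriction is reported.
            $eku = @($cert.EnhancedKeyUsageList | Where-Object { $_ })
            [pscustomobject]@{
                Store       = $path
                Subject     = $cert.Subject
                Thumbprint  = $cert.Thumbprint
                NotAfter    = $cert.NotAfter
                Purposes    = if ($eku.Count) { $eku.FriendlyName -join ', ' }
                              else { '<no restriction reported>' }
                # True when the root could vouch for signed code.
                CodeSigning = ($eku.Count -eq 0) -or
                              ($eku.ObjectId -contains $codeSigningOid)
            }
        }
    }
}

function Get-SignerChainEnd {
    param([Parameter(Mandatory)][string]$FilePath)
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    if (-not $sig.SignerCertificate) { return $null }   # unsigned file
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'        # stay offline
    [void]$chain.Build($sig.SignerCertificate)
    # Last element is the root when the chain is complete; otherwise it is
    # the furthest certificate Windows could reach.
    $end = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        File          = $FilePath
        Status        = $sig.Status
        ChainEnd      = $end.Subject
        EndThumbprint = $end.Thumbprint
    }
}

# Usage (the path is a placeholder):
# Get-RootPurposeReport | Where-Object CodeSigning | Format-Table Subject, Thumbprint, Purposes
# Get-SignerChainEnd -FilePath 'C:\Path\To\signed-file.dll'
```

Comparing `EndThumbprint` with the thumbprints from `Get-RootPurposeReport` shows which installed files are trusted only because of a particular root.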
  11. towerdefense

    towerdefense Guest

    I installed it and my computer's background turned into the soviet flag & the russian anthem started blaring on my speakers. Also, all my messages are hijacked to have pro-russian propaganda inserted into them. Never trusting R2R again.

    Glory to the Russian state!
     
    • Funny x 3
    • Love it! x 2
  12. trz303

    trz303 Platinum Record

    Joined:
    Jun 29, 2011
    Messages:
    300
    Likes Received:
    153
    On my side I trust R2R more than Microsoft. R2R never disappoints, I installed it since release and no problem so far.
     
  13. r4e

    r4e Audiosexual

    Joined:
    Sep 6, 2014
    Messages:
    862
    Likes Received:
    1,227
    Btw. V.R installers install a root certificate as well but without telling or asking you.
    You should more worry about that than the R2R certificate.

    But such certificates also have a very good benefit.

    Since Microsoft decided to add some new rules to their general terms and conditions that allows them
    to monitor everything you do and track down every file you store/open using AI (in future builds from October 2023 on),
    certified apps/plugins probably won't be affected. Therefore R2R makes sure that we still can use their releases
    on future versions of Windows (e.g. Windows 12).

    In the most recent Windows 11 build I already found something called "Windows AI Machine Learning API"...
    so I removed it as well as I completely removed Windows Defender as I believe they'll use that piece of crap software
    to scan everything every time. Btw. Windows 11 runs a lot faster without Defender + it takes about a GB less of memory.
    There were also rumors that it then becomes risky to even store "private" photos from your cohabitants on a disk as MS
    could flag them as whatever they want and store information about it on their servers.
     
    • Agree x 3
    • Interesting x 3
  14. Zenarcist

    Zenarcist Audiosexual

    Joined:
    Jan 1, 2012
    Messages:
    4,268
    Likes Received:
    2,737
    Location:
    Planet Earth
    Or you could install Linux on a bootable external USB drive.
     
  15. GeoffreyMcJefferson

    GeoffreyMcJefferson Kapellmeister

    Joined:
    Mar 17, 2023
    Messages:
    94
    Likes Received:
    53
    Who the fuck uses Windows 11 anyway? As soon as the software I use stops supporting Windows 10, I'm gonna move on to Linux and never look back again. Only tech illiterate idiots would voluntarily use Windows 11.
     
  16. iw

    iw Producer

    Joined:
    Sep 24, 2019
    Messages:
    248
    Likes Received:
    103
    @r4e

    I didn't find this... "Windows AI Machine Learning API"... In my Windows 11 Pro 22H2.

    P.S. Could you please explain how it is removed. :)
     
    Last edited: Oct 30, 2023
  17. famouslut

    famouslut Audiosexual

    Joined:
    Dec 31, 2015
    Messages:
    1,421
    Likes Received:
    929
    The three biggest risks from installing an r2r root certificate: using uvi products, accidentally dressing as an anime character, wearing a pointy hat because witchpreciation? (I guess only the first is a risk, technically)
     
  18. freefeet12

    freefeet12 Rock Star

    Joined:
    May 13, 2015
    Messages:
    897
    Likes Received:
    486
    Offline auth if they offer it (all mine do) and/or use alternative plugins/soft. It's not like UAD plugins, for example, are magic or something. IMO they're just really greedy, always have been, and will punish their legit users with exaggerated protection methods that litter their machines just to try and squeeze every last cent they believe they can. It also gives them an air of exclusivity and therefore perceived superiority to some.

    You can also buy a product to support the company and use the fixed version, if available and done right, in your machine. I say fixed because it's sometimes an advantage, memory and speed wise, to do so.
     
  19. capitan crunch

    capitan crunch Producer

    Joined:
    Jul 15, 2023
    Messages:
    246
    Likes Received:
    124
    Location:
    euro dictatorship
    It's a conspiracy and we are all involved.
     
  20. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    7,387
    Likes Received:
    3,254
    It's pretty funny though, that legit users never complain about this at all. And the only people who worry about those legit users' machines are people running the stuff cracked. 99% of the time it's simply an excuse. :bow:

    Do you really need some elaborate reason to justify what you are doing? Maybe you might want to do that in other places, but surely not here. Aren't we all in on the secret by now?
     