What risks are you taking by having the R2R Root Certificate installed on your machine?

Discussion in 'Software' started by shaizo, Oct 28, 2023.

Thread Status:
Not open for further replies.
  1. shaizo

    shaizo Noisemaker

    I really can't seem to find a concrete and descriptive answer.

    It's just that... I hesitated to install something in a way I had never done before. It makes sense why it needs that kind of thing to work but still. It says that its "intended" purpose is code signing and code signing only, but I don't think its "power" is limited to only that. Is there any way to make sure that it's only doing code signing?

    Any help or advice is appreciated!
     
  3. shinjiya

    shinjiya Platinum Record

    The risk is that it can be used to sign malware that will have free access to the kernel. As far as I know, that can only happen if R2R decides to distribute malware or the keys fall into a bad actor's hands.
     
  4. Sylenth.Will.Fall

    Sylenth.Will.Fall Audiosexual

    And I would sooner trust my computer in the hands of R2R, than any government anywhere in the world!
     
  5. Trurl

    Trurl Audiosexual

    Me too. BUT. Don't keep sensitive information on your DAW anyway. Just don't. :wink: Be prepared for it to become a brick and cya and life will be good.

    (Who hacks the hackers??)
     
    Last edited: Oct 28, 2023
  6. Sylenth.Will.Fall

    Sylenth.Will.Fall Audiosexual


    Absolutely agree 100%
     
  7. shaizo

    shaizo Noisemaker

    But... it's installed on not only my DAW but my whole PC, right?
     
  8. shaizo

    shaizo Noisemaker

    I'm left with the question: "Are root certificates limited to their intended purposes listed in certmgr.msc?"
     
  9. freefeet12

    freefeet12 Rock Star

    It's good that you're getting informed.

    You can also keep your production machine offline if you're that worried about it.

    You can get another computer plenty powerful enough to go online/download with for super cheap. I've seen them for $50 or less if you really want to save. Another 60 will get you a new 2T USB 3 drive to transfer stuff with.

    Just tossing out ideas.
     
  10. Trurl

    Trurl Audiosexual

    I mean the pc your DAW is on. Get a cheap laptop if you have to, do your banking, taxes, websurfing, whatever on it. Keep passwords on it. A $80 Chromebook can handle that stuff. Keep your warez isolated. And your porn :winker:

    (Edit, didn't see previous post)
     
    Last edited: Oct 28, 2023
  11. Granular

    Granular Noisemaker

    I don't know too much about certificates, but I know that some cert files can be used for Man-in-the-Middle (MITM) attacks, where the cert basically can listen to or manipulate the conversation. This can be basically anything: passwords, files, etc. It is hard to know, and I don't really know of a way to check.

    Edit: For the kernel thing, I wouldn't necessarily say it is bad because of it. User-level malware can do crazy stuff anyway. But getting rid of kernel-level malware might be way harder than a user-level one (for example, they can persist even after a clean install), but they are very rare AFAIK.
     
  12. shaizo

    shaizo Noisemaker

    Yeah, also read about that in this article: https://www.malwarebytes.com/blog/n...shouldnt-trust-a-trusted-root-certificate/amp

    Just don't know if something similar can or can't be done if the certificate is listed only for code signing like the R2R one. Yes or no?
    Of course, in the worst scenario this can be used to sign malware but you have to download and execute that first.

    Edit: In certmgr.msc, are the intended purposes what it is supposed to do, or what it can only do?
     
    Last edited: Oct 28, 2023
  13. shaizo

    shaizo Noisemaker

    Thank you very much for the ideas, but it really doesn't currently suit me + it's inconvenient.
    Appreciate it though :wink:
     
  14. saccamano

    saccamano Audiosexual

    Who really cares? Your production machine DOES NOT BELONG on the internet so it doesn't matter. And no. There is no need for anything to be having to connect anywhere on the net in order to do production work (audio or video). For one thing, having a hot internet connection loading up all sorts of junk constantly in the network stack eats up processor time and system resources that could be better spent on your production. Aside from the fact that if there is any updater junk running in the background, most likely it's undoing all your hard work keeping yourself from being spied upon and/or deleting your app cracks. I have heard peeps on here say that you must be net connected or some production stuff won't work. I say DISCONNECT the net, and either get the scene release of whatever app it is, or if a proper warez'd version is unavailable, shit can it and use something else entirely. One thing you can say for capitalism, there will always be another (or perhaps more than one) app to choose from that does the exact same thing.

    The R2R certificate is probably one of the most docile things you could run. Although I tend to shy away from elaborate, long-way-around type app hacks and stick with simpler ones that are more to the point. Case in point - like the already mentioned R2R/Steiny hack compared to the V.R./Steiny hack. The V.R. steiny solution is much simpler and does the job just as well or better.
     
  15. Granular

    Granular Noisemaker

    I found this in the Microsoft documents under the page "Working with Certificates - WCF":
    Also note the value of the Intended Purposes field of the certificate should include an appropriate value, such as "Server Authentication" or "Client Authentication".

    Looks like Microsoft at least says that you need to have an appropriate purpose for the function of the certificate. But...
    It seems to me that the intended purpose tab is too broad and vague to conclude that. But I think, with not much confidence if I'm being honest, the authentication and code signing should be 2 different things at least.
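
One way to run the check the thread is asking about, as an added example that is not part of any post here: this PowerShell function lists the certificates in the Trusted Root stores together with the OIDs found in each certificate's own Enhanced Key Usage (EKU) extension. The function name, its parameters and the output column names are this example's own; the `-SubjectLike` pattern is a placeholder you supply.

```powershell
# Added example (not from the thread): show what each trusted root's
# Enhanced Key Usage (EKU) extension actually lists.
$EkuNames = @{
    '1.3.6.1.5.5.7.3.1' = 'serverAuth'
    '1.3.6.1.5.5.7.3.2' = 'clientAuth'
    '1.3.6.1.5.5.7.3.3' = 'codeSigning'
    '2.5.29.37.0'       = 'anyExtendedKeyUsage'
}

function Get-RootCertEku {
    param(
        [string]$SubjectLike = '*',   # wildcard match on the certificate subject
        [string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path |
            Where-Object { $_.Subject -like $SubjectLike } |
            ForEach-Object {
                $cert = $_
                # Pick out the EKU extension (OID 2.5.29.37) if the certificate has one.
                $ext = $cert.Extensions | Where-Object {
                    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
                }
                $oids = @()
                if ($ext) { $oids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
                # Translate well-known OIDs to names; leave unknown ones as raw OIDs.
                $names = $oids | ForEach-Object {
                    if ($EkuNames.ContainsKey($_)) { $EkuNames[$_] } else { $_ }
                }
                [pscustomobject]@{
                    Store           = $path
                    Subject         = $cert.Subject
                    Thumbprint      = $cert.Thumbprint
                    NotAfter        = $cert.NotAfter
                    # False means the certificate itself carries no EKU restriction.
                    HasEkuExtension = [bool]$ext
                    Eku             = ($names -join ', ')
                    CodeSigningOnly = ($oids.Count -eq 1 -and $oids[0] -eq '1.3.6.1.5.5.7.3.3')
                }
            }
    }
}

# List every trusted root; to inspect one certificate, pass part of its
# subject instead, e.g. -SubjectLike '*<subject text>*' (placeholder).
Get-RootCertEku | Sort-Object Subject | Format-Table Subject, Eku, CodeSigningOnly -AutoSize
```

The output reports only what is encoded in the certificate's EKU extension; the CurrentUser view also shows machine-wide roots, so some entries appear twice.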
     
  16. Deuterium

    Deuterium Kapellmeister

    In R2R we trust:guru:
     
  17. MdB

    MdB Guest

    idk, crabs maybe ? the flu ? aids ? paranoia ?

    :dunno:
     
  18. shaizo

    shaizo Noisemaker

    After reading that, I very much agree and have the same opinion. Thank you very much for finding this!

    Edit: I'll still try to find the definitive answer to this. If I do, I'll post my findings here.
     
  19. shaizo

    shaizo Noisemaker

    I don't have a "production machine". I have my personal PC which I would like to use to produce music in my spare time.
     
  20. RachProko

    RachProko Producer

    Many audio products today need Internet authentication. So how would you propose to keep your production machine off-line?
     
  21. eXACT_Beats_

    eXACT_Beats_ Audiosexual

    I was going to mention something along those same lines.
    Hot-take? With no evidence whether a certificate is limited to its intended purpose, I'll stand by R2R's reputation and knowledge of 1s & 0s and say that I'd find it difficult to believe that they'd put out anything that could be easily exploited by an outside source.
     