Game launcher installs Root CA certificate on your machine
3 days ago
- #certificate
- #security
- #launcher
- The launcher installs a custom Root CA certificate for Authenticode verification of downloaded executables.
- Installing the 'Carbon Crew' CA certificate as a trusted Root CA exposes users to potential man-in-the-middle (MITM) attacks on encrypted communications, because a root trusted by the operating system is trusted for every purpose its key usage allows, not only for verifying the launcher's downloads.
- The certificate includes an unnecessarily broad list of key usage IDs, raising security concerns.
- The feature lacks transparent communication, with only a brief mention in the repository README.
- Suggested remediations include obtaining a legitimate code signing certificate, using sigstore, integrating μthenticode, or removing signature verification entirely.
- The current verification process has security gaps, such as not verifying the launcher updater executable.
- The CA certificate is hosted on an insecure HTTP endpoint, further compounding security risks.
- A temporary solution could involve installing the CA certificate only for the duration of the verification and removing it immediately afterwards.
- The practice of adding a trusted Root CA without user consent breaches security principles and requires immediate attention.
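The points above are about what a launcher-installed root does to the trust store of the machine, so the useful check for a user or administrator is to find out whether such a root is present and what it is trusted for. The following audit script is an added example and is not part of the original post or of the launcher's repository. It assumes Windows PowerShell 5.1 or later with the `Cert:` drive, and it uses the subject filter `*Carbon Crew*` only because that is the CA name the post reports; the `-Remove` switch and the `$SubjectPattern` parameter are this script's own names.

```powershell
# Added audit script (not from the original post). Assumes Windows PowerShell 5.1+
# and the Cert: drive. The default subject filter is the CA name reported in the post;
# pass -SubjectPattern to look for any other unexpected root.
param(
    [string]$SubjectPattern = '*Carbon Crew*',
    [switch]$Remove
)

# Both the machine-wide and the per-user Root stores hold trust anchors. A launcher
# running without elevation can normally write only to CurrentUser\Root, so check both.
$stores = @{
    'LocalMachine\Root' = 'Cert:\LocalMachine\Root'
    'CurrentUser\Root'  = 'Cert:\CurrentUser\Root'
}

$hits = 0
foreach ($storeName in $stores.Keys) {
    $certs = Get-ChildItem -Path $stores[$storeName] -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $SubjectPattern }

    foreach ($cert in $certs) {
        $hits++

        # Enhanced Key Usage (EKU) is what decides which purposes the OS accepts this
        # root for. A root used only for Authenticode needs 1.3.6.1.5.5.7.3.3 (Code
        # Signing); entries such as 1.3.6.1.5.5.7.3.1 (Server Authentication) are the
        # "unnecessarily broad" usage the post describes. No EKU extension at all means
        # the root is accepted for every purpose.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuList = @()
        foreach ($ext in $ekuExt) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                $ekuList += "$($oid.FriendlyName) ($($oid.Value))"
            }
        }

        [pscustomobject]@{
            Store      = $storeName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            EKU        = if ($ekuList.Count -gt 0) { $ekuList -join '; ' } else { '<none: valid for all purposes>' }
        } | Format-List

        if ($Remove) {
            # Removing from LocalMachine\Root needs an elevated session; -Confirm
            # prompts before each deletion so a typo in the pattern is not fatal.
            Remove-Item -Path $cert.PSPath -Confirm
        }
    }
}

if ($hits -eq 0) {
    Write-Host "No root certificate matching '$SubjectPattern' was found in LocalMachine\Root or CurrentUser\Root."
}
```

Run it without switches first to see what is installed and which EKUs the root carries; an EKU list that includes Server Authentication, or no EKU extension at all, is the condition under which the post's MITM concern applies. Only after reviewing the output should `-Remove` be used, and only if the launcher's own signature verification is no longer needed, since the launcher's downloaded executables will fail its check once the root is gone.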