Security Issue: Trusted Root CA Certificate Installation (#276)

Reported by user: d34d10cc
Date: June 8, 2024

Context
- Launcher version: Not applicable
- Operating system: Windows
- Antivirus/Firewall: Not specified
- Wine/Mono version: Not applicable

Issue Summary
The launcher installs a custom Root CA certificate named "Carbon Crew" into the trust store of users' machines. This certificate is used for Authenticode verification, i.e. to check the signatures of automatically downloaded launcher executables.

Security Concerns
Installing a custom Root CA certificate into the OS trust store has serious security implications:
- Users become vulnerable to man-in-the-middle (MITM) attacks: anyone with access to the private key of this CA could sign fake certificates that the OS would accept, and thereby intercept encrypted communications.
- The certificate carries an unnecessarily broad and inappropriate list of key usage extensions, many of which are unknown or unrelated to the certificate's stated purpose (signing launcher executables).
- The installation of this certificate is not adequately communicated or transparently disclosed to users; a mention in the README is insufficient.

Full List of Key Usages in the Certificate
- Server Authentication (1.3.6.1.5.5.7.3.1)
- Client Authentication (1.3.6.1.5.5.7.3.2)
- Code Signing (1.3.6.1.5.5.7.3.3)
- Secure Email (1.3.6.1.5.5.7.3.4)
- Time Stamping (1.3.6.1.5.5.7.3.8)
- Several unknown key usages (e.g. 1.3.6.1.4.1.311.2.1.21, 1.3.6.1.4.1.311.10.3.3, etc.)
- Microsoft Trust List Signing (1.3.6.1.4.1.311.10.3.1)
- Encrypting File System
- File Recovery
- IP Security end system, tunnel termination, user, IKE intermediate
- Smart Card Logon
- OCSP Signing
- KDC Authentication
- among others

How the Certificate is Used
The certificate is installed so that signatures on launcher executables can be verified. The launcher downloads the certificate from a hardcoded URL (http://crl.carboncrew.org). The security of this hosting is a concern as well: the certificate is fetched over plain HTTP, with insufficient safeguards on its integrity.
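The two checks a defender would want after reading the above are (a) is a root with this subject present in the Windows Root stores, and what is it trusted for beyond code signing, and (b) which root does a given launcher binary's Authenticode signature actually chain to. The following PowerShell is an added example written for this page; it is not code from the issue or from the launcher project. The subject text "Carbon Crew" and the OIDs come from the issue; the expected-EKU allow-list (Code Signing only), the function names and the file path in the usage line are this example's assumptions.

```powershell
# Added example (not code from the issue or the launcher project): audit the Windows Root
# stores for a CA matching a subject pattern, report every EKU beyond what a code-signing-only
# root needs, and show which root a signed file chains to.

# Friendly names for the OIDs the issue lists; anything else is reported by its own name/OID.
$KnownEku = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.5.5.7.3.3'      = 'Code Signing'
    '1.3.6.1.5.5.7.3.4'      = 'Secure Email'
    '1.3.6.1.5.5.7.3.8'      = 'Time Stamping'
    '1.3.6.1.4.1.311.10.3.1' = 'Microsoft Trust List Signing'
}

function Get-ExcessEku {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [string[]] $Expected = @('1.3.6.1.5.5.7.3.3')   # assumption: a launcher-signing root needs Code Signing only
    )
    # EnhancedKeyUsageList is a script property PowerShell adds to X509Certificate2 objects.
    $ekus = @($Certificate.EnhancedKeyUsageList)
    if ($ekus.Count -eq 0) {
        # Caveat: a CA with no EKU extension is not constrained at all; Windows treats it as valid for every purpose.
        return [pscustomobject]@{ Oid = '(none)'; Name = 'No EKU extension: valid for ALL purposes' }
    }
    foreach ($eku in $ekus) {
        if ($Expected -notcontains $eku.ObjectId) {
            $name = if ($KnownEku.ContainsKey($eku.ObjectId)) { $KnownEku[$eku.ObjectId] } else { $eku.FriendlyName }
            [pscustomobject]@{ Oid = $eku.ObjectId; Name = $name }
        }
    }
}

function Find-CustomRootCa {
    param([string] $SubjectPattern = 'Carbon Crew')
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | Where-Object { $_.Subject -like "*$SubjectPattern*" } | ForEach-Object {
            $excess = @(Get-ExcessEku -Certificate $_)
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                ExcessEku  = ($excess | ForEach-Object { "$($_.Name) [$($_.Oid)]" }) -join '; '
            }
        }
    }
}

function Get-SignatureRoot {
    # Which root does this file's Authenticode chain terminate in? A binary signed with a
    # publisher certificate shows a public root; one signed under the custom CA shows "Carbon Crew".
    param([Parameter(Mandatory)] [string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Root = $null; RootThumbprint = $null }
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{ Path = $Path; Status = $sig.Status; Root = $root.Subject; RootThumbprint = $root.Thumbprint }
}

# Usage:
Find-CustomRootCa | Format-List
# Get-SignatureRoot -Path 'C:\path\to\launcher.exe'   # placeholder path
```

Run it in a normal (non-elevated) shell; reading the Root stores needs no privileges. An empty result from Find-CustomRootCa means the root is not installed for either the machine or the current user; a non-empty ExcessEku column is the concrete form of the "unnecessarily broad key usage" concern above, and the no-EKU case is called out separately because it is worse than a long list, not better.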
Potential Security Threat
If the private keys were compromised, malicious actors could sign fraudulent certificates for any service and intercept user communications. The lack of transparency about this functionality violates standard security principles.

Suggested Remediation Options

1. Obtain an official code signing certificate
   - Example: Certum offers open-source certificates at reasonable cost.
   - Requires yearly renewal and public exposure of the maintainer's personal details.
   - May be undesired for cost or privacy reasons.

2. Use sigstore or similar modern signing infrastructure
   - Sigstore is a free, transparent code-signing solution.
   - Integration specifics were not fully detailed by the reporter.

3. Replace the current verification with μthenticode or similar
   - μthenticode verifies signatures and hash validity in PE files without relying on the Windows trust store.
   - Avoids installing a CA certificate on user machines.
   - Verification is done on the fly using the downloaded certificates.

4. Remove the code signature verification functionality entirely
   - Currently the updater executable is downloaded without signature verification, which calls the security benefit of the scheme into question.
   - The launcher uses GitHub releases, yet inexplicably there are no signature checks for the updater.

5. Install the CA certificate and immediately remove it after use
   - This would reduce exposure by not leaving the CA installed permanently.
   - Requires re-downloading the certificate every time the launcher verifies signatures.
   - Offers some risk mitigation given the project's open-source transparency.

Final Notes
The reporter seeks clarification if any part of the above assessment misunderstands the design or intentions. The practice of installing a trusted Root CA without user consultation or clear communication is deemed a significant security breach. The reporter calls for at least transparent
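Remediation option 5 ("install, verify, remove") only reduces risk if the removal is guaranteed and if the certificate fetched over HTTP is checked before it ever touches the trust store. The PowerShell below is an added example for this page, not code from the issue or the launcher project, showing that option as one guarded step: a pinned SHA-256 check on the downloaded CA file (the issue notes that integrity safeguards are missing today), installation, Authenticode verification, and removal in a finally block. It assumes the CA file has already been downloaded to a local path (the issue names http://crl.carboncrew.org as the source), that the launcher ships a known-good hash, and that the shell is elevated, since writing to Cert:\LocalMachine\Root requires it; the hash value and paths in the usage line are placeholders.

```powershell
# Added example (not code from the issue or the launcher project): the "install, verify,
# remove" remediation as a single guarded step, with an integrity check first and a
# guaranteed cleanup. Needs an elevated shell to modify Cert:\LocalMachine\Root.

function Test-LauncherSignatureWithTransientRoot {
    param(
        [Parameter(Mandatory)] [string] $ExecutablePath,
        [Parameter(Mandatory)] [string] $CaCertPath,
        [Parameter(Mandatory)] [string] $PinnedSha256   # placeholder: the known-good hash shipped with the launcher
    )
    # 1. Integrity check before anything touches the trust store. A file fetched over plain HTTP
    #    must match the hash compiled into the launcher, or it is not installed at all.
    $actual = (Get-FileHash -Path $CaCertPath -Algorithm SHA256).Hash
    if ($actual -ne $PinnedSha256.ToUpperInvariant()) {
        throw "CA certificate hash mismatch: expected $PinnedSha256, got $actual"
    }

    # 2. Edge case: if this root is already trusted (e.g. left behind by an older launcher
    #    build), the cleanup below must not remove something we did not add.
    $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCertPath)
    $storePath = "Cert:\LocalMachine\Root\$($caCert.Thumbprint)"
    $alreadyTrusted = Test-Path -Path $storePath

    try {
        if (-not $alreadyTrusted) {
            # Import-Certificate (PKI module) returns the X509Certificate2 it added.
            $null = Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'
        }
        # 3. Status is 'Valid' only if the chain terminates in a root the store trusts at this moment.
        $sig = Get-AuthenticodeSignature -FilePath $ExecutablePath
        [pscustomobject]@{
            Path             = $ExecutablePath
            Status           = $sig.Status
            Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Valid            = ($sig.Status -eq 'Valid')
            RootWasPreexisting = $alreadyTrusted
        }
    }
    finally {
        # 4. Runs even if verification throws, so the root never stays behind on the machine.
        if (-not $alreadyTrusted) {
            Remove-Item -Path $storePath -ErrorAction SilentlyContinue
        }
    }
}

# Usage (paths and hash are placeholders):
# Test-LauncherSignatureWithTransientRoot -ExecutablePath 'C:\launcher\updater.exe' `
#     -CaCertPath "$env:TEMP\carboncrew-ca.cer" -PinnedSha256 '<PINNED_SHA256_PLACEHOLDER>'
```

Two caveats follow directly from the issue text. First, for the duration of the call the root is fully trusted with whatever EKUs it carries, so the transient approach narrows the window but does not remove the objection to the broad key usage list; a root restricted to Code Signing would make that window far less sensitive. Second, a RootWasPreexisting value of True is itself a finding: it means an earlier install left the CA in place permanently, which is exactly the situation option 5 is meant to avoid.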