8 Replies. Latest reply: Jul 7, 2011 8:45 AM by 873850

why change cacerts password?

873850 Newbie
Hello everybody,

I have read in numerous manuals on the 'net that system administrators should change the password of the "cacerts" file after installation of the JRE. I am a bit confused as to why this must be done, or rather, why that file needs to be password-protected at all. Here's my rationale:

My valuable private keys are stored in my own keystore file. This keystore is, of course, password-protected and accessible only to the users that need it.

I'm not going to modify the cacerts file, only my own keystore (e.g. import trusted certificates).

The cacerts file contains only certificates, no private keys. The certificates are the default ones, i.e. those of publicly known CAs. No attacker would gain any valuable information from reading the cacerts file.

To modify the cacerts file, an attacker would have to gain root privileges first, since the permissions on the cacerts file demand that (this is the default on Ubuntu).

On the other hand, why should an attacker that has already gained root privileges bother inserting a rogue certificate into the cacerts file? He might as well set up his own keystore, with a password of his choice, and configure software to use that. Or just tamper with the system in any other way that root privileges allow, including file system scans and keyloggers to gain knowledge of the password to my own keystore and extract my private keys, which seems far worse to me.
  • 1. Re: why change cacerts password?
    EJP Guru
    The attacker won't gain anything from reading the file, but he will gain something from being able to modify the file. And the password is only required when modifying the file. If you supply it when reading, all that happens is an extra verification step.

    The cacerts file contains public certificates of the certificate signers you are prepared to trust. If you don't care who you trust, don't change the password. But in that case why have a cacerts file at all, and why use SSL at all?
  • 2. Re: why change cacerts password?
    873850 Newbie
    Thank you for your reply.
    EJP wrote:
    > The cacerts file contains public certificates of the certificate signers you are prepared to trust. If you don't care who you trust, don't change the password. But in that case why have a cacerts file at all, and why use SSL at all?
    As I explained above, I certainly do not want attackers to be able to insert rogue certificates into the cacerts file. I understand that such an insertion would cause my software to accept the rogue certificate as trusted and be susceptible to man-in-the-middle attacks or spoofing.

    However, I fail to see how an attacker could manage to modify the cacerts file (which is, after all, owned by the root user and has permissions set to rw-r--r--) without at the same time being able to cause much greater damage, such as

    - executing arbitrary commands as root and running his own software
    - creating his own keystore containing rogue certificates and reconfiguring software to use that keystore instead of my own
    - copying my own keystore as well as running keyloggers and disk scanning programs to obtain my keystore password, thus obtaining my private keys.
  • 3. Re: why change cacerts password?
    sabre150 Expert
    > However, I fail to see how an attacker could manage to modify the cacerts file (which is, after all, owned by the root user and has permissions set to rw-r--r--) without at the same time being able to cause much greater damage,
    If your attacker was just being malicious then fair enough. I have backups of all my important stuff to cover this case. I am more worried about the attacker who is not malicious but is trying to get hold of my identity or money. Adding a rogue certificate to your cacerts will certainly help the attacker with this aim. Of course if the attacker can replace the cacerts file then you still have a problem!
  • 4. Re: why change cacerts password?
    873850 Newbie
    > If your attacker was just being malicious then fair enough. I have backups of all my important stuff to cover this case.
    Same for me, so this is not a problem here.
    > I am more worried about the attacker who is not malicious but is trying to get hold of my identity or money. Adding a rogue certificate to your cacerts will certainly help the attacker with this aim. Of course if the attacker can replace the cacerts file then you still have a problem!
    I agree that an attacker who is able to replace the cacerts file poses a serious problem. That is actually my point: any attacker who has gained the privileges needed to alter the cacerts file, and thus to make use of the fact that I left the default password, is able to steal my private keys without altering that file.

    Hence my logic that the password protection of the cacerts file does not provide any additional security. Is that correct?

    (I am asking because of the "manuals" on the 'net which just tell me to alter the password without giving an in-depth explanation, and I think that not knowing what is actually going on is a bad premise for system security)
  • 5. Re: why change cacerts password?
    sabre150 Expert
    > Hence my logic that the password protection of the cacerts file does not provide any additional security. Is that correct?
    Maybe it does not provide any additional security but does it reduce the security? If it doesn't reduce the security then what's the harm?

    > (I am asking because of the "manuals" on the 'net which just tell me to alter the password without giving an in-depth explanation, and I think that not knowing what is actually going on is a bad premise for system security)
    Maybe the writers of the manuals are not sure of the benefit of changing the password so are just protecting their backsides. Also, there are a lot of not so expert security experts pontificating on security matters. Who me? No - I pontificate on any subject (witness this thread) but have never said I am a security expert!
  • 6. Re: why change cacerts password?
    gimbal2 Guru
    870847 wrote:
    > On the other hand, why should an attacker that has already gained root privileges bother inserting a rogue certificate into the cacerts file?
    Don't underestimate people with an actual purpose. If you can gain root access to a system and you make attempts to modify this file, you have specific intent, not general destructive intent. Having an additional layer of protection even against the god of the system is yet another barrier to break.
  • 7. Re: why change cacerts password?
    796440 Guru
    870847 wrote:
    > (I am asking because of the "manuals" on the 'net which just tell me to alter the password without giving an in-depth explanation, and I think that not knowing what is actually going on is a bad premise for system security)
    I suppose the author could be writing from the perspective of, "Don't assume the OS's/FS's security will prevent unauthorized modification." So, while you and I can't imagine putting the file somewhere that someone without root/Administrator/etc. access has system-level permission to write it, perhaps the author can imagine such a situation.

    Or perhaps it's simple compartmentalization. You may trust me with root access to your system, but not with write access to your certs. True, this means that in your specific case (and any normal case I can think of), having the first makes the second irrelevant, but again, the author may be speaking to the abstract, without assumptions about the specific OS and its security model.

    Just speculatin' over breakfast...

    EDIT: Oh, great, it's back to displaying my number again instead of my nick. Jverd here.

    Edited by: 793437 on Jul 7, 2011 7:31 AM
  • 8. Re: why change cacerts password?
    873850 Newbie
    Thanks to all of you for your help. I will certainly consider what you have written, but I have to say that in this case it probably means that I will leave the default password. (I can safely write this here and not keep it secret because it's what any attacker would try first anyway).
    > Maybe it does not provide any additional security but does it reduce the security? If it doesn't reduce the security then what's the harm?
    That I can say easily. It means reconfiguring all programs that try to use the cacerts file to access the default CA certificates. Since there is no standardized way to "configure a program", that definitely sounds like admin hell. On top of that, changing the password means modifying the cacerts file -- a file that was installed via the package manager -- which implies taking chances on a package upgrade.
    > Maybe the writers of the manuals are not sure of the benefit of changing the password so are just protecting their backsides.
    Sounds like a good guess. That's why I asked this here, to know what I'm doing ;)
    > Having an additional layer of protection even against the god of the system is yet another barrier to break.
    Definitely, but it would mean building a strong wall while leaving the door wide open, considering how simple it is for the god of the system to gain access to my private keys. If I knew any way to limit the damage that an attacker could cause with a hijacked root user, then I'd worry about a cacerts file with rogue certificates being inserted. Sadly, I don't.
    > So, while you and I can't imagine putting the file somewhere that someone without root/Administrator/etc. access has system-level permission to write it, perhaps the author can imagine such a situation.
    I guess I could come up with such situations rather easily, but I was a bit puzzled that the author(s) unconditionally recommended changing the password.

    ---

    That being said, documentation from the internet surely has to be taken with a grain of salt. For example, the Tomcat manual (from which I first learned about "changeit" some time ago) suggested using that password for the actual keystore (not the cacerts file). I guess that is so you don't have to change the Tomcat configuration, although I'm guessing here. At that time, I thought that it was some "magic" value and not actually a suggested password. Now stop and think how many Tomcat-based servers are probably using a keystore file with private keys in it, accessible to the tomcat user account and "protected" by the default password because that's what the manual suggests...

    Anyway, thanks & have a nice day!
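As an added illustration of two points raised in the thread (this is example code, not from any poster or from the JDK's own sources): EJP's point in reply 1 that the cacerts password is only an extra verification step when reading, and the point in reply 8 that a changed password has to be pushed into every program's configuration. It assumes a JKS-format cacerts under java.home/lib/security, as shipped with JRE 6/7, still carrying the stock default password "changeit"; newer JDKs ship a password-less PKCS12 cacerts, where the integrity check in step 2 does not apply.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;

public class CacertsPasswordDemo {
    // Assumed location of a JKS-format cacerts (JRE 6/7 layout); "changeit" is the stock default.
    static final Path CACERTS =
        Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    // null password: parse only; non-null: also verify the keyed hash written on the last save.
    static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }
    public static void main(String[] args) throws Exception {
        // 1. Reading needs no password. The default JSSE trust manager also loads cacerts
        //    this way unless javax.net.ssl.trustStorePassword is set, so a changed password
        //    is only ever verified by programs that are told about it.
        KeyStore unverified = load(CACERTS, null);
        System.out.println("trusted CA entries: " + unverified.size());
        // 2. With the password, the same load becomes an integrity check.
        try {
            load(CACERTS, "changeit".toCharArray());
            System.out.println("integrity hash verified with the default password");
        } catch (IOException e) {
            System.out.println("verification failed (password changed or file modified)");
        }
        // 3. Saving recomputes the hash under whatever password the writer chooses: the
        //    password does not prevent a rewrite by anyone with write access, it only lets
        //    a reader that verifies with the old password detect that rewrite afterwards.
        Path copy = Files.createTempFile("cacerts-copy", ".jks"); // constructed scratch file
        try (OutputStream out = Files.newOutputStream(copy)) {
            unverified.store(out, "some-other-password".toCharArray());
        }
        try {
            load(copy, "changeit".toCharArray());
            System.out.println("unexpected: rewritten copy accepted");
        } catch (IOException e) {
            System.out.println("rewritten copy rejected under the old password: " + e.getMessage());
        }
        Files.deleteIfExists(copy);
    }
}
```

Run it once against an untouched cacerts and once after changing the password with keytool to see step 2 flip from verified to rejected while step 1 keeps working unchanged.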
