Ask HN: Safe to Install Government Root Certificate?

14 points by 35mm ↗ HN
To access Spanish government services, I need to install a root certificate.

What are the security implications if any?

"To use your DNIe in your browser you need:

- Install the PKCS#11 Security Module

- Install the Root Certificate of the DNIe Certification Authority"

More info: https://www.dnielectronico.es/PortalDNIe/

20 comments

[ 2.9 ms ] story [ 44.8 ms ] thread
It can be misused by the government to spy on you - https://www.makeuseof.com/tag/what-is-root-certificate/ ... But it's also a valid use case for a government to issue certificates to access their own sites securely.
> But it's also a valid use case for a government to issue certificates to access their own sites securely.

They don't need a root certificate installed on citizen's machines for that...

Yeah something‘s super fishy about this.

I would recommend only doing this in a local VM.

They don't need it, as in, there are alternative approaches. But this approach is valid if they don't want to depend on a third party to authenticate government services.
Most governments don't have their citizens manually install root certificates... not saying that they don't have access to existing root certificates...
Browsers seem to lack a way to trust a CA only for specific domains.
Would love to see this as a ubiquitous feature—it would solve so many problems. Just for starters, it would fix the “here, install this root CA to join our mobile device management system/campus wireless network—oh oops, looks like that lets us spy on all your traffic anytime we choose” problem…
Some browsers apply restrictions to some CAs. There's support for it with X.509 nameConstraints; I don't know if support for that has increased though. Even if a browser doesn't support it in general, it can do similar things with its built in CA store.
x509 entries in the cert don't help if the cert is designed to sign false server certs... they obviously will not add the restriction to the CA.

Browsers definitely are in a position to additionally restrict their trust to certs in their store to specific hostnames. But there doesn't seem to be any UI except explicit global trust and distrust.

The security implication is that the government can use it to sign certificates for any website of their choice. This means that they can snoop and/or replace the content.

Mitigating this, there are mechanisms to keep track of which certificates are used for which websites, so this could catch them in the act.

However, note that "Root CAs manually added to the trust store override and suppress Expect-CT reports/enforcement."

Since this is the Spanish government, it seems likely they will target Catalonia somehow.

(comment deleted)
Depends if you trust your government.
Related, but why do pre-installed root certificates include certificates issued by governments like, say, Venezuela (Autoridad de Certificacion Raiz del Estado Venezolano)?

Who decides who is a trustworthy issuer?, and why can’t we, users, modify these lists? (At least on iOS)

To answer the first question, the list of trusted CAs is set by the browser/OS root store. They start from standards like the CA/Browser Forum Baseline Requirements (cf. https://cabforum.org) and then apply their own criteria as they deem appropriate. For government CAs, they sometimes don’t use the applicable public audit standards (WebTrust, ETSI), so the root stores have to decide individually whether the audit standard the entity in question does apply is sufficient to meet their requirements.

Worth noting that there’s an effort underway in the EU to take that decision out of the hands of browsers and mandate inclusions for EU CAs that meet the EU’s QWAC TSP standard, which would presumably include OP’s Spanish govt. CA.

For the inability to modify those lists on iOS, I’m with you: I would want to see the same level of modification ability for mobile platforms that we currently have on desktop OSes, but it’s up to Apple to implement that.

what benefit is this "root certificate" over letsencrypt ? why force users to install certificates? can we define what websites are compatible with a said certificate so a *.gov for example?
> what benefit is this "root certificate" over letsencrypt ?

It's issued by the spanish spy agencies rather than NSA - wouldn't you as a patriotic citizen of Spain trust your own intelligence services over foreign ones? ;) This is not a new debate though - when Let's Encrypt was launched some netizens had pointed out that similar setups existed but no one (read BigTech) embraced it till an "American" solution appeared.

There's a mention of pkcs#11 presumably for client certs.. Letsencrypt only signs host certificates.
Perhaps you can add this CA only to a dedicated browser profile?
I do not have the answer to your specific question as I have no inside knowledge of that government. To mitigate potential concerns I would install that cert into a browser that is in a virtual machine. Qubes OS [1] and Virtual Box [2] are a couple free options. Qubes is about a 5GB download. VirtualBox is a much smaller application download but would require a small desktop ISO to boot a VM from. If their site complains you are using a VM then you know something interesting is going on.

[1] - https://www.qubes-os.org/

[2] - https://www.virtualbox.org/

It depends on the root certificate usage policy.

I think they ought to be setting it for usage for client identification only.

If it's for server identification too, I wouldn't trust it.

Most certificate stores will not allow the import of a certificate that has been signed by a trusted root that it doesn't know about. That is why you're required to import that root cert.

As for what features it states that it supports ... That's another matter entirely!