Arduino Certificate of Authenticity

I was installing the Arduino software and got the following message:

Code:
EA0471E5
C1E8109A
F15563E3
815F4472

should I trust this CA?

Thanks

djmdesd:
I was installing the Arduino software and got the following message:

Code:
EA0471E5
C1E8109A
F15563E3
815F4472

should I trust this CA?

Thanks

What you have posted so far is meaningless. There is no context.

What were you installing?
What was the source of the software?

Which operating system?
Linux, MacOSX, MS Windows, other

The certificate CAN be trusted and there may also be a pop up for a driver and firewall permission and they too can be trusted.

Your question is better suited to the CREATE editor section where people will understand it.

CAs (Certificate Authorities) are a common thing that anyone who understands the internet will know about.

I will ask that they move this question for you as there is more help in that section.

And welcome to CREATE.

Just wondering on what basis the Arduino root cert can be trusted?

All the root certs provisioned to the browsers by their manufacturers conform to CAB Forum requirements as to their creation, management, security, handling, revocation, and so forth. The cost of doing that runs in the high-6 to 7-figure range (in USD), part of which includes independent on-site auditing of the root key generation ceremony as it happens, and all the attendant security controls and processes through which the cert becomes a trust anchor.

Are we saying that the Arduino root cert is CAB Forum compliant? Because it's one thing for a stand-alone IDE to trust Arduino, and another altogether to add the cert to the Windows global trust store and trust it for all system activities performed on that PC. That's a LOT of trust to grant blindly. If the cert really is CAB Forum compliant then it's arguably worthy of that trust. Otherwise, it should be embedded in the plug-in and only accessible to the plugin and not the entire system.

Without a root cert, the browser asks if you want to make an exception and allows that exception to expire with the session. It also gives the user a chance to inspect the cert presented to see if it refers to an OCSP revocation server, and whether there is an intermediate signer. Unfortunately, the plugin doesn't give the user any opportunity to view the server cert presented so it's impossible to tell without resorting to Wireshark what it looks like. That opacity of the server cert is one of the red flags suggesting the cert may not be trustworthy. The presence of SAN=localhost in a root cert is yet another red flag, as is the lack of an authoritative independent posting of the signer bundle by the Arduino CA, or for that matter any web presence whatsoever of the Arduino CA.

So if it's possible to get past an informal declaration that the cert can be trusted in the Windows global trust store for global system use and get some info as to the provenance of the cert and robustness of the managing CA, I'd like to make such an inquiry. Does anyone at Arduino care to publish details of the CA issuing the cert for the Web Create plugin?

Finally, in the absence of such info I'll suggest two plausible alternatives for a cert in the system-global trust store.

  1. Use a self-signed cert with a CA=FALSE constraint. Yeah, I know that self-signed certs have a bad rap but a root cert is a self-signed cert. The main difference is that when CA=TRUE they are not (supposed to be) used as personal certs by the server. When CA=FALSE their use as a personal cert is unusual but at least safer than what we have now because such a cert cannot sign another cert with the DN of, say, your bank, and can't be used on another site that doesn't match the SAN or CN.

  2. Use a cert signed by Let's Encrypt. They are free and renewal is automated. Of course, if the mystery SAN=localhost in the root means the server being connected to is spun up locally, that's not an option.

Still investigating this and it seems like the intended use for the cert is a local HTTPS server used by the plugin. If I'm reading the code correctly, it generates a root cert with CA=TRUE then signs a personal cert with CA=FALSE.

Why? Why not just create the root with CA=FALSE and use it as the personal cert? That would mitigate the system-wide exposure of dropping this thing into the Windows global trust store.
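
The CA=TRUE versus CA=FALSE trade-off discussed in the posts above, as an added example (not code from the thread or from the Arduino plugin). It uses Go's crypto/x509 verifier as a stand-in for a client trust store; the `issue` and `trustTest` helpers and the `bank.example` hostname are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a throwaway cert for host; a nil parent means self-signed.
func issue(host string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{host},
		Subject:      pkix.Name{CommonName: host + " (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, // the CA=TRUE / CA=FALSE flag
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// trustTest pins one self-signed localhost cert; returns (ok for localhost, ok for a bank.example cert it signed).
func trustTest(isCA bool) (selfOK, otherOK bool) {
	anchor, key := issue("localhost", isCA, nil, nil)
	other, _ := issue("bank.example", false, anchor, key)
	pool := x509.NewCertPool()
	pool.AddCert(anchor)
	_, errSelf := anchor.Verify(x509.VerifyOptions{Roots: pool, DNSName: "localhost"})
	_, errOther := other.Verify(x509.VerifyOptions{Roots: pool, DNSName: "bank.example"})
	return errSelf == nil, errOther == nil
}

func main() {
	fmt.Println(trustTest(true))  // CA=TRUE root: true true
	fmt.Println(trustTest(false)) // CA=FALSE cert: true false
}
```

Both anchors are accepted for localhost, but only the CA=TRUE anchor makes a certificate for another hostname verify, which is the system-wide exposure the posts describe.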