Root Certificate installed during web editor setup -what for?

When you set up the web editor on a PC for the first time, it also installs a root CA certificate into the trusted root store. What is the purpose of this certificate?
This is not a general question about what certificates do - it's a specific question about why a IDE needs to place a cert in the trusted root store.
There should be a good reason to add such a cert, but I'm unable to find anything about it in the documentation.

Thanks!

It is a security measure.
That is all there is to it.

However if you don't want to install it and don't want to use the online editor that is of course your choice to make.

It is not a hidden request unlike some nefarious applications it is very open about what it is and what it is for.
I have installed the client for multiple browsers and run multiple security sweeps with a variety of software and not one has it shown in any of those as an untrusted source.

IIRC it even provides a link for you to verify too.

Thanks. However, that is not helpful.
I know what certificates do and how they work. Certificates can have many uses.
I would simply like to know how the certificate is used in the context of this application.

I did not say or imply that it was ‘hidden’ or ‘nefarious’, or even wrong. I am simply unable to find any documentation about why the editor requires it, and I’m curious.

Telling me “It is a security measure. that is all there is to it” does not explain why it is there.

Does anyone know? Is it used to verify a signature? To authenticate a server to the client? Some other purpose?

CREATE is on an "HTTPS" based site.

You are manipulating CODE live on that site.

You are also UPLOADING CODE to that site.

DOWNLOADING code to that site.

UPLOADING libraries.

DOWNLOADING libraries.

MANIPULATING files.

You can operate a serial port UP/DOWN stream.

You can also upload to IP based devices such as the YUN within your local network.

Most of that is relatively seamless.

Some of that requires co-ordination between your computer,your internal network, your local COM ports, your web browser, and a server farm (T3 i believe).

Some of the code that helps to do all that is proprietary code which also needs to be secure.

If you want to do all that at once there needs to be something in place to make sure it is YOUR sketches and that YOU are authorised to do exactly what you are doing.

I would hope you see that the need for a certain level of secure access is a must.

You can argue that there are other methods and I know there are.
However it is what was chosen and swapping that out at this stage of development / deployment would be a bit of a nightmare I can imagine.

On a personal note I too was a little wary of WHY it was needed.
However after playing with create I see why they needed something.

I already asked that this be moved to the CORRECT section for you.
If it is moved before Monday then hopefully one of the devs will give you more info as they do a pretty good job of following up on questions.
Just don't expect an answer that may need proprietary details.

EDIT

IIRC it is used to both verify AND authenticate.

Thanks for moving the post - wasn't sure which section was best for my question.

Perhaps someone in this section will be able to answer my original question.

Since the certificate in question is a trusted root, it would not be applicable for most of the use cases you listed (the Create website certificate is used for most of those items).

It's possible that it has some use for local LAN-attached things like the YUN - I'll have to investigate that.

I absolutely understand the need for security controls in this environment - that's precisely why I'd like to understand how they are implemented. To understand that, I need to first understand how the system uses the root cert that it installs.

Anyone have the answer?

I did the sane thing, and answered "No, I don't want to install this random root certificate into my system." Then tried to use the Create IDE anyway.

By exclusion, I can tell you what the root certificate is (probably) used for.

First of all, I get a visible error that reads "No Plugin Connection. Uploading is disabled until you reconnect."

Opening up the Chrome DevTools, I can see that it's trying to connect to https://localhost:8991/info and https://localhost:8992/info with the GET method a few times, and then with OPTIONS method ad infinitum.

In English: the plugin installs a tiny web server on your computer that it talks to over HTTPS with JavaScript. In order for your web browser to trust this connection, it has to have a trusted TLS/SSL certificate set up.

It's possible/probable that this is a unique, self-signed certificate per-system. In fact, it makes sense that it would be, so that they don't have to share private keys across all installed systems.

And, on looking it up, it looks like that's exactly what it does: arduino-create-agent/certificates.go at main · arduino/arduino-create-agent · GitHub

It goes a little further than "per system" to per specific browser.

Its also why some parts are proprietary and not on GIT.

You should answer the question “How to check thumbprint - is certificate really from Arduino?”.

By just accepting the certificate you are at risk of accepting wrong CA certificate, someone could have hacked install package and inserted CA that you should accept. This is one of the concerns we should have.

@MV100

you are welcome to read some of the other posts regarding the certificate and its use/issue.
I am certainly not worried about it for the many reasons posted in other threads.
BTW I dont work for Arduino in an official capacity.

If you dont wish to use CREATE there is always the desktop version.

Sorry Bob but your help isn't :frowning: any root CA should be verified or at least verifiable MV100 is correct in their concerns.

I can't find any verification on the thumbprint either, for something this widespread it should be verified as any hack with the same cert will have trusted access. This is not acceptable.

I know getting these to trusted status is expensive and I don't think anyone would mind a crowdfunded appeal to raise the required funds to ensure their safety.

Since I intend to develop data centre & security applications utilising Arduino I cannot in any conscience use the web version, which is much more convenient and up to date, and may actually have to move from the platform.

A trusted CA is meant to be 'trusted' so please don't suggest people just accept it, that is irresponsible, instead possibly point us towards who to check this with or if a member of the Arduino staff could answer instead of you would be good.

@Woolie.

It is a localised cert if you look at it close enough !

There are also different levels of CA but I expect you knew that too !

Multiple security sweeps with also multiple tools has never brought the cert into question here...But I expect you were aware of doing these sorts of sweeps too.

Just because you have more experience with certs does not help new users who have no idea what you are even on about.

There are also more topics in here regarding the cert and its usage etc. but I will guess you also read all those and found them lacking ?

Moving from the platform is of course your choice but Users come and go all the time...more stay than go seemingly.

Thanks for your reply, and I think I won't be using this forum any time soon again as your attitude to 'users' is lacking a bit, more stay than go, really. Shouldn't you be advocating staying rather than go stuff yourself.

Your also mis-informed, a root CA opens up any browser to attack if it's not a 'proper trusted' one, I made a suggestion to get it to that stage which you obviously ignored.

You definitely seem to be so sure of yourself that you will speak for the world, please don't, your not equipped to do that.

A simple question was asked and you take it on yourself to not answer but comment.

That is the definition of a forum Troll.

Unless you have information in your self appointed role regarding verifying the cert please don't bother responding, allow those that do have this information.

There’s an official response from one of the lead Arduino developers regarding this concern here:

There are a good few results using "create certificate" using the forums own SEARCH that cover that same aspect pert.

I had forgotten it was also mentioned in GITHUB...Thanks.