Installing a root certificate should be MUCH scarier

The news that Facebook had spent years paying teens to install a surveillance kit called "Facebook Research" had a key detail: as part of the program, Facebook had its users install a new "root certificate."

Root certificates are a key vulnerability in the public key infrastructure (PKI) that is used to protect virtually all of our secure communications, from protecting your privacy when exchanging messages or viewing web-pages, to ensuring that the software updates you install are what they appear to be, and not malicious code masquerading as legit updates.

And because of how PKI works, installing a single untrusted root certificate makes every connection you make from then on unreliable. A single mistake, in other words, can make you comprehensively, totally vulnerable.

So it's especially disturbing that installing a root cert is really easy to do: major OSes throw up a few pro forma warnings, but nothing that even hints at the kind of trouble you could be getting yourself into — seriously, the warnings are less stern than the injunction you used to get by default before you made your first Usenet post.

In an excellent Deeplinks post, the Electronic Frontier Foundation's Sydney Li and Jacob Hoffman-Andrews show just how underpowered the warnings over root certs are, and discuss what a good warning should look like.

On both iOS and Android, users installing a root certificate click through a process filled with vague jargon. This is the explanation users get, with inaccessible jargon bolded.

Android: "Note: The issuer of this certificate may inspect all traffic to and from the device."

iOS: "Installing the certificate "" will add it to the list of trusted certificates on your iPhone. This certificate will not be trusted for websites until you enable it in Certificate Trust Settings."

Regular users probably don't know about the X.509 Certificate ecosystem, who certificate issuers are, what it means to "trust" a certificate, and its relationship to encrypting their data. On Android, the warning is vague about who has what capabilities: an "issuer … may … inspect all traffic". On iOS, there's no explanation whatsoever, even in the "Certificate Trust Settings," about why this may be a dangerous action.

Powerful Permissions, Wimpy Warnings: Installing a Root Certificate Should be Scary
[Sydney Li and Jacob Hoffman-Andrews/EFF Deeplinks]

(Image: Kevin Dooley, CC-BY)