Microsoft silently adds Amazon root certificates to its CTL

Microsoft has just pushed a new CTL update with 6 new root certificates, 4 of which are for a brand new root CA: Amazon. This conveniently occurs just in time for Amazon's Certificate Services go-live. But what should have been a fairly ordinary update is raising a few red flags.

  1. Amazon is reported to have some close ties to spy agencies.

  2. The new roots have not been announced by Microsoft. Their Program Participants page is oddly silent about the changes. Additionally, it's interesting that Starfield (another root acquired by Amazon last year) does not appear in there either. Hopefully that's just a coincidence - I will not speculate on that.

  3. No other trust store provider (Mozilla, Google, Oracle) trusts these roots as of today.

[Image: RCC detecting the new roots]

By the way, if you are running any supported version of Windows, be aware that you are already effectively trusting them now, even if you do not see them in the Windows Certificate Manager.
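To see which roots are trusted through the CTL but not yet visible in the local store, the list published through Windows Update can be compared with the machine's root stores. This is an added example, not part of the original post; the `*Amazon*` subject filter and the temporary file name are assumptions.

```powershell
# Added example: compare the roots Microsoft distributes via Windows Update
# with the roots already present in the local machine stores.
$sst = Join-Path $env:TEMP 'wu-roots.sst'   # assumed scratch file name

# certutil downloads the current trusted root list from Windows Update
# and writes the certificates out as a serialized store (.sst).
certutil.exe -generateSSTFromWU $sst | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Load the serialized store into a certificate collection.
$wuRoots = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$wuRoots.Import($sst)

# Index the thumbprints of the roots that Certificate Manager would show.
$local = @{}
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
    ForEach-Object { $local[$_.Thumbprint] = $true }

# Roots that are in the Windows Update list but absent from the local stores.
$pending = @($wuRoots | Where-Object { -not $local.ContainsKey($_.Thumbprint) })

# Assumption: the new roots carry "Amazon" in their subject name.
$pending |
    Where-Object { $_.Subject -like '*Amazon*' } |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter |
    Format-List

"Roots in the Windows Update list but not in the local stores: $($pending.Count)"
```

Run it from an elevated or regular PowerShell session with network access to Windows Update; it only reads the stores and does not install or remove any certificate.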

