This week while I was away at Virus Bulletin Microsoft released an update to the root certificates they include for Windows and Internet Explorer. On its own this is not noteworthy, but I have been meaning to blog about this for a while now.
The news was that Microsoft is including a root certificate for a free SSL certificate provider. For a long time now many web site operators have complained that there has not been a provider of free certificates that would not trigger a warning by Microsoft. Other browsers have supported some root certificates from free providers, but not Microsoft.
The press release from Startcom states the update was available on September 24th. Windows 7 appears to support this without manually applying an update, however older versions of Windows need to go to http://update.microsoft.com, choose "Custom", then "Software, Optional", then tick the box for Update for Root Certificates [September 2009] (KB931125)".
That is the part I have been meaning to blog about. Why has Microsoft decided that updates to the root certificates are an optional update? With all the focus on the importance of users checking for the padlock, checking that the address bar is green, ensuring they are securely accessing sites before providing sensitive information, why has Microsoft chosen to make it a manual process to access sites that are part of the web of trust?
In order to reduce the problem of users ignoring warnings, we need to limit the quantity of warnings they see to just the really important ones. This was one of the primary criticisms of Vista's much maligned User Access Control system. It is also the same problem I expressed my concerns about with Facebook's new privacy scheme.
If you are an administrator, don't forget to peruse the available optional updates from Microsoft when managing your WSUS roll outs. It may be true that urgent security patches are covered under "High Priority", but Microsoft does occasionally decide that things which enhance security are merely "Software, Optional".