Removing Thailand Government’s Certificate Authority from Microsoft Windows
This piece was written by PI Technologist Christopher Weatherhead.
As described in Privacy International’s recent report “Who’s That Knocking At My Door? Understanding Surveillance In Thailand”, the Thai government has a certificate authority in the Microsoft Windows Certificate Store. This means that Windows users who use Internet Explorer, Edge or Chrome (or any program that relies on the Microsoft Certificate Store) could be vulnerable to a mis-issuance by the Thai government or a man-in-the-middle attack, particularly when using the internet from within Thailand.
One of the simplest ways of mitigating this vulnerability is to actively distrust the Thai government’s certificate. This will cause certificate warnings like those below to appear whenever it is used, so that the connection is blocked unless you explicitly consent to it.
This guide will assist you in specifically disabling the “Thailand National Root Certification Authority — G1”, although the same principles can be used for any of the other ~46 countries’ certificate authorities in the Microsoft Certificate Store.
There are two methods of disabling the certificate in question, either via the Windows Desktop, or via the command line.
Option 1 — Removing the Certificate via the Windows Desktop
Step 1 — Open the Microsoft Management Console (mmc) [Press Windows Key + R and type mmc]
Step 2 — Add the Certificate Snap-in for the Local Computer (This will propagate changes to all users) [Open File > Add/Remove Snap-ins and select Certificates]
Step 3 — Find the certificate by browsing to the Trusted Root Certification Authorities subdirectory (you can also right-click on the Certificates node and select “Find Certificate…”). On some versions of Windows only a subset of the trusted certificates is shown; to make the Thailand certificate appear, you may have to either update the certificate store from Windows Update, or open the Thai certificate here.
Just because the Thailand National Root Certification Authority does not appear DOES NOT mean it’s disabled.
Step 4 — Move the Certificate to the Untrusted folder, by dragging and dropping it.
If this has been completed successfully, the certificate information (which you can find either in the certificate store or in the certificate attached to this article) should show “This certificate has been revoked”.
Option 2 — Removing the Certificate via the Command Line
Step 1 — Open Command Prompt [Press Windows Key + R and type cmd and press enter]
Step 2 — Download the latest certificates from Windows Update by typing the following into the Command Prompt window: certutil -syncwithwu %temp%
Step 3 — Update the certificates in the trust store to reflect those retrieved from Windows Update by typing the following into the Command Prompt window: for /f "delims=" %i in ('dir /s/b %temp%\*.crt') do certutil -verify "%i"
Text should start scrolling up the Command Prompt window; it will take a couple of minutes to return to the prompt.
Step 4 — Add the Thai certificate to the Disallowed store, using its SHA1 hash as the file name: certutil -addstore DISALLOWED %temp%\66F2DCFB3F814DDEE9B3206F11DEFE1BFBDFE132.crt
Reversing these changes
There may come a time when these changes need to be reversed. To do this, either drag the certificate back to the Trusted Root Certification Authorities folder in mmc, or run the following command:
certutil -delstore DISALLOWED %temp%\66F2DCFB3F814DDEE9B3206F11DEFE1BFBDFE132.crt
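The four command-line steps of Option 2 and the reversal above, as one scripted sequence that checks its own result. This PowerShell script is an added example, not code from the original article or from the Reddit post it credits; the thumbprint is the one given in the article, while the wu-roots work folder and the function names are assumptions of this example. It is meant to run from an elevated PowerShell prompt and, after each change, confirms the state of the LocalMachine\Disallowed store instead of relying on certutil’s exit code.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article or the Reddit post it credits).
# Assumptions: the SHA1 thumbprint is the one the article gives; the 'wu-roots'
# work folder and the function names are this example's own.

$ThaiRootThumbprint = '66F2DCFB3F814DDEE9B3206F11DEFE1BFBDFE132'
$WorkDir = Join-Path $env:TEMP 'wu-roots'

function Sync-WindowsUpdateRoots {
    # Steps 2 and 3 of Option 2: fetch the current root set from Windows Update,
    # then run certutil -verify over each file so Windows installs the roots on demand.
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    certutil -syncwithwu $WorkDir | Out-Null
    Get-ChildItem -Path $WorkDir -Filter '*.crt' -Recurse | ForEach-Object {
        certutil -verify $_.FullName | Out-Null
    }
}

function Test-RootDistrusted([string]$Thumbprint) {
    # True when a certificate with this thumbprint sits in LocalMachine\Disallowed.
    $hit = Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    return [bool]$hit
}

function Add-DistrustedRoot([string]$Thumbprint) {
    # Step 4: locate the downloaded file by thumbprint, confirm the file really has
    # that thumbprint (do not trust the file name alone), then add it to Disallowed.
    $certFile = Join-Path $WorkDir "$Thumbprint.crt"
    if (-not (Test-Path $certFile)) {
        throw "No $Thumbprint.crt under $WorkDir; run Sync-WindowsUpdateRoots first."
    }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certFile)
    if ($cert.Thumbprint -ne $Thumbprint) {
        throw "Thumbprint mismatch: file reports $($cert.Thumbprint)"
    }
    Write-Host "Distrusting: $($cert.Subject)"
    certutil -addstore Disallowed $certFile | Out-Null
    if (-not (Test-RootDistrusted $Thumbprint)) {
        throw 'Certificate not found in the Disallowed store after addstore.'
    }
}

function Remove-DistrustedRoot([string]$Thumbprint) {
    # Reversal (the "Reversing these changes" section): certutil -delstore accepts
    # the SHA1 hash as the certificate id, so the .crt file need not still exist.
    certutil -delstore Disallowed $Thumbprint | Out-Null
    if (Test-RootDistrusted $Thumbprint) {
        throw 'Certificate is still present in the Disallowed store.'
    }
}

# Usage: apply Option 2 end to end, then report the resulting state.
Sync-WindowsUpdateRoots
Add-DistrustedRoot $ThaiRootThumbprint
"Distrusted: $(Test-RootDistrusted $ThaiRootThumbprint)"
# To undo the change:  Remove-DistrustedRoot $ThaiRootThumbprint
```

Test-RootDistrusted is also a quick way to confirm the result of Option 1: after dragging the certificate into the Untrusted folder in mmc, running it with the same thumbprint should return True.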
Credit to /u/R-EDDIT for the command line method and their excellent post on Reddit outlining the method above.