Removing Thailand Government’s Certificate Authority from Microsoft Windows

This piece was written by PI Technologist Christopher Weatherhead.

As described in Privacy International’s recent report “Who’s That Knocking At My Door? Understanding Surveillance In Thailand”, the Thai government has a certificate authority in the Microsoft Windows Certificate Store. This means that Windows users who use Internet Explorer, Edge or Chrome (or any program that relies on the Microsoft Certificate Store) could be vulnerable to a mis-issuance by the Thai Government or a Man-in-the-Middle attack, particularly when using the internet from within Thailand.

One of the simplest ways of mitigating this vulnerability is to actively distrust the Thai government’s certificate. This will cause certificate warnings like those below to appear whenever it is used, and the connection will be blocked unless you explicitly consent to it.

This guide will assist you in specifically disabling the “Thailand National Root Certification Authority — G1”, although the same principles can be used for any of the other ~46 countries’ certificate authorities in the Microsoft Certificate Store.

There are two methods of disabling the certificate in question, either via the Windows Desktop, or via the command line.

Option 1 — Removing the Certificate via the Windows Desktop

Step 1 — Open the Microsoft Management Console (mmc) [Press Windows Key + R and type mmc]

Step 2 — Add the Certificate Snap-in for the Local Computer (This will propagate changes to all users) [Open File > Add/Remove Snap-ins and select Certificates]

Step 3 — Find the certificate by browsing to the Trusted Root Certification Authorities folder (you can also right-click the Certificates node and select “Find Certificate…”). On some versions of Windows only a subset of the trusted certificates is shown; to make the Thailand certificate appear, you may have to either update the certificate store from Windows Update or open the Thai certificate here.

Just because the Thailand National Root Certification Authority does not appear DOES NOT mean it is disabled.

Step 4 — Move the certificate to the Untrusted folder by dragging and dropping it.

If this has been completed successfully, the certificate information (which you can find either in the certificate store or in the certificate attached to this article) should read “This certificate has been revoked”.
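As an added example (not part of the article), the following PowerShell script reports where a root certificate currently sits in the Local Computer store and what chain status Windows attaches to it, which is the check you would run after Step 4. The thumbprint default is the one the article gives for the Thai G1 root; the function name Get-RootTrustStatus and the verdict wording are my own.

```powershell
# Added example, not part of the Privacy International article.
# Reports whether a root certificate is in the Local Computer
# "Trusted Root" or "Untrusted" (Disallowed) store and what chain
# status Windows reports for it. Reading the stores needs no elevation.
param(
    # Thumbprint of the "Thailand National Root Certification Authority - G1",
    # as given in the article.
    [string]$Thumbprint = '66F2DCFB3F814DDEE9B3206F11DEFE1BFBDFE132'
)

function Get-RootTrustStatus {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $inRoot       = Test-Path "Cert:\LocalMachine\Root\$Thumbprint"
    $inDisallowed = Test-Path "Cert:\LocalMachine\Disallowed\$Thumbprint"

    # Take the certificate object from whichever store holds it so that we
    # can build a chain and read the status flags Windows assigns to it.
    $cert = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\Disallowed |
        Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1

    $chainStatus = @()
    if ($cert) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Offline check: we only care about trust, not revocation lookups.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($cert)
        $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    }

    # Same caveat as the article: absence from the Root store does NOT mean
    # distrust, because Windows fetches roots on demand via Automatic Root Update.
    $verdict = if ($inDisallowed) { 'Distrusted (present in Disallowed store)' }
               elseif ($inRoot)   { 'Trusted (present in Trusted Root store)' }
               else               { 'Not present locally; may still be trusted via Automatic Root Update' }

    [pscustomobject]@{
        Thumbprint   = $Thumbprint
        Subject      = if ($cert) { $cert.Subject } else { $null }
        InRoot       = $inRoot
        InDisallowed = $inDisallowed
        ChainStatus  = ($chainStatus -join ', ')
        Verdict      = $verdict
    }
}

Get-RootTrustStatus -Thumbprint $Thumbprint | Format-List
```

After a successful Step 4, InDisallowed should be True and, on .NET 4 and later, ChainStatus should include ExplicitDistrust. The same script can be pointed at any other root in the store by passing a different -Thumbprint.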

Option 2 — Removing the Certificate via the Command Line

Step 1 — Open Command Prompt [Press Windows Key + R and type cmd and press enter]

Step 2 — Download the latest certificates from Windows Update by typing the following into the Command Prompt window: certutil -syncwithwu %temp%

Step 3 — Update the certificates in the trust store to reflect those retrieved from Windows Update by typing the following into the Command Prompt window: for /f "delims=" %i in ('dir /s/b %temp%\*.crt') do certutil -verify "%i"

Text should start scrolling up the Command Prompt window; it will take a couple of minutes to return to the prompt.

Step 4 — Add the Thai certificate to the Disallowed store, using the downloaded file that is named after its SHA1 thumbprint: certutil -addstore DISALLOWED %temp%\66F2DCFB3F814DDEE9B3206F11DEFE1BFBDFE132.crt

Reversing these changes

There may come a time when these changes need to be reversed. To do this, either drag the certificate back to the Trusted Root Certification Authorities folder in mmc, or run the following command:

certutil -delstore DISALLOWED %temp%\66F2DCFB3F814DDEE9B3206F11DEFE1BFBDFE132.crt
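As an added example (not part of the article or of /u/R-EDDIT’s post), here is a PowerShell equivalent of the command-line method and of the reversal step above in one script: it distrusts the root by adding it to the Local Computer Disallowed store, and with -Undo removes it again. The thumbprint default comes from the article; the function names, the elevation check and the fallback of pulling the certificate file from Windows Update with certutil -syncwithwu are my own assumptions.

```powershell
# Added example, not code from the article or from /u/R-EDDIT's post.
# Distrust (or, with -Undo, re-trust) a root certificate by adding it to /
# removing it from the Local Computer Disallowed store.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Thumbprint of the Thai G1 root as given in the article.
    [string]$Thumbprint = '66F2DCFB3F814DDEE9B3206F11DEFE1BFBDFE132',
    [switch]$Undo
)

function Assert-Elevated {
    # LocalMachine\Disallowed is machine-wide, so writing to it needs an
    # elevated shell; certutil -addstore has the same requirement.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell prompt.'
    }
}

function Get-RootCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Prefer a copy already in a local store. Otherwise fetch the current
    # root list from Windows Update into %TEMP% (the article's Step 2) and
    # load the file named after the thumbprint.
    $cert = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\Disallowed |
            Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1
    if ($cert) { return $cert }

    $file = Join-Path $env:TEMP "$Thumbprint.crt"
    if (-not (Test-Path $file)) {
        certutil -syncwithwu $env:TEMP | Out-Null
    }
    if (-not (Test-Path $file)) {
        throw "No certificate with thumbprint $Thumbprint found in the store or at $file"
    }
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file)
}

function Set-RootDistrust {
    param([Parameter(Mandatory)][string]$Thumbprint, [bool]$Distrust)
    Assert-Elevated
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        $existing = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
        if ($Distrust) {
            if ($existing.Count -gt 0) { return "$Thumbprint is already in Disallowed" }
            $store.Add((Get-RootCertificate -Thumbprint $Thumbprint))
            return "$Thumbprint added to Disallowed (distrusted)"
        }
        else {
            if ($existing.Count -eq 0) { return "$Thumbprint is not in Disallowed" }
            $store.Remove($existing[0])
            return "$Thumbprint removed from Disallowed (trust restored)"
        }
    }
    finally {
        $store.Close()
    }
}

$action = if ($Undo) { 'restore trust' } else { 'distrust' }
if ($PSCmdlet.ShouldProcess("LocalMachine\Disallowed ($Thumbprint)", $action)) {
    Set-RootDistrust -Thumbprint $Thumbprint -Distrust (-not $Undo)
}
```

Run it as .\Distrust-Root.ps1 to apply the change and .\Distrust-Root.ps1 -Undo to reverse it; because the script supports ShouldProcess, -WhatIf shows what would happen without touching the store. Adding the certificate object straight to the Disallowed store makes the article’s Step 3 (verifying every downloaded file so Windows installs the roots) unnecessary for the distrust itself; it remains useful if you want the full set of roots to be visible in mmc.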

Credit to /u/R-EDDIT for the command line method and their excellent post on Reddit outlining it.

We fight for the right to privacy across the world.

Privacy International
