Equifax Certificate Unravelling Security on Windows 10 OS (opens in new tab)

I fail to see the security issue here, the Equifax certificate in question (thumbprint: d23209ad23d314232174e40d7f9d62139786633a) has been revoked (on Windows 10 at least) - it is in the system store to protect users by being marked as revoked and thereby marking all child certificates and signatures as invalid.

I strongly suspect all the other listed certificates are also marked as revoked but I couldn't be bothered wasting my time checking.

Unless I'm misreading this, the "vulnerability" is 4 certs deployed on machines with deprecated hashing algorigthms.

The steps the author takes from that to "this could allow your machine to be compromised" are.... well tenuous at best. The idea that just because a certificate is present, an attacker will easily be able to use that to sign malware and bypass anti-malware protections as a result doesn't appear supported by the evidence presented.

This is nonsense. The self-signature on a root certificate is irrelevant unless you can easily calculate second pre-images, and that's not true even of MD5, and accepting a root doesn't mean that the validator would accept that hash function on a non-root.

Equifax is only a 1024-bit RSA key, which isn't ideal, but it expires on Aug 22nd this year and the key-size of the root doesn't impact confidentiality.