CERT01 Embedded CA Bundle
What this means
SiteShadow flagged custom/embedded certificate authority (CA) bundles or trust overrides that replace (or expand beyond) the OS trust store.
Why it matters
- Trust expansion: adding extra CAs increases the chance a compromised/intercepting CA is trusted.
- MITM risk: trust overrides are often paired with relaxed verification and become exploitable.
- Maintenance risk: embedded bundles go stale, break connections when CAs rotate, and encourage the "just turn verification off" workaround.
Safer examples
1) Prefer OS trust store where possible
Rely on the platform's CA store and keep it updated.
2) If you need custom trust (enterprise), scope it tightly
- Pin only the required internal CA(s).
- Don't ship broad trust overrides in consumer builds.
3) Avoid "fixing TLS issues" by weakening verification
Solve certificate distribution/CA installation issues instead of disabling TLS verification (see T01).
How SiteShadow detects it (high level)
- Flags code/config that sets custom CA paths/bundles or overrides default trust stores.
- Highlights trust changes when paired with TLS verification relaxations.
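As an added illustration of the two detection signals above, here is a small hypothetical scanner (not SiteShadow's own code) that flags lines setting custom CA bundles or trust overrides and raises the CERT01 severity when the same input also relaxes TLS verification. The signal patterns and the sample input are constructed for this example.

```python
import re
from dataclasses import dataclass

# Hypothetical detector approximating the CERT01 rule; not SiteShadow's own code.
# Signals that install a custom CA bundle or override the default trust store.
TRUST_OVERRIDE = re.compile(
    r"REQUESTS_CA_BUNDLE|CURL_CA_BUNDLE|SSL_CERT_FILE|SSL_CERT_DIR|NODE_EXTRA_CA_CERTS"
    r"|load_verify_locations|--cacert\b|\bcafile\s*=|\bverify\s*=\s*['\"][^'\"]+['\"]"
)
# Signals that relax or disable certificate verification (the pairing that escalates CERT01).
VERIFY_RELAXED = re.compile(
    r"\bverify\s*=\s*False|\bCERT_NONE\b|check_hostname\s*=\s*False"
    r"|rejectUnauthorized\s*:\s*false|NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*0|--insecure\b|\s-k\b"
)

@dataclass(frozen=True)
class Finding:
    lineno: int  # 1-based line number in the scanned file
    kind: str    # "trust-override" or "verify-relaxed"
    text: str    # the offending line, stripped

def scan_cert01(lines):
    """Return one Finding per matching signal on each line of code or config."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if TRUST_OVERRIDE.search(line):
            findings.append(Finding(lineno, "trust-override", line))
        if VERIFY_RELAXED.search(line):
            findings.append(Finding(lineno, "verify-relaxed", line))
    return findings

def assess(findings):
    """CERT01 severity: a trust change alone is medium; a trust change paired
    with relaxed verification is high; relaxation alone is T01's concern, not CERT01's."""
    overrides = [f for f in findings if f.kind == "trust-override"]
    relaxed = [f for f in findings if f.kind == "verify-relaxed"]
    if not overrides:
        return "none"
    return "high" if relaxed else "medium"

# Constructed sample of application code, not taken from any real project.
SAMPLE = """\
import ssl, requests
ctx = ssl.create_default_context()
ctx.load_verify_locations("certs/embedded-bundle.pem")
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
requests.get(url, verify="certs/embedded-bundle.pem")
""".splitlines()
```

Running `assess(scan_cert01(SAMPLE))` yields "high" because the embedded bundle on lines 3 and 6 is paired with the disabled hostname check and CERT_NONE on lines 4 and 5.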
References
- CWE-295: https://cwe.mitre.org/data/definitions/295.html