pointertovoid Posted March 19, 2014

Hello dear friends!

Windows (and possibly some browsers, independently) knows signatures by certification companies. These companies (Verisign is a known example) authenticate web pages (https) and their content as legitimate; the browser checks the signature against the trusted list and tells the user whether the page is certified or not.

The worry is that some governmental agencies have certification keys, and these agencies or delegations have used their key to sign web pages that are fakes. These pages imitate legitimate ones, the browser says that the signature is an acceptable one, the user gives a password, and the governmental agency knows the password for its nefarious misuses. This mechanism has been suspected for a long time, and recently Google has denounced it accurately: one of its pages (GMail?) was faked, and Google revoked the agency's key in its Chrome.

Of course, as you guess, I want to revoke the signatures by this governmental agency on my computers.

A mechanism exists, as Microsoft updates, to add trusted signatures on a computer. I suppose mechanisms exist to revoke some. How can I do this?

Many thanks!
submix8c Posted March 19, 2014 (edited)

KB2728973 rvkroots.exe (Revoked Roots Update)

And your XP is slow? Hmmm - allow some Untrusted Certificates to be installed that shouldn't have been?

Certificates - https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/cert_def.mspx

Paranoid much?

Edited March 19, 2014 by submix8c
pointertovoid Posted March 21, 2014

Despite using a computer, I've not become paranoid.

I'll check your links more deeply. Thanks!
pointertovoid Posted April 9, 2014

Now the Heartbleed bug has been published, which permits assailants to get protected information from servers running SSL communications (you know, the secured https web pages), including the certified keys used by the secure website to sign its page.

That is, an assailant has the original information needed to make a nearly-perfect faked https web page (did this happen in the recent days to the Yahoo mail? Login worked abnormally here) to steal all the protected information from the page user. This includes the website's keys that are permanent, not just the "random" session keys.

As a consequence, secured websites are requested to create new permanent secret keys, get a new certification, and revoke the former keys that are probably leaked.

BUT, and that's my question:

As a visitor to such websites, do I need to revoke some keys? To my understanding, my computer only knows the certification companies, not the certified websites, so I don't have to react.

By the way, I'm not completely sure that Heartbleed was a true bug instead of piracy. Too simple, lasted for too long - and the Heartbleed site http://heartbleed.com/ says "crown jewels", which is the English code used by secret services to designate especially important secrets. Before the Heartbleed bug, the random session keys had already been too little random in a bug that stank like a governmental attack on privacy. Leaked NSA documents also mention they defeated some SSL implementations through inside accomplices.

Many thanks to the people who revealed the bugs.
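The two questions in this thread (how to stop trusting one root CA on Windows, and whether a visitor's own trust store holds anything that Heartbleed would make him revoke) can both be answered from a PowerShell prompt. The script below is an added example, not code from the thread or from Microsoft; it assumes Windows 8 / Server 2012 or later (for Export-Certificate and Import-Certificate), an elevated prompt, and a placeholder thumbprint that you replace with the SHA-1 thumbprint of the root you have decided to distrust.

```powershell
# Added example, not from the thread. Moves one root CA from the trusted Root
# stores into the Disallowed ("Untrusted Certificates") store. Disallowed wins
# over Root, and deleting from Root alone can be undone by the Automatic Root
# Certificates Update, so the Disallowed entry is what actually revokes trust.
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.
# The thumbprint is a constructed placeholder: substitute the SHA-1 thumbprint
# (40 hex characters) of the root you no longer want to trust.
$Thumbprint = 'PLACEHOLDER_SHA1_THUMBPRINT_40_HEX_CHARS'

$trustedStores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root'

# 1. Locate every copy of the root in the trusted stores.
$copies = @(foreach ($store in $trustedStores) {
    Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
})
if ($copies.Count -eq 0) {
    throw "No certificate with thumbprint $Thumbprint in $($trustedStores -join ', ')"
}

# 2. Export one copy as DER and import it into Disallowed, so every chain that
#    ends at this root is rejected regardless of what else the machine trusts.
$cerPath = Join-Path $env:TEMP "distrust-$Thumbprint.cer"
Export-Certificate -Cert $copies[0] -FilePath $cerPath -Type CERT | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Disallowed' | Out-Null
Remove-Item -Path $cerPath

# 3. Remove the copies from the trusted stores.
foreach ($cert in $copies) {
    Write-Host "Removing $($cert.Subject) from $($cert.PSParentPath)"
    Remove-Item -Path $cert.PSPath
}

# 4. Verify: the thumbprint must now be present in Disallowed.
$blocked = Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $blocked) { throw 'Import into Disallowed failed' }
Write-Host "Root '$($blocked.Subject)' is now untrusted on this machine."

# 5. Side check for the Heartbleed question: a visitor's Root stores should hold
#    only self-signed CA certificates (Subject equals Issuer), never a website's
#    own certificate, so a leaked server key leaves nothing here to revoke.
#    Anything this lists is an anomaly worth inspecting.
Get-ChildItem -Path $trustedStores |
    Where-Object { $_.Subject -ne $_.Issuer } |
    Select-Object Subject, Issuer, Thumbprint, NotAfter
```

The Windows Root store only fixes which CAs are trusted; a leaked server key is handled by the site's CA through revocation (CRL/OCSP) and reissue, which is why step 5 normally prints nothing.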