Root Certificates and Revoked Certificates for Windows XP


heinoganda

Curiouser and curiouser... Since @Dave-H and @5eraph both got a new authroots.sst, I tried again via a Tor proxy and sure enough, I got a new one this time. However, that particular MS cache didn't have the new roots.sst, but did have the new updroots.sst I got before.

Apparently we can't trust that MS servers are properly synced. Below are the SHA-256 sums of what I have now, are yours the same?

f791d5d50d72af8a804f035f06d6c4df4b880734bdb0758b802bb9b6a50fbd9b *authroots.sst
d81a9be65cbcc042c27b7892afa530ac87605a91bcf97ac446d6c37cfed10d5c *delroots.sst
5fba6710bf183bae86e41d9300614f4baeb91da677b503d4622376c434b2cae5 *disallowedcert.sst
22d619f7cab05a2d51d4a9db71694d88e66189d221b72d249a3821bea179ba9c *roots.sst
711068329f6ff50b7b9eb2418638bf9ee6cfc44e2d711b5fa1edbe68375b103c *updroots.sst


Sorry I'm not sure how to check that. :blushing:

I have just run the updater again though, and my updroots.sst has changed, it's now dated 28/02/17 instead of 12/11/16, which is good, but strangely, my disallowedcert.sst is now dated 24/05/16 instead of 25/05/16 as it was before!

:lol:
 


This problem with the update server from MS I have already pointed out!

I update about 12 hours after reporting an update because of this circumstance. I could well imagine including a note about this problem in future announcements of the Root and Revoked certificate updates.

MS just wants to annoy us! :cool:

:)

Edited by heinoganda

On 3/10/2017 at 1:18 PM, Dave-H said:

Sorry I'm not sure how to check [SHA-256 hashes]. :blushing:

HashTab has support for SHA-256.

Just received the latest updroots.sst (dated 2017-02-28).  All my hashes now match mixit's above.

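The comparison discussed in the posts above, as an added example that is not part of the original thread: a Python script that reads a checksum list in the `hash *filename` layout mixit posted and reports each file as OK, MISMATCH or MISSING. The function names `sha256_file` and `verify_manifest` are hypothetical, a Python 3 interpreter is assumed, and the demo files are constructed placeholder bytes rather than real .sst containers.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Manifest line as posted in the thread: 64 hex digits, a space, an optional
# '*' (sha256sum binary-mode marker) or second space, then the file name.
LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *]?(.+)$")

def sha256_file(path, chunk_size=65536):
    """Hash in chunks so a large file is never read into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_manifest(manifest_text, directory):
    """Return {name: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest line."""
    results = {}
    for line in filter(None, map(str.strip, manifest_text.splitlines())):
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"not a sha256sum line: {line!r}")
        expected, name = match.group(1).lower(), match.group(2)
        if Path(name).name != name:  # refuse names that leave the directory
            raise ValueError(f"unexpected path in manifest: {name!r}")
        target = Path(directory) / name
        if not target.is_file():
            results[name] = "MISSING"
        elif sha256_file(target) == expected:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results

if __name__ == "__main__":
    # Constructed demo data: placeholder bytes, not real .sst containers.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "roots.sst").write_bytes(b"constructed sample A")
        Path(tmp, "updroots.sst").write_bytes(b"constructed sample B")
        manifest = "\n".join([
            hashlib.sha256(b"constructed sample A").hexdigest() + " *roots.sst",
            hashlib.sha256(b"stale copy").hexdigest() + " *updroots.sst",
            "0" * 64 + " *authroots.sst",
        ])
        for name, status in verify_manifest(manifest, tmp).items():
            print(f"{status:9} {name}")
```

A MISMATCH on a freshly downloaded container means the copy differs from the one the list was made from, which in this thread's situation includes a stale file served by an out-of-sync download server.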

This is what I'm getting with @heinoganda's Cert_Updater.exe, both yesterday and today...

Quote

authroots.sst          11/11/2016 10:59 PM Roots
delroots.sst            11/11/2016 10:59 PM Roots
roots.sst                 28/02/2017 02:48 PM Roots
updroots.sst            28/02/2017 02:48 PM Roots
disallowedcert.sst    24/05/2016 05:59 PM Revoked


This should look like the following, because the MS download server seems to run quite asynchronously.
(It can also lead to a different date due to the time zones.)

certzyj9a3ow61.jpg

certbrrlm0bn3hux.jpg

:)

Edited by heinoganda

Yes, that's exactly what I've now got, all -1 hour on the times in the first image due to the time difference between the UK and mainland Western Europe.
:yes:



 

Edited by Dave-H
Correction

What is mainly interesting is what the time zone can do to the date; compare delroots.sst. It is a vexing subject that the updated files reach MS's download servers very late for some users.

:)


Just a simple question or two about these certificate updates. I think I saw this mentioned many pages back in this thread but not sure. I want to get this cleared up for all future discussion.

These current updates are 'only' for the IE browser that a person uses with WinXP ... probably mostly IE 8 with most people. So if a person no longer uses IE 8 or IE 6 with WinXP but another browser like Pale Moon, Firefox and such ... these updates really mean nothing or are of little use ... am I correct on this?

I am not using the WinXP POS updates ... my WinXP updates stopped in early 2014. However, these newer certificate updates can benefit those people still updating WinXP and using a version of IE.

So my question ... if I no longer use IE 8 for anything then these certificate updates have no benefit and are not needed? If a person uses Pale Moon or any other browser ... these certificate updates are of no use to any other browser that a person might be using on their computer?

Sorry for repeating or going over everything more than once but I want to nail this down once and for all ... thanks.


 

Edited by monroe
sp

As a rule, many programs that use certificate-based encryption rely on Windows's own certificate management, such as Internet Explorer and Chromium-based browsers (a known issue: web pages with ECC certificates cannot be displayed because the Windows certificate management cannot process them). There are also programs that have their own certificate management; the ones I know of include Firefox-based browsers, Oracle Java and Python. Windows itself also depends on current root certificates (they have an expiration date) for drivers, MS updates, NTFS-based encryption of drives or directories, etc. Particularly noteworthy are the current revoked certificates, which prevent abused root certificates from remaining active and thus constituting a security risk.

:)

Edited by heinoganda

So after reading your post I guess a person should still apply these certificate updates ... even if they no longer receive any WinXP updates or no longer use any version of Internet Explorer.

Ok ... thanks for your reply, I will continue to download newer versions.

 

Edited by monroe
sp

  • 1 month later...

I am happily ignorant about what certificates are good for. I don't know and don't worry as long as I don't have any problems with the OS I am running.

Latest update here was April 19, Update for WEPOS and POSReady 2009 (KB4015193)


The time zone update definitely does not affect the certificate updates. An earlier post already illustrated that date differences in the downloaded certificate containers can be due to the time zones, as in the case of delroots.sst.

:)

Edited by heinoganda