66cats Posted April 20

> 52 minutes ago, NotHereToPlayGames said:
> TRUST ME, it is EXTREMELY easy to release a web browser whose address bar ALWAYS ALWAYS ALWAYS shows a "secure padlock" with made-up details

Are you suggesting that win32 is doing this? If not, relevance?

> 1 hour ago, NotHereToPlayGames said:
> Supermium uses an INTERNAL cert store (hidden from the user as far as I can tell)

You keep stressing that, does current Chromium handle it differently, and only Supermium (& Thorium) go out of their way to obfuscate it? Genuine question.

NotHereToPlayGames Posted April 20

> 43 minutes ago, AstroSkipper said:
> This statement does not refer to any cert stores.

IMPLIED. But sure, I should have clarified that "WinXP" was referring to WinXP's cert store. SEMANTICS.

NotHereToPlayGames Posted April 20

> 25 minutes ago, 66cats said:
> Are you suggesting that win32 is doing this?

Heck No! But if we are to truly be "fair and consistent", we should fine-tooth-comb Supermium and Thorium equally and not assume either to be safer than the other.

NotHereToPlayGames Posted April 20

> 28 minutes ago, 66cats said:
> does current Chromium handle it differently

Chrome/Chromium has used an internal cert store in addition to the OS cert store since v105 and it has been enabled by default since v108. To the best of my knowledge, I do think that Official Chrome, Official Ungoogled Chromium, Supermium, and Thorium all fetch these as opposed to them being "bundled". I'll concede to anyone much more in-the-know.

My only intent was to demonstrate that the same EXACT browser in XP will not have the same level of security as it does in 10. ECC cert shortcomings in XP have been known for a VERY long time. It is nice to see the backport cited a few posts ago, so that SHORTCOMING is being addressed.

XP cert store cannot "do" ECC. But as demonstrated, Mypal only performs this because it is not using the XP cert store. How Supermium is performing this is a NIGHTMARE to figure out, it is simply UNSTABLE and pegs my CPU at 100%, crashes too often, et cetera, for me to have the patience to even ATTEMPT to sort it out.

XPerceniol Posted April 20

> 2 hours ago, NotHereToPlayGames said:
> Technically, I'm not a fan of INTERNAL cert stores. TRUST ME, it is EXTREMELY easy to release a web browser whose address bar ALWAYS ALWAYS ALWAYS shows a "secure padlock" with made-up details to lead the user into a FALSE sense of "security". We do have MSFN Members that would not be fooled, but trust me, it is EXTREMELY easy to do. And several HUNDRED members here would never know - not until the small handful of a half a dozen or so showed up and pointed it out.

Actually to compare: 360 V11 (I kept it for safekeeping) did always use to come up with a green padlock whilst V13 and 13.5 some sites (that would be green in V11) will come up as red and insecure.

EDIT: Sorry struggling to make sense today

Edited April 20 by XPerceniol

AstroSkipper Posted April 20

> 1 hour ago, NotHereToPlayGames said:
> XP cert store cannot "do" ECC. But as demonstrated, Mypal only performs this because it is not using the XP cert store.

Yep! And even New Moon 28 can deal with these certificates:

XPerceniol Posted April 20

Yeah Mypal68 and New Moon 28 are normally fine.

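Added example, not written by any poster in this thread and not taken from any of the browsers discussed: a small Python DER walker that reports whether a certificate carries an EC key or an ECDSA signature, the kind of certificate the posts above say the XP cert store cannot handle. The sample certificate is a constructed skeleton, and all function names are hypothetical.

```python
OIDS = {"1.2.840.10045.2.1": "EC public key", "1.2.840.113549.1.1.1": "RSA public key",
        "1.2.840.10045.4.3.2": "ecdsa-with-SHA256", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def children(buf):
    """Split DER content into (tag, value) pairs, handling long-form lengths."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def oid(value):
    """Decode an OBJECT IDENTIFIER value into dotted notation."""
    first = min(value[0] // 40, 2)
    arcs, acc = [first, value[0] - 40 * first], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def cert_algorithms(der_cert):
    """Return (subject key algorithm, certificate signature algorithm)."""
    tbs, sig_alg = children(children(der_cert)[0][1])[:2]
    fields = [f for f in children(tbs[1]) if f[0] != 0xA0]  # drop optional [0] version
    spki = children(fields[5][1])  # after serial, sigAlg, issuer, validity, subject
    key, sig = (oid(children(a)[0][1]) for a in (spki[0][1], sig_alg[1]))
    return OIDS.get(key, key), OIDS.get(sig, sig)

def der(tag, *parts):  # short-form DER encoder, only used to build the sample
    body = b"".join(parts)
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def sample_cert():
    """Constructed skeleton (empty names and validity, dummy key), not a real certificate."""
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))
    spki = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201")),
                         der(0x06, bytes.fromhex("2a8648ce3d030107"))), der(0x03, b"\x00\x04"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), sig_alg,
              der(0x30), der(0x30), der(0x30), spki)
    return der(0x30, tbs, sig_alg, der(0x03, b"\x00"))
```

To check a real certificate, pass its DER bytes to `cert_algorithms`; a PEM file can be converted first with the standard library's `ssl.PEM_cert_to_DER_cert`.
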
Anbima Posted Sunday at 03:19 PM

> 18 hours ago, AstroSkipper said:
> And what about that? A Windows port of the Elliptic Curve Cryptography library (ECC-LIB): https://github.com/argp/ecc-lib-win32

How can I integrate this into Windows XP? Is there an installation file or a ready-made file that I can copy to a specific folder? Unfortunately, I am not familiar with this.

AstroSkipper Posted Sunday at 03:33 PM

> 24 minutes ago, Anbima said:
> > 19 hours ago, AstroSkipper said:
> > And what about that? A Windows port of the Elliptic Curve Cryptography library (ECC-LIB): https://github.com/argp/ecc-lib-win32
>
> How can I integrate this into Windows XP? Is there an installation file or a ready-made file that I can copy to a specific folder? Unfortunately, I am not familiar with this.

This was just a hint that Elliptic Curve Cryptography can be ported to Windows XP. No more, no less. How this can be done, no idea. The linked project is not documented in more detail. But as you stated clearly, you like such short information. Personally, I do not really need such a port.

Edited Sunday at 03:45 PM by AstroSkipper (correction)

NotHereToPlayGames Posted Sunday at 04:03 PM

> 49 minutes ago, Anbima said:
> How can I integrate this into Windows XP? Is there an installation file or a ready-made file that I can copy to a specific folder? Unfortunately, I am not familiar with this.

It looks to me like this port is NOT something that you port directly into your XP. Rather, it is something that is "compiled" with the program that you want to then run on XP. I.e., you use this to create a version of Supermium or Thorium that will "do" ECC when run on XP.

Sampei.Nihira Posted Sunday at 04:53 PM

> 18 hours ago, NotHereToPlayGames said:
> Chrome/Chromium has used an internal cert store in addition to the OS cert store since v105 and it has been enabled by default since v108. To the best of my knowledge, I do think that Official Chrome, Official Ungoogled Chromium, Supermium, and Thorium all fetch these as opposed to them being "bundled". I'll concede to anyone much more in-the-know. My only intent was to demonstrate that the same EXACT browser in XP will not have the same level of security as it does in 10. ECC cert shortcomings in XP have been known for a VERY long time. It is nice to see the backport cited a few posts ago, so that SHORTCOMING is being addressed. XP cert store cannot "do" ECC. But as demonstrated, Mypal only performs this because it is not using the XP cert store. How Supermium is performing this is a NIGHTMARE to figure out, it is simply UNSTABLE and pegs my CPU at 100%, crashes too often, et cetera, for me to have the patience to even ATTEMPT to sort it out.

Correct. But even in W.10/11 in many malicious websites with (HTTPS) phishing content (this is not often the case for websites with malware content) the certificate is valid and nothing prevents the browser (at a given initial instant of time) from opening the malicious web page without any problem.

P.S. In fact, I would be curious to see how your browsers (on W.XP) would treat these web pages, but the test should be done quickly after I put in the phishing link.

Edited Sunday at 05:04 PM by Sampei.Nihira

FranceBB Posted Sunday at 05:17 PM

> 22 minutes ago, Sampei.Nihira said:
> even in W.10/11 in many malicious websites with (HTTPS) phishing content (this is not often the case for websites with malware content) the certificate is valid and nothing prevents the browser (at a given initial instant of time) from opening the malicious web page without any problem.

Yeah... it still baffles me to see phishing websites getting a perfectly valid certificate from Let's Encrypt. I mean, what's the point of having Certificate Authorities at this point if scammers can just get their way around it...

NotHereToPlayGames Posted Sunday at 06:49 PM

It's been that way for TWENTY YEARS. Don't for one second think that the "padlock" in that address bar really means anything at all !!! It only ever really did back when ONLY bank sites had that "padlock" !!!

Sampei.Nihira Posted Monday at 07:30 AM

> 14 hours ago, FranceBB said:
> Yeah... it still baffles me to see phishing websites getting a perfectly valid certificate from Let's Encrypt. I mean, what's the point of having Certificate Authorities at this point if scammers can just get their way around it...

If any MSFN members want to test.

Warning: The link in the image is an active phishing website (at the moment). So be careful and do not enter any data.