Root Certificates and Revoked Certificates for Windows XP


heinoganda

Thanks Den!
I don't think the article applies here as it's mainly about having no internet connection, which I have of course!
I have tried re-registering those files, I'll see if it makes any difference.
They all registered fine immediately, except for Initpki.dll, which only registered successfully after a long delay for some reason.
:dubbio:

Link to comment


Thanks, I have run the updater recently, but I went into the Internet Options Content tab and deleted a huge number of expired certificates, some expired for many years, and then ran it again.
I was surprised to see that a lot of the expired certificates had come back again, but I guess that's normal and expected!
:dubbio:
I am surprised that the errors have started happening occasionally on my netbook too now, which has never even had the certificates updater installed, let alone run, but maybe I now need to do that!
I'll see how it goes now.
:)

Link to comment

MSFN sends me emails when there are new posts here.  I select and then open those emails on my Outlook Express 6 on my XP machine (on which I ran heinoganda's cert_updater twice in the last week).  Ironically, I get a certificate error message when I select or open the emails from MSFN in Outlook Express 6.  But that's just recent after not being an issue for some time.

After just looking at the emails, I click on the link in the last one to come here, and it opens in my Firefox ESR 52.8.1 (32-bit) without a problem.

Most emails in my OE6 do not generate the certificate warning, but (after running cert_updater) many from large companies do not display embedded pictures or logos - I get an empty box with a small red X.

I have run all the recent XP updates from Microsoft update and our other thread, but I have not yet run the .reg to add TLS 1.2 to my Internet Explorer.

Also, I'm just a tourist looking for the Statue of Liberty and ended up here by mistake, so a lot of the good stuff in this thread is over my head.

What do you think?

Yes, I'm uber something, but I don't think any of my Gwyneth Paltrow security is directly related to this.  Although what do I know?

Thanks, as always.

Link to comment

If I understand things correctly, you don't have to add the registry entries to enable TLS 1.2 in IE8, it's already enabled by the updates.
The registry entries just add tick boxes to the Internet Options interface to allow you to disable it if you want to for any reason.
howsmyssl.com will confirm whether it's enabled or not.
:)

Link to comment

Dave - H - thanks for link - very helpful!  However, I was able to confirm that the .reg was needed to turn on TLS 1.2 in my IE8.  And, now, that has been done.

I am now seeing more embedded pictures in emails.  But emails from MSFN still trigger the certificate warning.  (Oh the irony!)

From your link, my IE8 is Good due to new use of TLS 1.2, but it remains Bad in one way: 
"Insecure Cipher Suites.  Bad.   Your client supports cipher suites that are known to be insecure:
"TLS_RSA_WITH_3DES_EDE_CBC_SHA: This cipher suite uses 3DES which is vulnerable to the Sweet32 attack but was not configured as a fallback in the ciphersuite order. 
"TLS_RSA_WITH_RC4_128_SHA: This cipher suite uses RC4 which has insecure biases in its output."

Can that be fixed with a pill?

Link to comment

Ah thanks, I was wrong about the registry entries in that case. I just assumed because the options were already ticked when I added them to the interface that the options were already enabled. Obviously not!
The wrong security certificates picked up by howsmyssl.com are mentioned in the thread here.
I don't think they're anything to worry about, but somebody said they had deleted them with no dire consequences!
What are the errors you're seeing? Are they name mismatches?
:dubbio:

Edited by Dave-H
Addition
Link to comment

@Dave-H

In no case should a manual deletion of invalid certificates occur in the Certificate Manager, unless the certificate can be assigned exactly. Typically, a certificate update (cert_updater) deletes the certificates that are no longer needed based on the downloaded "delroots.sst" file. Certificates that were imported manually are not deleted in this process! Recently I offered you the certificates from the file "delroots.sst", which are still valid within the time frame (only in this file the invalid certificates were deleted).

@glnz

Still working with Outlook Express 6, corresponds with Internet Explorer 6. Using an e-mail from Dave-H could open the images with HTTPS proxy in OE6 without certificate error message. The first possibility would be to upgrade OE6 with current encryption technologies (I think more of Santa Claus), the second possibility to use OE6 with HTTPS Proxy (ProxHTTPSProxyMII) and as a third option a more modern e-mail client.


:)

Link to comment

Dave-H and heinoganda, for what it's worth, my certificate error messages are at this link:

<LINK>

Heinoganda - thanks for clarity on OE6 = IE6.  Yes, that means I need a new email app, but then I should quit struggling with XP and move on to my 7 + 10 machine.  That would make me sad.

Unless you know of an OE8.

Edited by glnz
Link to comment

@glnz

It should now also be known to you, that with each more recent update with "cert_updater" gradually root certificates are deleted with outdated, insecure encryption technologies (since there are no more modern encryption technologies in OE6, these problems occur). I do not know OE8 (make MS the suggestion for an OE6 successor), that's what Live Mail is known to me. Since I still use my OE6 like you, it does not work without an HTTPS proxy! :yes:

By the way, your link to the doc file works through Internet Explorer 8 only with HTTPS proxy!

:)

Edited by heinoganda
Link to comment

2 hours ago, heinoganda said:

@Dave-H

In no case should a manual deletion of invalid certificates occur in the Certificate Manager, unless the certificate can be assigned exactly. Typically, a certificate update (cert_updater) deletes the certificates that are no longer needed based on the downloaded "delroots.sst" file. Certificates that were imported manually are not deleted in this process! Recently I offered you the certificates from the file "delroots.sst", which are still valid within the time frame (only in this file the invalid certificates were deleted).
:)

Are you saying that certificates should never be manually deleted from the lists in the Internet Options>Content tab?
Sorry I'd forgotten about the delroots.sst you gave me, but I have still got it saved!
No more errors as yet, but if they return I'll try the procedures again.
:)

Link to comment

1 hour ago, Dave-H said:

Are you saying that certificates should never be manually deleted from the lists in the Internet Options>Content tab?

If a certificate is deleted, causing various problems, then this is certainly not a good idea. At least in your case the "cert_updater" was not to blame. :D

By the way, I have an updated version of ProxHTTPSProxyMII. If interested, send me a PM.

:)

Edited by heinoganda
Link to comment

On 6/19/2018 at 10:59 AM, glnz said:

Dave - H - thanks for link - very helpful!  However, I was able to confirm that the .reg was needed to turn on TLS 1.2 in my IE8.  And, now, that has been done.

I am now seeing more embedded pictures in emails.  But emails from MSFN still trigger the certificate warning.  (Oh the irony!)

From your link, my IE8 is Good due to new use of TLS 1.2, but it remains Bad in one way: 
"Insecure Cipher Suites.  Bad.   Your client supports cipher suites that are known to be insecure:
"TLS_RSA_WITH_3DES_EDE_CBC_SHA: This cipher suite uses 3DES which is vulnerable to the Sweet32 attack but was not configured as a fallback in the ciphersuite order. 
"TLS_RSA_WITH_RC4_128_SHA: This cipher suite uses RC4 which has insecure biases in its output."

Can that be fixed with a pill?

You can disable the RC4 cipher with RegEdit. Navigate to the "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" key and create a new DWORD value named "Enabled". Leave the value at 0.

You can disable the 3DES cipher the same way. That will make howsmyssl.com happy, but when I tried it, I could no longer access MU; so I re-enabled 3DES. It isn't that insecure....

Link to comment
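
The registry change described in the post above, as an added example that is not part of the original thread: it takes the insecure suite names howsmyssl.com reported, maps each to the SCHANNEL `Ciphers` subkey that controls it, and renders `.reg` text setting `Enabled` to 0. `RC4 128/128` is the key named in the post; `Triple DES 168/168` as the XP key name for 3DES is an assumption from Microsoft's SCHANNEL documentation, and the function names are made up for illustration.

```python
import re

# SCHANNEL cipher subkeys on Windows XP. "RC4 128/128" is the key named in the
# post above; "Triple DES 168/168" is an assumption from Microsoft's SCHANNEL
# documentation for pre-Vista Windows (later versions use "Triple DES 168").
BASE = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
        r"\SecurityProviders\SCHANNEL\Ciphers")
SCHANNEL_KEY = {"RC4_128": "RC4 128/128", "3DES_EDE_CBC": "Triple DES 168/168"}

# Constructed sample: the two suites quoted from the howsmyssl.com result.
REPORTED = ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"]


def bulk_cipher(suite):
    """Return the bulk-cipher part of an IANA suite name (between WITH_ and the MAC)."""
    m = re.fullmatch(r"TLS_\w+?_WITH_(\w+)_(?:SHA\d*|MD5)", suite)
    if not m:
        raise ValueError("unrecognised suite name: " + suite)
    return m.group(1)


def keys_to_disable(suites, keep=()):
    """Map reported suites to SCHANNEL subkeys, skipping ciphers listed in keep."""
    keys = []
    for suite in suites:
        cipher = bulk_cipher(suite)
        key = SCHANNEL_KEY.get(cipher)
        if key and cipher not in keep and key not in keys:
            keys.append(key)
    return keys


def reg_file(keys):
    """Render .reg text that sets Enabled=0 under each cipher subkey."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in keys:
        lines += ["[%s\\%s]" % (BASE, key), '"Enabled"=dword:00000000', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # 3DES stays enabled here: the poster lost access to Microsoft Update
    # after disabling it and turned it back on.
    print(reg_file(keys_to_disable(REPORTED, keep={"3DES_EDE_CBC"})))
```

SCHANNEL settings are system-wide, so the generated file affects every client that uses the Windows TLS stack (IE8, OE6, Microsoft Update), not only the browser tested at howsmyssl.com.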

On 6/19/2018 at 3:13 PM, glnz said:

Dave-H and heinoganda, for what it's worth, my certificate error messages are at this link:

<LINK>

Heinoganda - thanks for clarity on OE6 = IE6.  Yes, that means I need a new email app, but then I should quit struggling with XP and move on to my 7 + 10 machine.  That would make me sad.

Unless you know of an OE8.

Looks like MSFN is using a self-signed certificate for some of the content of their emails. I don't get their emails so I don't know.

You can fix the first "!" by clicking "Install Cert" and installing the certificate as a trusted root certificate, but I don't think that will fix the last "!".

As for OE8, there is none; the closest is probably Windows Live Mail (2009 version). You'll need the offline Windows Live 2009 installer. It's very similar to OE6, except with a more "Vista-esque" appearance. At least it will migrate your OE6 emails, unlike many other email clients.

Link to comment

The last "!", the name mismatch, you can get rid of by going to Control Panel>Internet Options>Advanced>Security and unticking "Warn about certificate address mismatch".
:yes:

Link to comment