
Root Certificates and Revoked Certificates for Windows XP


heinoganda


52 minutes ago, NotHereToPlayGames said:

TRUST ME, it is EXTREMELY easy to release a web browser whose address bar ALWAYS ALWAYS ALWAYS shows a "secure padlock" with made-up details

Are you suggesting that win32 is doing this? If not, relevance?

 

1 hour ago, NotHereToPlayGames said:

Supermium uses an INTERNAL cert store (hidden from the user as far as I can tell)

You keep stressing that, does current Chromium handle it differently, and only Supermium (& Thorium) go out of their way to obfuscate it? Genuine question.



28 minutes ago, 66cats said:

does current Chromium handle it differently

Chrome/Chromium has used an internal cert store in addition to the OS cert store since v105 and it has been enabled by default since v108.

To the best of my knowledge, I do think that Official Chrome, Official Ungoogled Chromium, Supermium, and Thorium all fetch these as opposed to them being "bundled".

I'll concede to anyone much more in-the-know.

My only intent was to demonstrate that the same EXACT browser in XP will not have the same level of security as it does in 10.

ECC cert shortcomings in XP have been known for a VERY long time.

It is nice to see the backport cited a few posts ago, so that SHORTCOMING is being addressed.

XP cert store cannot "do" ECC.  But as demonstrated, Mypal only performs this because it is not using the XP cert store.

How Supermium is performing this is a NIGHTMARE to figure out, it is simply UNSTABLE and pegs my CPU at 100%, crashes too often, et cetera, for me to have the patience to even ATTEMPT to sort it out.


2 hours ago, NotHereToPlayGames said:

Technically, I'm not a fan of INTERNAL cert stores.

TRUST ME, it is EXTREMELY easy to release a web browser whose address bar ALWAYS ALWAYS ALWAYS shows a "secure padlock" with made-up details to lead the user into a FALSE sense of "security".

We do have MSFN Members that would not be fooled, but trust me, it is EXTREMELY easy to do.

And several HUNDRED members here would never know - not until the small handful of a half a dozen or so showed up and pointed it out.

Actually to compare: 360 V11 (I kept it for safekeeping) always used to come up with a green padlock, whilst in V13 and 13.5 some sites (that would be green in V11) will come up as red and insecure.

EDIT: Sorry struggling to make sense today

Edited by XPerceniol

18 hours ago, AstroSkipper said:

And what about that? A Windows port of the Elliptic Curve Cryptography library (ECC-LIB): https://github.com/argp/ecc-lib-win32

How can I integrate this into Windows XP?
Is there an installation file or a ready-made file that I can copy to a specific folder?
Unfortunately, I am not familiar with this.


24 minutes ago, Anbima said:
19 hours ago, AstroSkipper said:

And what about that? A Windows port of the Elliptic Curve Cryptography library (ECC-LIB): https://github.com/argp/ecc-lib-win32

How can I integrate this into Windows XP?
Is there an installation file or a ready-made file that I can copy to a specific folder?
Unfortunately, I am not familiar with this.

This was just a hint that Elliptic Curve Cryptography can be ported to Windows XP. No more, no less. How this can be done, no idea. The linked project is not documented in more detail. But as you stated clearly, you like such short information. :P Personally, I do not really need such a port. :no:

Edited by AstroSkipper
correction

49 minutes ago, Anbima said:

How can I integrate this into Windows XP?
Is there an installation file or a ready-made file that I can copy to a specific folder?
Unfortunately, I am not familiar with this.

It looks to me like this port is NOT something that you port directly into your XP.

Rather, it is something that is "compiled" with the program that you want to then run on XP.

i.e., you use this to create a version of Supermium or Thorium that will "do" ECC when run on XP.


18 hours ago, NotHereToPlayGames said:

Chrome/Chromium has used an internal cert store in addition to the OS cert store since v105 and it has been enabled by default since v108.

To the best of my knowledge, I do think that Official Chrome, Official Ungoogled Chromium, Supermium, and Thorium all fetch these as opposed to them being "bundled".

I'll concede to anyone much more in-the-know.

My only intent was to demonstrate that the same EXACT browser in XP will not have the same level of security as it does in 10.

ECC cert shortcomings in XP have been known for a VERY long time.

It is nice to see the backport cited a few posts ago, so that SHORTCOMING is being addressed.

XP cert store cannot "do" ECC.  But as demonstrated, Mypal only performs this because it is not using the XP cert store.

How Supermium is performing this is a NIGHTMARE to figure out, it is simply UNSTABLE and pegs my CPU at 100%, crashes too often, et cetera, for me to have the patience to even ATTEMPT to sort it out.

Correct.
But even in W.10/11 in many malicious websites with (HTTPS) phishing content (this is not often the case for websites with malware content) the certificate is valid and nothing prevents the browser (at a given initial instant of time) from opening the malicious web page without any problem.

P.S.

In fact, I would be curious to see how your browsers (on W.XP) would treat these web pages, but the test should be done quickly after I put in the phishing link.

Edited by Sampei.Nihira

22 minutes ago, Sampei.Nihira said:

even in W.10/11 in many malicious websites with (HTTPS) phishing content (this is not often the case for websites with malware content) the certificate is valid and nothing prevents the browser (at a given initial instant of time) from opening the malicious web page without any problem.

Yeah... it still baffles me to see phishing websites getting a perfectly valid certificate from Let's Encrypt. I mean, what's the point of having Certificate Authorities at this point if scammers can just get their way around it... :(


14 hours ago, FranceBB said:

Yeah... it still baffles me to see phishing websites getting a perfectly valid certificate from Let's Encrypt. I mean, what's the point of having Certificate Authorities at this point if scammers can just get their way around it... :(

1.jpg

If any MSFN members want to test.

Warning:

The link in the image is an active phishing website (at the moment).
So be careful and do not enter any data.
