Jump to content

Root Certificates and Revoked Certificates for Windows XP


heinoganda

Recommended Posts

29 minutes ago, heinoganda said:

@Tangy

Use Regedit to delete the Cert_Updater entry (under HKEY_LOCAL_MACHINE\SOFTWARE delete Cert_Updater) and then execute Cert_updater 1.6 again. The default values are then re-entered in the registry including the change of the download URL's.

:)

Mission accomplished !

Dankeschön :)

Link to comment
Share on other sites

  • 4 weeks later...

There was an update for an ECC certificate, as this certificate is not supported under Windows XP and there were no other changes, so an info on this update was superfluous.

New:

CN = Microsoft ECC TS Root Certificate Authority 2018
O = Microsoft Corporation
L = Redmond
S = Washington
C = US


:)

Edited by heinoganda
Link to comment
Share on other sites

9 hours ago, Thomas S. said:

New MS files without analysis - who except you can tell what's going on...

Just compare the contents of the updated sst files to the earlier ones. Also, based on the date of the updated sst file, it may not necessarily be assumed that the content has actually changed. Since an ECC certificate under Windows XP is not taken over / processed, was on 10/31/2018 about this update an info superfluous.

:)

Link to comment
Share on other sites

On 11/2/2018 at 11:09 AM, Jeyneko said:

Hmm, I wonder if this means anything :3

What I meant was that I (we?) don't know what's going on.

And we don't know if @heinoganda is online or not / on holiday / alive...

If he has analysed the sst files (and I think he has) it's easy for him to give a short info as "new files but no change for XP" or so.

Of course, it's only his decision...

Technical discussion / my opinion:

For me it doesn't matter, what are the changes in the files, because it is a simple update without any mystery.
You can run each CAupdater (regardless which one) as planned task automatically in a given interval (built in function / with TaskScheduler).

In any case, this is the best way to miss any updates.
If you run the updater you get new files, install them and and the task is done.

There are only small differences in the CAupdaters: the way of download (f.e. any or only newer files), interaction with the users (f.e. confirmation before or after download), writing in registry or not, logging the result...

Link to comment
Share on other sites

  • 4 weeks later...

CertUpd.jpg

Disallowed certificates New:

E = support@senncom.com
CN = 127.0.0.1
OU = R&D
O = Sennheiser Communications A/S
L = industriparken 27, 2750 Ballerup
S = Denmark
C = DK

E = support@senncom.com
CN = SenncomRootCA
OU = R&D
O = Sennheiser Communications A/S
L = industriparken 27, 2750 Ballerup
S = Denmark
C = DK

Update for root certificates:

New:

CN = Microsoft ECC Root Certificate Authority 2017
O = Microsoft Corporation
L = Redmond
S = Washington
C = US

CN = Microsoft EV ECC Root Certificate Authority 2017
O = Microsoft Corporation
L = Redmond
S = Washington
C = US

CN = Microsoft EV RSA Root Certificate Authority 2017
O = Microsoft Corporation
L = Redmond
S = Washington
C = US

CN = Microsoft RSA Root Certificate Authority 2017
O = Microsoft Corporation
L = Redmond
S = Washington
C = US

CN = PostSignum Root QCA 4
O = Ceská pošta, s.p.
2.5.4.97 = NTRCZ-47114983
C = CZ

CN = ZETES TSP ROOT CA 001
SERIALNUMBER = 001
O = ZETES SA (VATBE-0408425626)
C = BE

 

Those using heinoganda's Cert_Updater.exe should run it ASAP. Others needing a redistributable rootsupd.exe should follow his instructions for creating their own, or PM at 5eraph for an updated EXE file.
 

:)

Link to comment
Share on other sites

26 minutes ago, heinoganda said:

CertUpd.jpg

Disallowed certificates New:

E = support@senncom.com
CN = 127.0.0.1
OU = R&D
O = Sennheiser Communications A/S
L = industriparken 27, 2750 Ballerup
S = Denmark
C = DK

E = support@senncom.com
CN = SenncomRootCA
OU = R&D
O = Sennheiser Communications A/S
L = industriparken 27, 2750 Ballerup
S = Denmark
C = DK

Update for root certificates:

New:

CN = Microsoft ECC Root Certificate Authority 2017
O = Microsoft Corporation
L = Redmond
S = Washington
C = US

CN = Microsoft EV ECC Root Certificate Authority 2017
O = Microsoft Corporation
L = Redmond
S = Washington
C = US

CN = Microsoft EV RSA Root Certificate Authority 2017
O = Microsoft Corporation
L = Redmond
S = Washington
C = US

CN = Microsoft RSA Root Certificate Authority 2017
O = Microsoft Corporation
L = Redmond
S = Washington
C = US

CN = PostSignum Root QCA 4
O = Ceská pošta, s.p.
2.5.4.97 = NTRCZ-47114983
C = CZ

CN = ZETES TSP ROOT CA 001
SERIALNUMBER = 001
O = ZETES SA (VATBE-0408425626)
C = BE

 

Those using heinoganda's Cert_Updater.exe should run it ASAP. Others needing a redistributable rootsupd.exe should follow his instructions for creating their own, or PM at 5eraph for an updated EXE file.
 

:)

We are lucky that these latest roots are xp compatible

Link to comment
Share on other sites

We're lucky MS didn't pull the plug early on POSReady 2009 after realising the patches could easily be detected on XP SP3 given how controversial they're still being with forcing Windows 10 down our throats...

Link to comment
Share on other sites

  • 2 months later...
1 hour ago, Sampei.Nihira said:

what do you think about it?

I do not care much about that since I know that certain global players (I'll deliberately not name names explicitly) would like to have more and more control over the Internet (check out the free and independent media (above all, do not be fooled by the TV and big Newspapers brainwash), wake up and you will understand)!

:yes:

Edited by heinoganda
Link to comment
Share on other sites

4 hours ago, Sampei.Nihira said:

From the article:

Quote

Load about:preferences#privacy in the Firefox address bar to open the Privacy & Security settings.

On FF 52 and its forks, the Certificates tab is on Advanced preferences, not Privacy or Security preferences. You would then click "View Certificates," select the one(s) to be distrusted, click "Delete or Distrust," and confirm your choices.

Of course, if you use @roytam1's builds of New Moon or Basilisk, you'll have to repeat this process each time you update (or else convince him to remove the certificates from his builds preemptively).

Quote

A company in control of  a root CA could potentially decrypt traffic that it has access to.

That's not correct. If that were the case, a big CA like DigiCert could decrypt half the Internet! A root CA generally cannot decrypt traffic of the certificates it signs. Each certificate contains only the public key, not the private key needed for decryption.

The real concern is that a root CA could sign certificates of sites that haven't kept their private key secret (due to carelessness, theft, or coercion from the UAE), thus causing Mozilla browsers to trust those sites to be secure, when in fact they are not.

I suppose a rogue CA could be an agent of such coercion, but I'd think whistle-blowers working for the certificate owners would soon expose such a scheme.

From the EFF article:

Quote

Any of the dozens of certificate authorities trusted by your browser could secretly issue a fraudulent certificate for any website (such as google.com or eff.org.) A certificate authority (or other organization, such as a government spy agency,) could then use the fraudulent certificate to spy on your communications with that site, even if it is encrypted with HTTPS.

That's true as far as it goes, but issuing a fraudulent certificate is only part of what's required. It would also be necessary to redirect, say, google.com to a phony website using the fraudulent certificate. That might be doable if, say, your ISP was also compromised, but you're starting to involve a lot of actors to pull off such a scheme. I could see that in China, the UAE, or Saudi Arabia, where all the ISPs are pretty much inherently compromised in order to do business in those countries at all, but it would be a lot harder to pull off in Europe or America.

Edited by Mathwiz
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...