mixit Posted October 5, 2016
On 2016/10/3 at 9:11 AM, blackwingcat said: It seems to have no effect on XP. The "WoSign 1999" cert should be blocked since 2016/9/20.
Thanks for finding this out, I was wondering what the heck had actually changed as everything looked the same. Apparently MS expects us to manually move this certificate to Untrusted?...
5eraph Posted October 6, 2016
A registry compare shows that many of the registry entries were changed (342 relevant entries in the keys below), but none were added or removed. Perhaps MS hasn't addressed WoSign yet. If not, maybe it will later.
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
5eraph Posted November 17, 2016
authroots.sst, delroots.sst and updroots.sst were updated by Microsoft on 2016/11/12 and released today in November's scheduled release. Those using heinoganda's Cert_Updater.exe should run it ASAP. Others needing a redistributable RootsUpd.exe should follow his instructions for creating their own, or PM me for an updated EXE file.
Edited November 17, 2016 by 5eraph
heinoganda (Author) Posted November 17, 2016
Small info: this morning, when the info from 5eraph was just 7 hours old, the old certificates were still present on the European content servers of MS. It took about 2-3 hours until the current certificates were also available here. Therefore, no one should be surprised if the current certificate updates are not available at the same time, especially if the info is very up-to-date! (If the Cert_Updater only updates old root certificates, simply run it again at a later time.)
@5eraph Thanks for the info!
Edited November 17, 2016 by heinoganda
glnz Posted February 2, 2017
Heinoganda - I run your cert_updater from time to time on my XP. The latest cert updates are still November 2016.
But in my incoming emails, I now get certificate warnings from time to time, when I never got them up to a year ago. For example, I receive promo emails from Natural Area Rugs, from whom I've bought a few small floor rugs over the years, and now a Certificate Warning pops up. See attachment here. Similarly for emails from UPS.com that originate in their office in Thailand, which handles shipments for my wife's business. Those are not promo emails; I frequently respond to their emails, a few times per month.
(FYI - my emails come in on Outlook Express 6, and my many old emails on OE6 are why I want to keep my XP machine running.)
Are we sure the Cert_updater is getting good lists of current certificates? I'm sure it's working, but is it reaching for the right source data? Thanks.
Edited February 2, 2017 by glnz
mixit Posted February 2, 2017
@glnz If you click View Certificate there, what is the exact error the certificate displays? Based on something I encountered with some other software recently, I may have an idea about why this is happening to you, but since I haven't dealt with this problem in IE/OE context, it's better to have more information first. If it is what I'm guessing, cert updates are not the problem.
Dclem Posted February 2, 2017
I too have experienced this exact certificate security alert. It always appears when I receive e-mails with photos of products from a music dealer I buy from in Germany. Each photo in the e-mail, when loading, displays this alert. If I click yes, the photo is NOT displayed in the e-mail and another alert appears for the next photo... this continues until all the photos are presented. The e-mail is in HTML format and I am using Outlook Express version 6.00.2900
heinoganda (Author) Posted February 2, 2017
@glnz There are certificates that Windows XP can manage, but older Internet browsers or e-mail clients no longer work with the more modern encryption methods. Google Chrome, which also relies on the Windows XP certificate management, can use more modern encryption methods to access these certificates and work. There are exceptions like ECC certificates, which the certificate management of Windows XP cannot process. Because of this, some users have thought about an HTTPS proxy, which has its own CA certificate management, accepts all secure connections and passes them on to older programs in an encryption they understand.
Otherwise, with your information I cannot concretely reconstruct this problem. From the source text (under Properties) of the incorrectly displayed e-mail, I need the links to the external image files (beforehand, since nothing private is there, just open the link in Firefox or Google Chrome), which you can give me via PM.
Also, use Outlook Express for quick text e-mail, but generally with no access to external links in HTML e-mails (very high security risk!).
Mathwiz Posted February 3, 2017
11 hours ago, glnz said: Heinoganda - I run your cert_updater from time to time on my XP. The latest cert updates are still November 2016. But in my incoming emails, I now get certificate warnings from time to time, when I never got them up to a year ago. For example, I receive promo emails from Natural Area Rugs, from whom I've bought a few small floor rugs over the years, and now a Certificate Warning pops up. See attachment here. Similarly for emails from UPS.com that originate in their office in Thailand, which handles shipments for my wife's business. Those are not promo emails; I frequently respond to their emails, a few times per month. (FYI - my emails come in on Outlook Express 6, and my many old emails on OE6 are why I want to keep my XP machine running.) Are we sure the Cert_updater is getting good lists of current certificates? I'm sure it's working, but is it reaching for the right source data? Thanks.
9 hours ago, Dclem said: I too have experienced this exact certificate security alert. It always appears when I receive e-mails with photos of products from a music dealer I buy from in Germany. Each photo in the e-mail, when loading, displays this alert. If I click yes, the photo is NOT displayed in the e-mail and another alert appears for the next photo... this continues until all the photos are presented. The e-mail is in HTML format and I am using Outlook Express version 6.00.2900
That error dialog does not look like a root certificate issue to me. If it were, I'd expect the warning flag on the first line, not the third. To me it looks like a problem with the server configuration. That said, it could be that XP isn't handling new certificate extensions, so it thinks the certificate is invalid for the site even though it actually isn't. Have you downloaded the latest IE 6 updates? (You may need the POSReady '09 hack for this.)
BTW, if at some point you want to upgrade from OE 6, I'd recommend Windows Live Mail. It's much more like OE 6 than the Outlook from MS Office, and it will import all your OE 6 mail and contacts. The 2009 version runs on XP, but you'll need the offline installer.
mixit Posted February 3, 2017
@glnz On second thought, instead of us spending time with Q&A, you can just try this fix and see if it works; it's not a complicated procedure.
Open up regedit, go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root. If it already has a ProtectedRoots subkey, open it, otherwise create it. Then, in that HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots key, create a new DWORD value named Flags and set its value to 20 (Hexadecimal). I think this worked for my problem even without rebooting, but if it doesn't for you, reboot and try it then.
This sets the CERT_PROT_ROOT_DISABLE_NOT_DEFINED_NAME_CONSTRAINT_FLAG and gets around some new certs using name constraints in a way that works out of the box with the likes of Win7, but not with XP. Now, be aware that I'm not expert enough in this field to be able to tell you with 100% confidence that this change won't potentially open up a way for some fraudulent certs to slip through, but it seems OK to do based on what I've googled. YMMV and all that. I had to make this change to get my renewed smart card certificates to work.
If this doesn't work in your case, the problem may well be about the ECC issue @heinoganda mentioned. I just figured it might be the name constraint issue based on OE telling you that "the name on the security certificate is invalid". Might want to remove the newly created registry key if it doesn't help you.
Edited February 3, 2017 by mixit (typos)
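
A read-only check for the setting described in the post above, added here as an example and not code from any poster in this thread. It parses the text printed by `reg query "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots" /v Flags`, reports whether the 0x20 bit is set, and computes values that change only that bit if Flags already holds others; the sample outputs are constructed and the function names are hypothetical.

```python
import re

# Bit named in the post above (CERT_PROT_ROOT_DISABLE_NOT_DEFINED_NAME_CONSTRAINT_FLAG).
NAME_CONSTRAINT_BIT = 0x20

# Matches the "Flags  REG_DWORD  0x..." line of `reg query` output (tabs or spaces).
FLAGS_LINE = re.compile(r"^\s*Flags\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$", re.MULTILINE)

# Constructed sample outputs, not captured from a real machine.
SAMPLE_SET = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots\n"
    "    Flags\tREG_DWORD\t0x20\n"
)
SAMPLE_MIXED = SAMPLE_SET.replace("0x20", "0x21")  # another bit was already set
SAMPLE_ABSENT = "Error:  The system was unable to find the specified registry key or value\n"


def read_flags(reg_query_output):
    """Return the Flags DWORD as an int, or None when the value does not exist."""
    match = FLAGS_LINE.search(reg_query_output)
    return int(match.group(1), 16) if match else None


def audit(reg_query_output):
    """Report the state of the 0x20 bit and the values that change only that bit."""
    flags = read_flags(reg_query_output)
    current = flags or 0
    return {
        "value_present": flags is not None,
        "bit_0x20_set": bool(current & NAME_CONSTRAINT_BIT),
        "other_bits": current & ~NAME_CONSTRAINT_BIT,
        # OR the bit in rather than overwriting, so bits already in Flags survive.
        "value_to_enable": current | NAME_CONSTRAINT_BIT,
        # Clearing only this bit is the rollback.
        "value_to_revert": current & ~NAME_CONSTRAINT_BIT,
    }


if __name__ == "__main__":
    for label, text in (("set", SAMPLE_SET), ("mixed", SAMPLE_MIXED), ("absent", SAMPLE_ABSENT)):
        print(label, audit(text))
```
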
Dclem Posted February 3, 2017
14 hours ago, mixit said: @glnz On second thought, instead of us spending time with Q&A, you can just try this fix and see if it works; it's not a complicated procedure. Open up regedit, go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root. If it already has a ProtectedRoots subkey, open it, otherwise create it. Then, in that HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots key, create a new DWORD value named Flags and set its value to 20 (Hexadecimal). I think this worked for my problem even without rebooting, but if it doesn't for you, reboot and try it then. This sets the CERT_PROT_ROOT_DISABLE_NOT_DEFINED_NAME_CONSTRAINT_FLAG and gets around some new certs using name constraints in a way that works out of the box with the likes of Win7, but not with XP. Now, be aware that I'm not expert enough in this field to be able to tell you with 100% confidence that this change won't potentially open up a way for some fraudulent certs to slip through, but it seems OK to do based on what I've googled. YMMV and all that. I had to make this change to get my renewed smart card certificates to work. If this doesn't work in your case, the problem may well be about the ECC issue @heinoganda mentioned. I just figured it might be the name constraint issue based on OE telling you that "the name on the security certificate is invalid". Might want to remove the newly created registry key if it doesn't help you.
Thank you for this information, I'll give it a try. Sounds reasonable to me. If it doesn't work, I can always restore the registry with a backup.
heinoganda (Author) Posted February 3, 2017
Well, I would be interested in what AV is installed, and secondly I need the links to the images (if necessary by PM) from the affected e-mails so I can test!
sdfox7 Posted February 3, 2017
On 2/2/2017 at 8:53 AM, glnz said: Heinoganda - I run your cert_updater from time to time on my XP. The latest cert updates are still November 2016. But in my incoming emails, I now get certificate warnings from time to time, when I never got them up to a year ago. For example, I receive promo emails from Natural Area Rugs, from whom I've bought a few small floor rugs over the years, and now a Certificate Warning pops up. See attachment here. Similarly for emails from UPS.com that originate in their office in Thailand, which handles shipments for my wife's business. Those are not promo emails; I frequently respond to their emails, a few times per month. (FYI - my emails come in on Outlook Express 6, and my many old emails on OE6 are why I want to keep my XP machine running.) Are we sure the Cert_updater is getting good lists of current certificates? I'm sure it's working, but is it reaching for the right source data? Thanks.
Have you tried going into the Internet Options and disabling any of the certificate selections? (Note: the below image on my system is set to system defaults, you may have to try selecting/deselecting on your own to see what works)
Mathwiz Posted February 3, 2017
While you're there, scroll down a little further and make sure you have TLS 1.0 enabled (and preferably, SSL 2.0 and 3.0 disabled).