360 Extreme Explorer Modified Version

[NotHereToPlayGames]

Does SP4 and post-SP4 have anything specifically labeled as related to "certificate updates"?

Can you pull those out or unstall just that portion of SP4 and post-SP4?

 

Which makes you feel most "secure"  --  a green padlock in your web browser or having POS updates?

 

I work with roughly 120 robots at work that all run XP Embedded.

They all have POS updates because Microsoft Updates rolls/rolled those out to XP Embedded without any registry hacks that would have flagged not only local IT, but the IT departments on three different CONTINENTS and would have resulted in a Termination Notice.

But NONE of those robots have INTERNET access.  Intranet, yes...  but no internet access!

[UCyborg]

No issues related to CA root certificates with EE all the way from XP to 10 on my end. All sites that @ArcticFoxie tested on his Vista VM work without errors (browser indicates secure connection) on my Vista installation and other OS, along with Ecosia and Discord.

EE checks both system certificate store and CA certificates in its own store and if the match is found, shows green padlock or green padlock with grey exclamation mark, the latter only indicates Chinese don't trust it (CA is not on their list).

When no match, this is the end on XP, site is considered untrusted. Properly updated Vista and above, if this function isn't explicitly disabled by group policy setting, are at this point able to check Windows Update if the entity that issued the site's certificate is on Microsoft's list of trusted CA and if it is, it can pull its CA certificate and install it in system certificate store in Trusted Root Certification Authorities folder, so in this case the green padlock shows, but otherwise, the site is considered untrusted.

https://browserleaks.com/ssl explicity tests if the browser accepts resources over unencrypted connection, so errors are expected with browsers that don't block them in that case.

Not sure about the error with insecure resources on MSFN, I guess it's related to either ads from Google domains or the stuff from Cloudflare. Don't know how to check this situation more thoroughly since it doesn't happen here.

If one's system can't check/pull certificates from Windows Update, quickest way is running the cert updater from here. This will install all of them from MS server. To keep the certificate store lean, probably the only way is checking the certificate details in the browser and looking up the CA certificate name on Certification Path tab, hunting the certificate on the internet and installing it manually.

Edited August 7, 2021 by UCyborg

[beansmuggler]

2 hours ago, ArcticFoxie said:

Does SP4 and post-SP4 have anything specifically labeled as related to "certificate updates"?

Can you pull those out or unstall just that portion of SP4 and post-SP4?

 

Which makes you feel most "secure"  --  a green padlock in your web browser or having POS updates?

I'm not sure, though really I've done enough stuff to this machine with updates and certificates that I might just try starting afresh and seeing if the problem is fixed there. Would the post-SP3 you provided be necessary if I installed all updates through a service like the one described here?

Also, I my concern isn't so much having a green padlock as it is having a slightly more reliable certificate assessment and, more importantly, having secure encryption algorithms that 360 doesn't seem to be employing on some sites (for this example, Discord and Ecosia).

[NotHereToPlayGames]

2 hours ago, beansmuggler said:

Would the post-SP3 you provided be necessary if I installed all updates through a service like the one described here?

Nope.  I prefer to "slipstream" all of my updates.  That way I am fully updated after a 30min install as opposed to spending 30min to install than 4hrs to update.

[Dixel]

On 8/5/2021 at 1:37 PM, ArcticFoxie said:

I personally have never in my entire life installed any "certificates"

Oh man , even though I put a like on your post again , It's just sometimes hard to follow what you're trying to tell . If the above from your comment is true , how come you say you don't see any cert. errors with your XP then ? As for me , I'm seeing this "unsecure warning" right now and sometimes (better say from time to time) only on this website and only when logged in ! @UCyborg , I read you didn't see it , was it when you not looged in ? As for the other cert. errors , I think I already wrote here that I have none (except for this) with 360EE , since I installed the cert. pack by @legacyfan.

[Dixel]

9 hours ago, UCyborg said:

If one's system can't check/pull certificates from Windows Update, quickest way is running the cert updater from here.

Didn't work for me on Vista , even though I have no updates . It pulled some (but not all certificates) , for example twitter was still giving me errors . The only solution that helped, read my comment above.

[Dixel]

17 hours ago, ArcticFoxie said:

360Chrome was developed, at its core, to backport browser functionality specifically to XP.

Says who ? Link , please ! I read it was something like "also works on XP" . 

[Dixel]

17 hours ago, ArcticFoxie said:

Please don't misread, I'm asking because I am curious.

Is it because XP has a larger following than Vista and nobody out there is "backporting" specificly for the Vista Audience?

Forgive the curiosity, I'm just trying to place myself in your shoes - my shoes are XP so I understand the path that I walk in those shoes.

Well , for me it was an obvious choice when the problems with online shopping started . As you may know, Vista was cut off from browsing along with XP in 2016 . So I started looking for a browser long before the famous extended kernel project by @win32 started and found UC browser and 360 (a bit later) , of course I had to spend a big deal of time writing my own launcher and removing the telemetry . I think I shall continue to use 360EE in the future . Why ? The extended kernel doesn't help with extensions, like at all  . For example , you can't install adblock on anything higher than Chrome 60 , terribly outdated. I did manage to pull a trick and forced the adblock with version 81 , but it is older than 360EE which is based on 86 . Do I have to explain any further ? So using the ex-kernel makes no sense for me , at least until the problem with extensions is gone . And with 360 I can use whatever I like/want .

[NotHereToPlayGames]

55 minutes ago, Dixel said:

. . . how come you say you don't see any cert. errors with your XP then ?

Maybe not in "that" post, but I thought that I did previously discuss that I have never manually installed any certificate that didn't come directly from Microsoft by way of a "KB" hotfix.

And since I don't use the POS hack, then that also means I don't have any certificate updates that were never pushed via Windows Update to "real" XP.

I'm not familiar with @legacyfan's (?) "cert pack" but it's not my practice to install stuff like that.

There might come a day where I will "have" to have something like that, but that day hasn't arrived yet.

[UCyborg]

2 hours ago, Dixel said:

As for me , I'm seeing this "unsecure warning" right now and sometimes (better say from time to time) only on this website and only when logged in ! @UCyborg , I read you didn't see it , was it when you not looged in ?

I was logged in. No content blocker of any kind was installed neither. I thought at first being logged in gives me local Slovenian ads while not being logged in gives more generic English ads, but it's actually random.

Edited August 8, 2021 by UCyborg

[beansmuggler]

Alright, I installed purely up to SP3, then installed Firefox and 360chrome v13. Ecosia , MSFN, and Discord were trusted in Firefox, but not 360 v13. Waiting on updates to download (decided to take a non-SP4 method that should avoid POS updates)

[Dixel]

On 8/8/2021 at 8:25 AM, ArcticFoxie said:

I'm not familiar with @legacyfan's (?) "cert pack" but it's not my practice to install stuff like that.

Well , you're absolutely right ! The first rule of the internet : trust no one ..... including Microsoft , lol. So how do you update your certs then ? By manually unpacking cab files and installing them , right ? I gather you don't trust that 3rd party tool suggested by @UCyborg too ? Care to elaborate ? Thanks.

P.S. 

Legacyfan's certs are legit , 100% legit , I checked . He just wrote a bat file to install them all at once as admin. I would show them to you , but the admins might be against it , since they already deleted his pack earlier.

[Dixel]

It seems I've found what was the culprit !!! At least for me , it's the links that some of the members inlcude in their signature . 360 browser is indeed good, it marks additional resources as insecure and the browser is absolutely right , because I don't have any cert. for that resources. For example , it shows this warning on jaclaz's posts , I've opened some of his recent comments and I've got this warning right away ! Why the browser marks these resources as insecure , it's simple : no certs. With all due respect to this wonderful member . 

jaclaz.altervista.org

http://jaclaz.altervista.org/Projects/freedom_of_skin.htm

P.S.

@beansmuggler , it makes no sense to compare the behaviour of Firefrox and any other chrome browser because firefox has it's own cert. system ! 

[NotHereToPlayGames]

5 hours ago, Dixel said:

So how do you update your certs then ?

Well, since you asked  --  I DON'T !

I install my slipstreamed-through-2018 XP and I'm on my merry way.

If those slipstreamed hotfixes update certs, so be it, doesn't concern me.

I have my web browser settings set to NOT "check for revocation" - if the OS does external to the browser, so be it, doesn't concern me.

"Not for everyone", but I personally don't give a rat's a$s if my web browser shows a green padlock or not!

And to all that "disagree", do not "lecture" me on this course of action - this is my computer, not yours, and I have my own methods of knowing what web site is "secure" or not.

As I have pointed out before, and linked articles to, even fake and identity-stealing web sites know how to get that "green padlock" to show up on their "secure" web site!

It honeslty ASTOUNDS ME on the number of people that are "chasing their tail" over whether a green padlock is being shown in this browser versus that browser, this OS versus that OS.

But since it is pretty much the "only" topic (I'm exaggerating - "slightly") of late here at MSFN and that I enjoy the people and content here at MSFN, here I am caught up in all of this hoopla.

If I create the atmosphere where I "habitually" look for a green padlock, then I've created a FALSE sense of "security" that is NO LONGER savvy enough to detect fake and identity-stealing web sites that know how to get that "green padlock"!

Edited August 9, 2021 by ArcticFoxie

[Dixel]

3 hours ago, ArcticFoxie said:

I DON'T !

That's what puzzles me . How come you don't have cert. errors then ? So your system is super clever and able to update them on it's own ? You're a unique case then ! People are struggling to make their system update them automatically (that's why ucyborg suggested that tool). My Vista is not modified , I remember you asked earlier , but it is not able to update the certs on it's own .