ProxHTTPSProxy and HTTPSProxy in Windows XP for future use


AstroSkipper


22 minutes ago, beansmuggler said:

It was WiseVector StopX. As you said, it was apparently detecting the AutoHotkey parts of the program, so I allowed it through.

Very good! It's all fine with my program package. We had here a beta test, and all my self-created executables are definitely clean. Any alarm notification from security programs is a false positive. :)

Edited by AstroSkipper

1 hour ago, AstroSkipper said:

We had here a beta test, and all my self-created executables are definitely clean. Any alarm notification from security programs is a false positive. :)

Let me rephrase this a bit: In the last beta test, there were false positives in your program package, even though they were clean as you said, and you worked hard to reduce them by a lot. But, yes, still, as you said, any notification from antiviruses are false positives, and should be ignored.


15 hours ago, mina7601 said:

Let me rephrase this a bit: In the last beta test, there were false positives in your program package, even though they were clean as you said, and you worked hard to reduce them by a lot. But, yes, still, as you said, any notification from antiviruses are false positives, and should be ignored.

Thank you @mina7601! But basically, it is not necessary to rephrase my statements, and frankly, I don't like that at all. My statements are meant as they were formulated by me. If you want to comment on them, I would like to read your own opinion and not what I have already said or maybe, didn't want to say, either. Provide your own experiences and thoughts! That would be much more interesting and valuable! IMHO, self-created content that contains personal and unique statements without constantly repeating those of others should be the goal of a poster, actually. The human mind, no matter what age, is capable of creating and formulating its own. Finding the right and individual path in life and also here in this forum always means forming your own opinion, standing by it and expressing it to others. I hope this helps you a bit! :)

Cheers, AstroSkipper

Edited by AstroSkipper

11 hours ago, AstroSkipper said:

Thank you @mina7601! But basically, it is not necessary to rephrase my statements, and frankly, I don't like that at all. My statements are meant as they were formulated by me. If you want to comment on them, I would like to read your own opinion and not what I have already said or maybe, didn't want to say, either. Provide your own experiences and thoughts! That would be much more interesting and valuable! IMHO, self-created content that contains personal and unique statements without constantly repeating those of others should be the goal of a poster, actually. The human mind, no matter what age, is capable of creating and formulating its own. Finding the right and individual path in life and also here in this forum always means forming your own opinion, standing by it and expressing it to others. I hope this helps you a bit! :)

Cheers, AstroSkipper

Wait, are you angry because my rephrasing looked like I was trying to copy your statement? If so, I'm sorry for that.

Also yes, this helped me a bit.


10 hours ago, mina7601 said:

Wait, are you angry because my rephrasing looked like I was trying to copy your statement? If so, I'm sorry for that.

Also yes, this helped me a bit.

No, I am not angry at all. But, as you know, I mean what I write, i.e., I would like to read comments with your personal experiences and ideas. I don't like rephrasing, repeating and comments without own content. To show you what I mean I rewrote your statement. Here is your comment in a more personal way of wording providing own opinions and experiences:

Quote

In the beta test of ProxHTTPSProxy's PopMenu TLS 1.3 3V3, there were some alerts from my AV scanner, too. I checked the suspicious files at VirusTotal, and they seemed to be clean as expected. After finishing the beta test, @AstroSkipper did a lot to reduce these alarm notifications by changing the code of his programs and pointed out that the previous alerts and the current rest of them can be considered as false positives. IMHO, they can be definitely ignored, and the complete program package can be whitelisted without hesitation.

It's just an example. :)

Edited by AstroSkipper
correction

Update notification!

Both versions of my Root Certificate and Revoked Certificate Updater have been updated and are now of 08/23/2022. You can find them in section Downloads -> Latest Downloads -> Downloads related to Root Certificate Updates in the first post of this thread.

Cheers, AstroSkipper


@AstroSkipper 

Hi, I got your program work, I had a good experience, and in getting Windows Update too.
and using the newer TLS I tried to read your manual.
Thanks for your good job too.

And I'm sorry I didn't come to tell you.
I've been busy with the Windows Media Player Dedicated Windows Media Player Addon, Server 2003 for All Languages, and the

RDP 7.0 Addon. (ENU ONLY)

And now I'm trying to find a tester with my addon
All languages are ready to be tested.

Google may have mistranslated

Edited by Taiga-chan

9 hours ago, Taiga-chan said:

@AstroSkipper 

Hi, I got your program work, I had a good experience, and in getting Windows Update too.
and using the newer TLS I tried to read your manual.

Hello @Taiga-chan! Glad to hear you got my program package working! Have fun with it! :yes:

9 hours ago, Taiga-chan said:

Thanks for your good job too.

You're welcome! And, many thanks!

Greetings from Germany, AstroSkipper


This thread is about different proxies to establish secure connections to servers or, more generally, to the internet. You often read about TLS and cipher suites here. Therefore, I have written a short article on these "termini technici" for those who do not know exactly what is meant by them.

The TLS protocols and their cipher suites

If you research the term TLS on the internet, you will get a lot of information, sometimes very simply presented, sometimes very technical, more for IT experts. With this small article, which can be seen more as a summary, I try to provide a little more transparency in this stuff.

Transport Layer Security, abbreviated TLS, is a protocol for the authentication and encryption of Internet connections. For this purpose, TLS is inserted as its own layer between TCP and the protocols of the application layer. Here is a linked graphic to make it more clear:

The-TLS-layers-and-sub-protocols.png

The individual tasks include authentication, certification, key exchange, integrity assurance and encryption. The main tasks are to guarantee the authenticity of the contacted remote stations, in most cases a server, by means of a certificate and to encrypt the connection between the remote stations. Here is a second linked graphic to demonstrate the actions and reactions in the communication between a client and a server:

TLS-Handshake-General-Steps-for-Establis

The used protocol defines the basic communication for the connection and is as crucial for a secure connection as the encryption protocol itself. Due to a series of vulnerabilities, the SSL2 and SSL3 protocols must be considered a security vulnerability and should be avoided at all costs. The successor to SSL3, TLS 1.0 should also be avoided, as the protocol offers a method to downgrade an established TLS 1.0 connection to SSL3. Thus, the connection is again vulnerable to the vulnerabilities that affect SSL3. Unfortunately, its successor TLS 1.1 is also no longer up to date and should be rather avoided nowadays. For a long time, the TLS 1.2 protocol was considered secure and therefore recommended. It offers a number of improvements that should ensure the security of connections again. In general, each new SSL or TLS version has brought additional features and options, making configuration a little more confusing, implementation more error-prone and handling more tedious. Overall, the use of TLS has become more insecure. With TLS 1.3, this should change, at best. Or, this was and is the actual goal, at least. For this reason, every single function of TLS has been tested for its security benefits and risks. In the process of development and in regard to the present knowledge, some parts were removed that no longer offer security and some of which are now also considered insecure. At the same time, security was improved with new procedures. Furthermore, measures for performance optimisation and preventive hardening measures for future attacks were taken into account. TLS 1.3 breaks backwards compatibility for the first time, which unfortunately causes some problems in practice. Connections with TLS 1.3 can be interrupted either because the connection is not accepted en route or due to a defective web server. Anyway, the protocols TLS 1.2 and, above all, TLS 1.3 are recommended as secure protocols nowadays. 
Here is a list of typical protocols and their cipher suites used by the TLS 1.3 proxy of my current program package ProxHTTPSProxy's PopMenu TLS 1.3 3V3 as an example. It's a screenshot taken from the website https://browserleaks.com/ssl:

browserleaks-ssl-2022-09-08-15-20-47.png

In the screenshot above, you can see many so-called cipher suites belonging to specific TLS protocols. A cipher suite is a standardised collection of cryptographic procedures (algorithms) for encryption. In the Transport Layer Security (TLS) protocol, the cipher suite specifies which algorithms are to be used to establish a secure data connection. A cipher suite is generally displayed as a long string of seemingly random information, but each segment of that string contains essential information. Generally, this data string is made up of several key components:

  1. The used protocol, in most cases TLS.
  2. The key exchange algorithm dictates the manner by which symmetric keys will be exchanged, such as RSA, DH, DHE, ECDH, ECDHE.
  3. The authentication algorithm dictates how server authentication and (if needed) client authentication will be carried out, such as RSA, DSA, ECDSA.
  4. The bulk encryption algorithm dictates which symmetric key algorithm will be used to encrypt the actual data, such as AES, 3DES, CAMELLIA.
  5. The Message Authentication Code (MAC) algorithm dictates the method the connection will use to carry out data integrity checks, such as SHA, SHA256, MD5.

In some cases, there is an Elliptic Curve Cryptography (ECC) which is an encryption technique that provides public-key encryption similar to RSA. While the security strength of RSA is based on very large prime numbers, ECC uses the mathematical theory of elliptic curves and achieves the same security level with much smaller keys.

Here are three linked graphics to illustrate this with examples:

tls-12-cipher-suite-breakdown-1024x500.p


tls-13-cipher-suite-breakdown.png

tls-cipher-suite.png

This article will also be part of my main article in the first post of this thread as soon as possible so that everyone is well informed about the technical background and the purpose of TLS and their cipher suites which are important for our proxies.

Greetings from Germany, AstroSkipper.

Edited by AstroSkipper
Update of content
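The component breakdown listed in the post above, as an added example that is not part of the original post or of ProxHTTPSProxy: a Python parser that splits IANA-style suite names (the `TLS_..._WITH_...` form) into those parts and also handles TLS 1.3 names, which carry no key exchange or authentication segment. The function name, field names and sample suite list are assumptions chosen for this illustration.

```python
"""Added example: split an IANA-style TLS cipher suite name into its parts."""
from typing import NamedTuple, Optional

KNOWN_DIGESTS = {"MD5", "SHA", "SHA256", "SHA384"}
AEAD_MARKERS = {"GCM", "CCM", "POLY1305"}


class SuiteParts(NamedTuple):
    protocol: str                  # "TLS 1.3" or "TLS 1.2 or earlier"
    key_exchange: Optional[str]    # None for TLS 1.3 (negotiated outside the suite)
    authentication: Optional[str]  # None for TLS 1.3 (negotiated outside the suite)
    bulk_cipher: str
    digest: Optional[str]          # MAC hash; for AEAD suites the PRF/HKDF hash
    aead: bool                     # cipher provides integrity itself (GCM, CCM, ...)
    ephemeral_kx: bool             # DHE/ECDHE; TLS 1.3 full handshakes always are


def parse_cipher_suite(name: str) -> SuiteParts:
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS suite name: {name!r}")
    if name.endswith("_SCSV"):
        raise ValueError(f"signalling value, not a cipher suite: {name!r}")
    body = name[len("TLS_"):]
    kx = auth = None
    protocol = "TLS 1.3"
    if "_WITH_" in body:
        protocol = "TLS 1.2 or earlier"
        left, body = body.split("_WITH_", 1)
        kx, _, auth = left.partition("_")
        auth = auth or kx              # TLS_RSA_WITH_...: RSA does both jobs
    cipher, _, last = body.rpartition("_")
    if cipher and last in KNOWN_DIGESTS:
        digest = last
    else:                              # e.g. ..._WITH_AES_128_CCM_8 has no hash suffix
        cipher, digest = body, None
    aead = any(tok in AEAD_MARKERS for tok in cipher.split("_"))
    ephemeral = protocol == "TLS 1.3" or kx in ("DHE", "ECDHE")
    return SuiteParts(protocol, kx, auth, cipher, digest, aead, ephemeral)


# Constructed sample list (not taken from the screenshot in the post).
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]


def suites_without_ephemeral_kx(names):
    """Names whose key exchange is static, so past traffic depends on one key."""
    return [n for n in names if not parse_cipher_suite(n).ephemeral_kx]


if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        print(suite, "->", parse_cipher_suite(suite))
    print("static key exchange:", suites_without_ephemeral_kx(SAMPLE_SUITES))
```

OpenSSL-style names such as `ECDHE-RSA-AES128-GCM-SHA256` use a different layout and are rejected by this parser rather than guessed at.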

Update notification!

My article "ProxHTTPSProxy or HTTPSProxy in Windows XP for future use" in the first post of this thread has been extended by a new section about TLS and their cipher suites. It will be updated and enhanced continuously by everything about my program packages in the next weeks. A lot will be rewritten due to the existence of the brand new TLS 1.3 proxy. A further, new section will be added, too. So, stay tuned! If you are interested, then have a look from time to time here. :)

Cheers, AstroSkipper

Edited by AstroSkipper
Update of content

2 hours ago, AstroSkipper said:

Update notification!

My article "ProxHTTPSProxy or HTTPSProxy in Windows XP for future use" in the first post of this thread has been extended by a new section about TLS and their cipher suites. It will be updated and enhanced continuously by everything about my program packages in the next weeks. A lot will be rewritten due to the existence of the brand new TLS 1.3 proxy. A further, new section will be added, too. So, stay tuned! If you are interested, then have a look from time to time here. :)

Cheers, AstroSkipper

Interesting, can't wait for it!


Just a reminder! Any changes to an installation of ProxHTTPSProxy or HTTPSProxy, especially the installation of a new CA certificate, or severe crashes of the system while one of the proxies was running in the background, always require a reset of all dummy certificates in the Certs subfolder. The word "reset" at this point means deleting all certificates manually that have been created in the Certs folder. The next time the proxy is started correctly, all necessary certificates will be created again when the corresponding websites are accessed. Renaming or saving the Certs folder is completely unnecessary.

Cheers, AstroSkipper

Edited by AstroSkipper

@SC7601!

45 minutes ago, SC7601 said:

I simply didn't have a use for it :angel Currently I use the browsers which works without needing the functionality of TLS 1.3 proxy. I have a second WinXP install though, without TLS 1.2 updates. I wanted to try it in that install, but I had to download it from this installation because I didn't want to mess with configuring some browser! (laziness shows up :D) And, I don't want to boot it up anymore as the reason of installation was I couldn't boot up this one after I've installed Linux (I just had to edit boot.ini, but I found it out later).

Using ProxHTTPSProxy with browsers that already support TLS 1.2 or 1.3 is not the purpose of it. Generally, these TLS proxies are needed to access Windows Update or Microsoft Update, for example. Or, for updating programs that require the old Internet Explorer. Or, for email programs that cannot set up such connections themselves, e.g. eM Client or Eudora, and so on. But, all this has nothing to do with the fact that you actually just wanted to test my software package on a time-period correct system. Didn't it? :P BTW, you can test it with browsers already supporting TLS 1.2 and 1.3, too. Anyway, it was your suggestion! :yes:

Cheers, AstroSkipper
 

Edited by AstroSkipper

Certificates - CA and Root Certificates

Although Windows XP was abandoned and updates of root certificates were not provided anymore by Microsoft for this OS, we still found ways to update them. And, if we want to install one of our TLS proxies, we have to install a CA certificate to get them working. In both cases, certificates are needed, and this short article is intended to shed some light on this certificate jungle with regards to our TLS proxies.

The CA certificate of ProxHTTPSProxy

A certificate authority (CA) is a trusted entity that issues digital certificates. These are files that cryptographically link an entity to a public key. Certificate authorities are an important part of the Internet's Public Key Infrastructure (PKI) because they issue the Secure Sockets Layer (SSL) certificates that browsers use to authenticate content sent from web servers. All popular web browsers use web servers' SSL certificates to keep content delivered online secure. They all need to trust certificate authorities to issue certificates reliably. SSL certificates are used in conjunction with the Transport Layer Security (TLS) protocol to encrypt and authenticate data streams for the HTTPS protocol, and are therefore sometimes referred to as SSL/TLS certificates or simply TLS certificates. The first time ProxHTTPSProxy is started, it creates the keys for a certificate authority in its program directory if there is none. This file CA.crt is used for on-the-fly generation of dummy certificates for each visited website which are stored in the subfolder Certs. And, there is a second file called cacert.pem located in ProxHTTPSProxy's program directory. This file cacert.pem contains the currently valid root certificates (will be considered in more detail below) used by the proxy to verify the server connections. Since your browser won’t trust the ProxHTTPSProxy's CA certificate out of the box, you will either need to click through a TLS certificate warning on every domain, or install the CA certificate once so that it is trusted. It has to be installed in the Trusted Root Certification Authority of Windows XP and in some cases additionally in the Certificate Manager of a browser as in the cases of New Moon, Pale Moon, Firefox, and others. The Internet Explorer doesn't possess an own certificates store and uses the Trusted Root Certification Authority of Windows XP. 
Typically, digital certificates contain data about the entity that issued the certificate and cryptographic data to verify the identity of the entity, including the entity's public key and expiration date for the certificate, as well as the entity's name, contact information, and other information associated with the certified entity. Web servers transmit this information when a browser establishes a secure connection over HTTPS. In doing so, they send to it the certificate and the browser authenticates it using its own root certificate store. The following graphic illustrates the structure of a Certificate Authority as for example GlobalSign:

ca-structure.png

SSL/TLS certificates are based on PKI as mentioned above, and there are a few key parts that need to be in place for the SSL certificate to work:

  • A digital certificate (for example, an SSL/TLS certificate) that proves the website’s identity.
  • A certificate authority that verifies the website and issues the digital certificate.
  • A digital signature that proves the SSL certificate was issued by the trusted certificate authority.
  • A public key that your browser uses to encrypt data sent to the website.
  • A private key that the website uses to decrypt the data sent to it.

Here is another graphic to illustrate the role that a certificate authority (CA) plays in the Public Key Infrastructure (PKI):

certificate-authority.png

When installing such CA certificates in Windows XP manually, then there is something else to note. It can be of crucial importance whether one installs a root certificate under the account of the Current User or Local Computer. In the first post of my thread, you can find more information on that. Furthermore, exiting ProxHTTPSProxy completely, deleting the old CA.cert file in ProxHTTPSProxy's program directory, and restarting ProxHTTPSProxy will result in the generation of a new CA certificate CA.crt that will be valid for another ten years. In addition, the certificate bundle cacert.pem should be updated, at best regularly. You can do that with the tool cacert Updater Fixed which can be found in the download section under Downloads related to cacert.pem Certificate Update in the first post of this thread. This tool is also included in my program package ProxHTTPSProxy's PopMenu. And, that is the moment to note something very important. Any change to a ProxHTTPSProxy installation regarding the CA certificate or a severe system crash while one of the proxies is running in the background always requires a reset of all dummy certificates in the Certs subfolder. The word "reset" at this point means deleting all certificates that have been created in the Certs folder, manually by the user. The next time the proxy is started correctly, all necessary certificates will be created again when the corresponding websites are accessed. Here are a few screenshots of ProxHTTPSProxy's CA certificate (German edition of Windows XP, sorry!):

Prox-HTTPSProxy-s-CA-certificate-1.pngProx-HTTPSProxy-s-CA-certificate-2.png
Prox-HTTPSProxy-s-CA-certificate-3.pngProx-HTTPSProxy-s-CA-certificate-4.png


The Root Certificates of Windows XP

In cryptography and computer security, a root certificate is a public key certificate that identifies a root certificate authority (CA). Root certificates are self-signed and form the basis of an X.509-based PKI. Either it has matched Authority Key Identifier with Subject Key Identifier, in some cases there is no Authority Key identifier, then Issuer string should match with Subject string (RFC 5280). For instance, the PKIs supporting HTTPS for secure web browsing and electronic signature schemes depend on a set of root certificates. A certificate authority can issue multiple certificates in the form of a tree structure. A root certificate is the top-most certificate of the tree, the private key which is used to "sign" other certificates. All certificates signed by the root certificate, with the "CA" field set to true, inherit the trustworthiness of the root certificate. A signature by a root certificate is somewhat analogous to "notarizing" identity in the physical world. Such a certificate is called an intermediate certificate or subordinate CA certificate. Certificates further down the tree also depend on the trustworthiness of the intermediates.
The following graphic illustrates the role of a root certificate in the chain of trust:

Chain_Of_Trust.svg

The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. Root certificates are distributed in Windows XP by Microsoft and located in special certificate stores. These certificate stores may be viewed through the Certificates snap-in Certmgr.msc in the Microsoft Management Console (MMC). You can open the Certificates console focused on the Current User on a Windows XP computer by opening Certmgr.msc in the Run dialog box. Here is a screenshot of what you see running this command (German edition of Windows XP, sorry!):

Certificates-Manager.png

The root certificates of Windows XP can be updated by @heinoganda's Certificate Updater or by my self-created Root Certificate and Revoked Certificate Updaters, in both cases to the most recent ones provided by Microsoft. These updaters can be found in the download section under Downloads related to Root Certificate Updates in the first post of this thread. There is no automatism for this updating. It must be done manually by the user and, if possible, regularly. @heinoganda's Certificate Updater is also included in my program package ProxHTTPSProxy's PopMenu.

Greetings from Germany, AstroSkipper

Edited by AstroSkipper
Update of content
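The post above notes that a root certificate is self-signed, so its Issuer matches its Subject. As an added example (not part of the original post or of ProxHTTPSProxy), this Python sketch walks the DER structure of a certificate with the standard library only and compares the two Name fields byte for byte; it covers the Issuer/Subject comparison, not the Authority/Subject Key Identifier comparison. All function names are assumptions, and the sample certificates are constructed, unsigned skeletons.

```python
"""Added example: detect a self-issued (root-style) certificate from its DER bytes."""
import ssl


def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low 7 bits = count of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Return the encoded issuer and subject Names from tbsCertificate."""
    _, start, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    _, pos, end = read_tlv(der, start)    # tbsCertificate SEQUENCE
    fields = []
    while pos < end and len(fields) < 6:
        tag, _, nxt = read_tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    if fields and fields[0][0] == 0xA0:   # optional explicit [0] version field
        fields.pop(0)
    if len(fields) < 5:
        raise ValueError("not an X.509 tbsCertificate")
    # Remaining order: serialNumber, signature, issuer, validity, subject
    return fields[2][1], fields[4][1]


def is_self_issued(der):
    issuer, subject = issuer_and_subject(der)
    return issuer == subject


def is_self_issued_pem(pem_text):
    """Same check for a PEM file such as the proxy's CA.crt."""
    return is_self_issued(ssl.PEM_cert_to_DER_cert(pem_text))


# --- constructed sample input (unsigned skeletons, not real certificates) ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + content


def _name(common_name):
    attr = _tlv(0x30, bytes.fromhex("0603550403") + _tlv(0x0C, common_name.encode()))
    return _tlv(0x30, _tlv(0x31, attr))   # Name with a single CN attribute


def constructed_cert(issuer_cn, subject_cn):
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + _tlv(0x30, b"") + _name(issuer_cn) + _tlv(0x30, b"")
               + _name(subject_cn) + _tlv(0x30, b""))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    root = constructed_cert("Example Root CA", "Example Root CA")
    leaf = constructed_cert("Example Root CA", "www.example.test")
    print("root self-issued:", is_self_issued(root))
    print("leaf self-issued:", is_self_issued(leaf))
```

Matching names only show that a certificate is self-issued; whether it is trusted still depends on its signature verifying and on it being present in the certificate store.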