Forum Thread: Fraudulent digital certificates

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Open Discussions

This thread has been marked as locked.
gjjean Fraudulent digital certificates
Contributor 23rd Mar, 2011 21:11
Ranking: 192
Posts: 197
User Since: 9th Apr, 2010
System Score: 100%
Location: LB
Hi All

Microsoft warns: Fraudulent digital certificates issued for high-value websites.

This advisory from MS was issued today and this affects all web browsers with https.

Read this on the following site:

http://www.microsoft.com/technet/security/advisory...

Stay secure


--
HP pavilion DV6
Win 7 64bit - SP1
IE10 + MSSE4.3.215

Anthony Wells RE: Fraudulent digital certificates
Expert Contributor 23rd Mar, 2011 23:49
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello John ,

I downloaded and installed KB2524375 from your link in order to be sure/maximise my protection ; remember to select your language !!

On then checking my Firefox 4.0 , I see that the required OCSP (detailed in your link) is/was enabled - either my original/default settings or provoked by the M$ KB .

My Dev channel version 11.x Chrome browser shows (after a bit of digging) the fraudulent website certificates actually listed as "Fraudulent" .

Thanks for the heads up ; I feel better knowing .

Take care

Anthony



--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+0
-0
Maurice Joyce RE: Fraudulent digital certificates
Handling Contributor 24th Mar, 2011 00:15
Score: 11785
Posts: 9,035
User Since: 4th Jan 2009
System Score: N/A
Location: UK
This hotfix is available via Windows update.

It places all the fraudulent certificates in the untrusted zone in the Windows Certificate vault.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+2
-0
Anthony Wells RE: Fraudulent digital certificates
Expert Contributor 24th Mar, 2011 00:44
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello Maurice ,

As the KB hotfix did not show up in my full scan at 16.00 today (actually checking for Firefox 4.0 which had finally turned up) and there was no M$ update icon in my tray this evening , I followed the paper trail left by John and decided to go through with a manual install which also needed a "Genuine Windows Validation" exercise and supplied key copy and paste !!

The hotfix now shows in "Add/Remove" but nothing at M$updates ; although I did pick up the Root certificate KB 931123 (optional )- mentioned by ddm on another thread - whilst I was there .

Does the "Windows Vault" interact directly with the browser and/or its settings or is it a separate check system ??

Take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+0
-0
Maurice Joyce RE: Fraudulent digital certificates
Handling Contributor 24th Mar, 2011 00:59
Score: 11785
Posts: 9,035
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Hello Anthony,
I agree - the warning was not showing if U use the manual Windows Update method. I got the information via an RSS feed from Microsoft that it was available on the download site hence my short post having completed the exercise.

U can always check your certificates for your OS here:

Open IE>Tools>Internet Options>Content>Certificates - just click the tabs & it reveals all.

Tinkering with them is not for the faint hearted!

It shows as an update in Windows 7 - not surprising because that is the location used to uninstall if required.

Good idea to keep the Root Certificates up to date. Cannot understand why Microsoft make them optional under XP.

Hope this helps.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+2
-0
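
Added example (not part of any post in this thread): a PowerShell check for what the posts above describe, reporting whether KB2524375 is recorded as installed and listing the untrusted-certificate store that the update populates. It assumes Windows PowerShell 2.0 or later; `Get-UntrustedCert` is a hypothetical helper name.

```powershell
# Added example, not code from the thread.
# Get-UntrustedCert is a hypothetical helper name.

function Get-UntrustedCert {
    param(
        # Optional wildcard filter on the issuer name; '*' returns everything.
        [string]$IssuerLike = '*'
    )
    # 'Disallowed' is the store shown as "Untrusted Certificates" in the
    # Internet Options > Content > Certificates dialog.
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        $path = "Cert:\$location\Disallowed"
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path |
            Where-Object { $_.Issuer -like $IssuerLike } |
            Select-Object @{ Name = 'Store'; Expression = { $location } },
                          FriendlyName, Subject, Issuer, SerialNumber,
                          Thumbprint, NotAfter
    }
}

# KB number as given in the thread. Get-HotFix only lists updates that
# Windows records as hotfixes, so a miss here is not proof of absence.
$kb = Get-HotFix -Id 'KB2524375' -ErrorAction SilentlyContinue
if ($kb) { "KB2524375 installed on $($kb.InstalledOn)" }
else     { 'KB2524375 not reported by Get-HotFix; check the store contents below.' }

# The store contents are the real evidence that the certificates are blocked.
$untrusted = @(Get-UntrustedCert)
if ($untrusted.Count -eq 0) {
    'No certificates in the Disallowed store for this machine or user.'
} else {
    $untrusted | Sort-Object Store, Subject | Format-Table -AutoSize -Wrap
}
```

Because Internet Explorer and Chrome on Windows read the same system store, the rows printed here should match the list those browsers show; Firefox keeps its own certificate database and is not covered by this check.
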
Anthony Wells RE: Fraudulent digital certificates
Expert Contributor 24th Mar, 2011 01:20
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Thanks Maurice , the list in IE8 is identical to that which I found in Chrome , so that must be the "Windows vault" I'm seeing , in both cases .

Can't put my finger on it in Firefox for some reason , but am happy with my settings there anyway :))

Absolutely no chance of me fiddling inappropriately with my heart condition !!

As for the treatment of XP which is used by so many businesses as a solid workhorse , not to mention elsewhere .. ???

Anthony




--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+1
-0
puget1 RE: Fraudulent digital certificates
Member 24th Mar, 2011 02:24
Score: 0
Posts: 551
User Since: 21st Dec 2007
System Score: N/A
Location: US
@ Anthony Wells

In Firefox go to Tools>Options>Advanced tab>Encryption tab and there it will be. View Certificates

--
Gone to Linux permanently
Was this reply relevant?
+0
-0
gjjean RE: Fraudulent digital certificates
Contributor 24th Mar, 2011 09:58
Score: 192
Posts: 197
User Since: 9th Apr 2010
System Score: 100%
Location: LB
@ Anthony Wells

Congrats for (Expert Contributor).

As for my thread, I mentioned this for OP that don't use the auto update on their OS's and also for those who still have the XP version of MS.

Thank you.


--
HP pavilion DV6
Win 7 64bit - SP1
IE10 + MSSE4.3.215
Was this reply relevant?
+6
-0
Anthony Wells RE: Fraudulent digital certificates
Expert Contributor 24th Mar, 2011 12:41
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello puget1 ,

Thank you , I do know where to look in Ff 4.0 , but the Fraudulent listing in the "vault" is not to be seen there . There are options to load the Comodo CRL , but with the OCSP enabled and the KB installed , I don't have time to delve further atm .

Hi John ,

Thanks to you ; your post was ideal for me .

Take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+3
-0
puget1 RE: Fraudulent digital certificates
Member 24th Mar, 2011 16:49
Score: 0
Posts: 551
User Since: 21st Dec 2007
System Score: N/A
Location: US
@Anthony Wells

Here is an add-on that may help: https://addons.mozilla.org/en-US/firefox/addon/cer...

--
Gone to Linux permanently
Was this reply relevant?
+1
-0
Anthony Wells RE: Fraudulent digital certificates
Expert Contributor 25th Mar, 2011 18:47
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello puget1

Thanks for the Add-on tip , like I said , I have no worries and I don't have the time to delve deeper atm , so will keep it in mind for another time .

Take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+0
-0