Avast WEBforum

Other => General Topics => Topic started by: ehmen on February 19, 2015, 07:14:00 PM

Title: Fraudulent certificates in certmgr.msc
Post by: ehmen on February 19, 2015, 07:14:00 PM
Hi, I discovered a bunch of untrusted and fraudulent certificates in my certmgr.msc, see attachment.
Is this indicative of any threats on my computer, or is it normal to have such certificates? And should I delete all of them (especially those that haven't expired yet)?

Thank you.
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on February 23, 2015, 02:32:55 AM
Is anyone familiar with the Certificate Manager and can help me out here?
Thanks in advance!
Title: Re: Fraudulent certificates in certmgr.msc
Post by: Eddy on February 23, 2015, 03:00:33 AM
How many times is it that you need to be told you are trying to do things that are way over your head before you understand it?
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on February 23, 2015, 05:20:56 AM
How many times is it that you need to be told you are trying to do things that are way over your head before you understand it?
None Eddy, since I'm asking for advice and not for constant insults (knee-jerk at that).

And what am I "trying to do" as you put it, that's over my head? I'm just asking if it's okay that there's fraudulent certificates on my computer, and if other people have them as well (which would tell me that it's quite a normal occurrence for whatever reason).

Title: Re: Fraudulent certificates in certmgr.msc
Post by: Lisandro on February 23, 2015, 11:33:16 AM
Hey, I have a lot of certificates there too. Maybe Polonus could help us how to scan/remove most of them... Or Pondus, or any other who knows how to manage the certificates...
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on February 23, 2015, 02:36:29 PM
Hi ehmen and Lisandro,

We are glad to be of help and now with Superfish and PrivDog scandal unfolding, it is mighty important to manage root certificates to avoid MIM attacks and I mean that this is important for everyone.
Read here: https://support.quovadisglobal.com/KB/a41/how-do-i-check-my-certificates-on-firefox.aspx?KBSearchID=27234
On Chrome devices: https://support.google.com/chrome/a/answer/6080885?hl=en
For the Chrome Browser: https://support.google.com/chrome/answer/95572?hl=en

polonus
Title: Re: Fraudulent certificates in certmgr.msc
Post by: DavidR on February 23, 2015, 04:37:16 PM
Isn't the whole point of the untrusted certificates to act as a reference blacklist, so as not to allow these certificates if you come across them during browsing, etc.?

I can't recall who updates these untrusted certificates - windows updates or other source.
Title: Re: Fraudulent certificates in certmgr.msc
Post by: Lisandro on February 23, 2015, 07:58:52 PM
Not to allow these certificates if you come across them during browsing, etc.
But I never allow anything and there are tons of certificates there...
Thanks Polonus. Can you help me writing a blog article about these two incidents? (Superfish and PrivDog).
Better than everything else:
1. What should we do?
2. What are the limits of the suggested protection?
Title: Re: Fraudulent certificates in certmgr.msc
Post by: DavidR on February 23, 2015, 08:13:06 PM
That's the point, you don't have to allow Trusted Certificates, it is why they are issued so you can prove who you are as such - so without something like the Untrusted Certificates they too would be classed as trusted and would sail through.
Title: Re: Fraudulent certificates in certmgr.msc
Post by: Lisandro on February 23, 2015, 10:22:48 PM
How can I check the list of my certificates?
Title: Re: Fraudulent certificates in certmgr.msc
Post by: essexboy on February 23, 2015, 10:28:15 PM
The untrusted ones are a checklist, aka a blacklist; Windows will treat any so marked as bad.
Title: Re: Fraudulent certificates in certmgr.msc
Post by: Eddy on February 23, 2015, 10:36:22 PM
Expired certificates from DigiNotar should be removed.
They were hacked in 2011.
The company has been gone since 20 September 2011 (bankrupt).
Title: Re: Fraudulent certificates in certmgr.msc
Post by: Lisandro on February 23, 2015, 10:53:58 PM
Expired certificates from DigiNotar should be removed.
They were hacked in 2011.
The company has been gone since 20 September 2011 (bankrupt).
Can't find any expired or DigiNotar certificate in my list...
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on February 24, 2015, 01:58:47 AM
Thanks everyone for your input.

Bottom line: should I delete all of the untrusted and fraudulent certificates or only specific ones?

Thank you.
Title: Re: Fraudulent certificates in certmgr.msc
Post by: mchain on February 24, 2015, 03:55:32 AM
Thanks everyone for your input.

Bottom line: should I delete all of the untrusted and fraudulent certificates or only specific ones?

Thank you.
Hi ehmen,

Though you may not care for Eddy's advice, be mindful of what you do.  The certificate listing is a list Windows uses to prevent potential harm to your computer.  This list is sometimes updated by Microsoft in one of their periodic Windows Updates called 'root certificates'.

https://en.wikipedia.org/wiki/Root_certificate

The difference between any user that knows what they are doing and the ones that don't, basically is the difference between fixing something that needs to be fixed and not fixing things that don't.   

So the fine line between fixing things one wants to fix must be tempered with an acute and accurate assessment over what, if anything, needs to be fixed at all.  Just because one has control over a system does not mean that one should fix things just because they can. 

Not without first imaging their system disk in case disaster strikes.  If an image is created first, one can do whatever they want and recover.  If one wants to experiment, then imaging is a must do.

Again, "if it ain't broke, don't fix it".

Learning something new is a good thing, but it must be tempered with research and caution and restraint.

If one always follows these three conditions, one can come to the best and correct decisions, and one does not have to then fix a system they broke unnecessarily.  Nothing wrong with learning new stuff, it is when to apply that new knowledge, and to what degree, that will make the difference long-term for all users, not just you. 
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on February 24, 2015, 04:35:34 AM
...The difference between any user that knows what they are doing and the ones that don't, basically is the difference between fixing something that needs to be fixed and not fixing things that don't...
Which is exactly why I am asking and not doing anything yet.

So please if you could tell me, should I delete any of the untrusted and fraudulent certificates or not? Are any of them (in attachment above) dangerous or harmful to have on my computer, or are they all fine?

If you can answer my question (which is what I asked in my original post) I would appreciate it very much! Since then I would know what to do regarding this issue.

Thank you in advance!
Title: Re: Fraudulent certificates in certmgr.msc
Post by: mchain on February 24, 2015, 07:28:58 AM
It may not be necessary to delete any untrusted certificates, because the fact that these untrusted certificates are in that folder means they cannot be used again by Windows or any other program: 
http://windows.microsoft.com/en-us/windows/certificate-faq#1TC=windows-vista
Expand the 'Show all' link and read the entire thing.

http://ask-leo.com/what_are_root_certificates_and_why_do_i_need_to_update_them.html

Read both and then come back to share what you understand why certificates are necessary.  You may well find the answer you seek just from these two links. 

If you still need help please post that too.
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on February 25, 2015, 01:25:13 AM
Thank you for those links!

So I gather from you that I shouldn't delete any untrusted or fraudulent keys because in reality, they're shields against those untrusted attempts if they're made against my browser/computer?

Also, how could I know if there's ever a certificate in my certmgr.msc that's fake and malicious (for real, and not a "Shield" against a malicious attempt but the attempt itself)?

Thank you very much mchain!
Title: Re: Fraudulent certificates in certmgr.msc
Post by: Eddy on February 25, 2015, 01:36:59 AM
Quote
Also, how could I know if there's ever a certificate in my certmgr.msc that's fake and malicious
Search and do research. Learn how things are working, what they do (or don't) etc. It all starts with knowledge. Nothing personal and no offense meant, but so far you are only asking about things that are really way over your head. My advice, start with learning the basic things first.
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on February 25, 2015, 01:59:33 AM
My advice, start with learning the basic things first.
Such as?
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on February 26, 2015, 02:23:38 AM
My advice, start with learning the basic things first.
Such as?
So Eddy, would you like to give me some examples, or just tell me off again?
Title: Re: Fraudulent certificates in certmgr.msc
Post by: Michael (alan1998) on February 26, 2015, 04:28:40 PM
Obviously you know the basics. It also seems as if you take a strong interest in the Malware industry.. Correct?

Start with the easy stuff. How Batch Files work, CMD etc, then slowly move your way up. Do research, practice, more research etc. (Any practicing you do should be done inside of a Virtual Machine!!)
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on February 26, 2015, 04:53:23 PM
Michael is right, do some reading here: https://forum.avast.com/index.php?topic=166044.0
and https://forum.avast.com/index.php?topic=129271.0
Read about protocols, read about CMS and server software updates, outdated themes, plug-ins.
Learn about DNS, SSL, POODLE, BEAST, etc. Scan with http://toolbar.netcraft.com/site_report/
and analyze website's code here: http://toolbar.netcraft.com/site_report/
Do your analysis and reading inside a browser with NoScript and RequestPolicy extensions active and the browser should be running in a Virtual Machine/sandbox. Clean your sandbox every other day or after fear of encountering some threat and also cleanse your computer with CCleaner disconnected.
To detect malcode on your own machine, yes, that is thoroughly possible: download Process Explorer and Autoruns and know you can start VT scans from inside there.
For site evaluation download the Malzilla browser. But be aware what you do, no one can help you when you have encountered a file-infector like Virut, it is bye-bye system then.
Never click any link, just cut and paste and do third party cold reconnaissance scans. So never, I repeat never visit the site to be analyzed itself (this even may be illegal to do as give results to it in public).

Checking on code do a jsunpack scan - or use this uri debugger scan: http://linkeddata.informatik.hu-berlin.de/uridbg/

Always remember to proceed patiently and learn this step by step, Krakau was not built in one day as was Cologne. Good luck to you,

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Fraudulent certificates in certmgr.msc
Post by: REDACTED on February 26, 2015, 05:19:22 PM
My own research methods are a tad different to normal research methods,

My approach is normally on finding new types of adware/malware/trojans.

On a daily basis I often stumble across malware while searching across perfectly normal sites, social media pages and server logs. Once you discover a potential threat on sites use checkers such as VirusTotal, Malwr.com and urlquery to try and see if the threat has been actively scanned upon. If they are and vendors are proactively blocking the files in question you can move onto the next case, however if they aren't then it's time to talk to the community, provide your evidence to them including the MD5 hashes (so these can be looked up files for verification, an MD5 hash is a digital fingerprint of a file.)


Some advice I can offer (still pretty new at searching for APTs)

Start to get to know research toolkits. WinHex can do wonders for in-depth forensics analysis of files at the Binary level, Open forensics toolkits such as the TSK Autopsy Kit.
Start to learn Linux/Unix systems, Ubuntu is a good/safe operating system to do checks behind with Cuckoo Sandbox. I would recommend running rkhunter on the system after you have done any tests inside a virtual computer. Normally a good VM for malware analysis is Oracle VirtualBox (free to download)
Start to read information security news sources (Darkreading is an excellent place to get information about emerging threats.)
Look into active malware hunting communities, Project Honeypot is a great example of communities across the world working together to discover malware.
Start to read books on coding, A good first language to learn is Python, Then move up to C#/.NET (which is becoming open source shortly so the demand for C# researchers will come in handy).

Finally remember: with great power comes great responsibility!

Not sure if this helped, if it did awesome! :D


Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on March 01, 2015, 01:44:48 AM
Thank you all for your input!

Now I have a simple question that I hope someone can answer for me.
It seems from these 2 articles (linked to above):
http://windows.microsoft.com/en-us/windows/certificate-faq#1TC=windows-vista
http://ask-leo.com/what_are_root_certificates_and_why_do_i_need_to_update_them.html,
that one shouldn't delete "untrusted" certificates, but they don't address Fraudulent certificates.
So, should I delete any of the Fraudulent certificates in the above-attached list, or not?
If anyone can just tell me if yes or no, I would very much appreciate it.
Thank you!
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on March 01, 2015, 01:51:22 AM
Hi ehmen,

In Windows, at the command prompt, check certificate revocation by entering:
Quote
certutil -f -urlfetch -verify [FilenameOfCertificate]
example:
Quote
certutil -f -urlfetch -verify mycertificatefile.cer

Check the list here: http://www.entrust.net/ssl-technical/revoked.cfm

polonus
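As an added example (not code from this thread), here is PowerShell that lists the same "Untrusted Certificates" folder certmgr.msc shows (the Disallowed store) and exports an entry by its display name, such as "global trustee", to a .cer file so the certutil command above can be run on it. It assumes Windows PowerShell with the built-in Cert: drive; the output folder under %TEMP% is my choice.

```powershell
# Added example, not from this thread: list what certmgr.msc shows as
# "Untrusted Certificates" and export one of them by name so it can be fed
# to certutil -f -urlfetch -verify. Assumes Windows PowerShell with the Cert: drive.

function Get-UntrustedCertificateReport {
    # certmgr.msc's "Untrusted Certificates" folder is the Disallowed store.
    # It is a blacklist: Windows rejects any chain that passes through an entry,
    # so an expired entry here is harmless and there is nothing to clean up.
    $stores = 'Cert:\CurrentUser\Disallowed', 'Cert:\LocalMachine\Disallowed'
    foreach ($store in $stores) {
        if (-not (Test-Path $store)) { continue }
        Get-ChildItem -Path $store | Select-Object `
            @{ n = 'Store';   e = { $store } },
            Subject, Issuer, NotAfter,
            @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } },
            Thumbprint    # the SHA-1 fingerprint certmgr.msc displays
    }
}

function Export-CertificateByName {
    param(
        [Parameter(Mandatory=$true)] [string] $NamePattern,   # e.g. 'global trustee'; case-insensitive substring
        [string] $Store  = 'Cert:\CurrentUser\Disallowed',
        [string] $OutDir = (Join-Path $env:TEMP 'untrusted-certs')   # assumed output folder
    )
    $null  = New-Item -ItemType Directory -Path $OutDir -Force
    $found = Get-ChildItem -Path $Store | Where-Object {
        $_.Subject -like "*$NamePattern*" -or $_.FriendlyName -like "*$NamePattern*"
    }
    foreach ($cert in $found) {
        # The thumbprint is a unique, filename-safe name; a DER export is what certutil reads.
        $path = Join-Path $OutDir ($cert.Thumbprint + '.cer')
        $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [System.IO.File]::WriteAllBytes($path, $der)
        New-Object PSObject -Property @{ Subject = $cert.Subject; File = $path }
    }
}

# Report, then export the "global trustee" entries and run the command from the post.
# certutil prints the chain status; a failure is the expected result for anything
# that lives in the Disallowed store.
Get-UntrustedCertificateReport | Format-Table -AutoSize
Export-CertificateByName -NamePattern 'global trustee' | ForEach-Object {
    certutil -f -urlfetch -verify $_.File
}
```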
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on March 01, 2015, 02:14:21 AM
Thank you polonus for addressing my question!

So how do I plug a certificate called "global trustee" or "VeriSign Commercial Software Publishers CA" into the above command? (certutil -f -urlfetch -verify mycertificatefile.cer)
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on March 01, 2015, 05:33:27 PM
You should know where that certificate is and the exact position of file and file name and then enter it at the command prompt in the required format. It is a pity you were not brought up with DOS command txt books and worked commands like ipconfig /all and C:/Users/computername/netstat & cd & cd/.. to go back to C:/Users/computername/ and again cd/..  to go back to C:/Users/  :P
In such cases as this it is still nice to have the skills. The folks that learned computing around the turn of the century still can do these command prompt shortcuts.  ;

polonus
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on March 01, 2015, 06:08:10 PM
You should know where that certificate is and the exact position of file and file name and then enter it at the command prompt in the required format.
I just know whatever it says in the Certificate Manager list.
Is there a way I could find the position of file and filename, etc.?
Thank you.
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on March 01, 2015, 06:41:45 PM
See: http://www.delphifaq.com/faq/windows_user/f1571.shtml
and http://www.mazecomputer.com/sxs/help/certmanage.htm
Also read: http://superuser.com/questions/334824/windows-7-certificate-manager-snap-in-without-access-to-mmc

pol
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on March 01, 2015, 06:51:21 PM
The articles speak of importing and installing certificates, but not how to find the location of existing certificates that I had nothing to do with, at least not knowingly (that is to say, I never did anything to get them, as is the case with most people who don't deal with certificates).
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on March 01, 2015, 06:57:56 PM
Well they are stored in the registry mainly: https://msdn.microsoft.com/en-us/library/windows/desktop/aa388136(v=vs.85).aspx

polonus
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on March 01, 2015, 07:02:49 PM
Be cautious when going to the registry. You can ruin your machine if you do unadvised things. Always make a copy of the registry first. Write down what you wanna do for references, work from that later.

polonus
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on March 01, 2015, 08:15:08 PM
Thanks.

How do I find the untrusted and fraudulent certificate location in the registry?

(By the way, I don't have XP, I have Vista.)
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on March 01, 2015, 10:04:34 PM
Click on button start - type certmgr.msc in search then push enter.
Certificates are in folder Certificates.
You should have admin rights for HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

polonus
Title: Re: Fraudulent certificates in certmgr.msc
Post by: bob3160 on March 01, 2015, 11:42:28 PM
Unless you know what you're doing, this can totally mess up your computer and make you vulnerable.
Your computer your choice. Certainly not something I'd advise messing around with.
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on March 01, 2015, 11:47:51 PM
Hi bob3160,

Not a thing I would advise either, but ehmen keeps asking and asking.
If you do not know your way under the hood, it may well be your car engine won't run anymore.
Likewise with computer registers. If you do not know how to hoover, do not dust.
As you say, it is the choice of that particular user, be bold and screw things up.
But forewarned is forearmed.

polonus
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on March 01, 2015, 11:57:08 PM
1) I know my way around the registry and have successfully done things there in the past (I could tell you if you're interested).
2) I'm not sure what all the warnings are, I never asked how to change anything in the registry, all I asked is if I should delete the fraudulent certificates or not, and I still don't know the answer to that simple question, nor do I know how to ascertain the individual fraudulent certificates.
3) polonus, I'm not sure why you told me how to open certmgr.msc and how to find certificates there, my very first post above is a screenshot of certificates I found there.
4) I went to HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots as you said polonus,
and there's only one item there, I attached it below.

I'd like to thank you for your help, I'm just a little confused about the reasons for the instructions and warnings you are giving me.
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on March 02, 2015, 12:23:03 AM
Just click it to open the various categories and then go over them, do not change anything.
Then go back and read resources over what you have found.
Then decide what to do further.
Read: http://www.wikihow.com/Clean-the-Windows-Registry-by-Hand

I think when things should be adapted and cleansed Microsoft will choose to do so via updates.
I think they should tackle bad SDK certification that way also.
It is their OS, so it is their task.
Just like Firefox has already taken Superfish out of the browser registry
for those that decided to uninstall it first.

polonus
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on March 02, 2015, 12:49:16 AM
Thanks for that.

Now, do you know if there's a way for me to figure out if I should delete the fraudulent certificates?
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on March 02, 2015, 01:00:38 AM
You first have to find them: https://www.digicert.com/protecting-against-fraudulent-certificates.htm
Go here and test: https://www.grc.com/fingerprints.htm
This example test failed: One or more errors were encountered when querying:
wXw.bitdefender.com
We were unable to connect to the remote web server's standard HTTPS port 443. This remote web server may not offer secure HTTPS web services.
The trouble may be something you can remedy by altering the domain name submitted, or the trouble might lie with the configuration of the remote secure web server. You should examine the domain name submitted, above, the errors returned, and the error comments to determine your best course of action.

avast.com is OK:
Domain Name: avast.com
Certificate Name: *.avast.com
EV: —
Security Certificate's Authentic Fingerprint: 4A:8E:8C:8F:29:72:97:C1:D4:9F:C3:8F:57:5D:9A:59:C1:58:A3:6E

polonus
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on March 02, 2015, 01:35:37 AM
You first have to find them
How do I find the certificate's URL?
https://www.digicert.com/protecting-against-fraudulent-certificates.htm
Does that article still apply now that SSL is removed from Chrome and others, and there's only TLS?
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on March 02, 2015, 09:07:11 AM
Here is a tool you can use: http://www.wilderssecurity.com/threads/rcc-check-your-systems-trusted-root-certificate-store.373819/
link info credits go to SpeedyPC, one of our fine forum friends, who gave that link to me. Thank you SpeedyPC!  ;)

polonus

P.S. My results: Scan completed. No suspicious root certificates found.
Now I am happy.

Damian
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on March 02, 2015, 02:51:27 PM
Thanks to ehmen for starting this subject finding some of the answers took me on a quest,
where I learned a lot about the ins and outs of https certification.

There is nice info on revocation verification here: https://www.grc.com/revocation/crlsets.htm
and a special tool, but Metascan flags that, with ByteHero detecting Trojan.Win32.Heur.098.
According to me it is clean.
Also read this http://news.netcraft.com/archives/2013/05/13/how-certificate-revocation-doesnt-work-in-practice.html
How to recognize fake SSL certificates? ->
http://stackoverflow.com/questions/7733881/how-to-recognize-fake-ssl-certificates
The trust of a SSL Certificate Chain can be checked here: https://www.sslshopper.com/ssl-checker.html
More online tools: http://geekflare.com/ssl-test-certificate/
For example: https://www.wormly.com/test_ssl

polonus
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on March 02, 2015, 08:22:14 PM
Here is a tool you can use: http://www.wilderssecurity.com/threads/rcc-check-your-systems-trusted-root-certificate-store.373819/
I have Vista, and it's only for Win7 and 8.

Also, can you tell me if all this SSL stuff also applies to TLS, since I use Chrome and it totally removed SSL.
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on March 03, 2015, 02:45:34 PM
No, I have Vista too and it plays wonderfully there, like a charm.

pol
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on March 08, 2015, 03:45:04 AM
Can you tell me if all the SSL stuff involving certificates also applies to TLS, since I use Chrome and it totally removed SSL?
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on March 08, 2015, 06:11:38 PM
Do the client test and see what that delivers: https://www.ssllabs.com/ssltest/viewMyClient.html
Quote
(1) When a browser supports SSL 2, its SSL 2-only suites are shown only on the very first connection to this site. To see the suites, close all browser windows, then open this exact page directly. Don't refresh.

pol
Title: Re: Fraudulent certificates in certmgr.msc
Post by: Lisandro on March 08, 2015, 07:11:17 PM
Here is a tool you can use: http://www.wilderssecurity.com/threads/rcc-check-your-systems-trusted-root-certificate-store.373819/
link info credits go to SpeedyPC, one of our fine forum friends, who gave that link to me. Thank you SpeedyPC!  ;)

polonus

P.S. My results: Scan completed. No suspicious root certificates found.
Now I am happy.

Damian
1. Am I ok?
2. Why only avast is shown?
Title: Re: Fraudulent certificates in certmgr.msc
Post by: DavidR on March 08, 2015, 07:38:11 PM
Here is a tool you can use: http://www.wilderssecurity.com/threads/rcc-check-your-systems-trusted-root-certificate-store.373819/
link info credits go to SpeedyPC, one of our fine forum friends, who gave that link to me. Thank you SpeedyPC!  ;)

polonus

P.S. My results: Scan completed. No suspicious root certificates found.
Now I am happy.

Damian
1. Am I ok?
2. Why only avast is shown?

It says it all on the text of the screenshot.
They aren't part of Microsoft's official Root Certificate Program.

Doesn't always represent a security risk - the user should carefully review each of them.

We know that avast is scanning https, ssl/tls traffic/content and to do that they need a certificate.

So yes you are OK.
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on March 08, 2015, 11:54:48 PM
Do the client test and see what that delivers: https://www.ssllabs.com/ssltest/viewMyClient.html
Do I need to do anything there, or just go to the site?

When I went there they said my user agent (I assume Chrome) is not vulnerable to the FREAK or POODLE Vulnerability and it supports TLS 1.2.
Though lower in the page it said "TLS compression" and "SSL 2 handshake compatibility"- No, and the others in the category - yes.
Also 2 (out of 11) TLS ECDHE were weak, and 2 (out of 9) TLS RSA were weak.
Also, I'm not sure what the "Mixed content handling" means, see attachment.
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on March 09, 2015, 12:14:26 AM
When a page has elements that came from regular HTTP connections, the connection is only partially secure.
What is mixed content
Quote
Types of Mixed Content
There are two categories for mixed content: Mixed Passive/Display Content and Mixed Active Content. The difference lies in the threat level of the worst case scenario if content is rewritten as part of a Man-In-The-Middle attack. In the case of passive content, the threat is low (webpage appears broken or with misleading content). In the case of active content, the threat can lead to phishing, sensitive data disclosure, redirection to malicious sites, etc.

Mixed passive/display content

Mixed Passive/Display Content is content served over HTTP that is included in an HTTPS webpage, but that cannot alter other portions of the webpage. For example, an attacker could replace an image served over HTTP with an inappropriate image or message to the user. The attacker could also infer information about the user's activities by watching which images are served to the user; often images are only served on a specific page within a website. If the attacker observes HTTP requests to certain images, he could determine which webpage the user is visiting.

Passive content list

This section lists all types of HTTP requests which are considered passive content:

<audio> (src attribute)
<img> (src attribute)
<video> (src attribute)
<object> subresources (when an <object> performs HTTP requests)
Mixed active content

Mixed Active Content is content that has access to all or parts of the Document Object Model of the HTTPS page. This type of mixed content can alter the behavior of the HTTPS page and potentially steal sensitive data from the user. Hence, in addition to the risks described for Mixed Display Content above, Mixed Active Content is vulnerable to a few other attack vectors.

In the Mixed Active Content case, a man-in-the-middle attacker can intercept the request for the HTTP content. The attacker can also rewrite the response to include malicious JavaScript code. Malicious active content can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example).

The risk involved with mixed content does depend on the type of website the user is visiting and how sensitive the data exposed to that site may be. The webpage may have public data visible to the world or private data visible only when authenticated. If the webpage is public and has no sensitive data about the user, using Mixed Active Content still provides the attacker with the opportunity to redirect the user to other HTTP pages and steal HTTP cookies from those sites.

Active content list

This section lists some types of HTTP requests which are considered active content:

<script> (src attribute)
<link> (href attribute) (this includes CSS stylesheets)
XMLHttpRequest object requests
<iframe> (src attributes)
All cases in CSS where a url value is used (@font-face, cursor, background-image, etc.)
<object> (data attribute)
Quote from Mozilla Developer Network, info credits go there.

polonus
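As an added example (not from MDN or this thread), a PowerShell function that flags http:// subresources in an HTTPS page and labels them passive or active according to the two lists quoted above; tags outside those lists are reported as unlisted. The sample HTML and the hostnames in it are constructed for the demo.

```powershell
# Added example, not from MDN or this thread: find http:// subresources in an HTTPS
# page and label them passive or active using the two lists quoted above.
# The HTML below is constructed for the demo; its hostnames are placeholders.

function Find-MixedContent {
    param([Parameter(Mandatory=$true)] [string] $Html)

    # tag -> attribute pairs from the quoted passive and active lists
    $passive = @{ 'img' = 'src'; 'audio' = 'src'; 'video' = 'src' }
    $active  = @{ 'script' = 'src'; 'link' = 'href'; 'iframe' = 'src'; 'object' = 'data' }
    $results = @()

    # src/href/data attributes whose value starts with http:// (https:// and
    # protocol-relative // URLs are not mixed content and are not matched)
    $tagRx = [regex]'(?i)<\s*([a-z]+)\b[^>]*?(?<![\w-])(src|href|data)\s*=\s*["'']?(http://[^"''\s>]+)'
    foreach ($m in $tagRx.Matches($Html)) {
        $tag  = $m.Groups[1].Value.ToLower()
        $attr = $m.Groups[2].Value.ToLower()
        # <a href> is a navigation, not a subresource load, so it is not mixed content
        if ($tag -eq 'a') { continue }
        $kind = 'unlisted'
        if ($passive[$tag] -eq $attr)    { $kind = 'passive' }
        elseif ($active[$tag] -eq $attr) { $kind = 'active' }
        $results += New-Object PSObject -Property @{
            Kind = $kind; Tag = $tag; Attribute = $attr; Url = $m.Groups[3].Value
        }
    }
    # any url(...) in CSS (style attributes or <style> blocks) is active per the quoted list
    $cssRx = [regex]'(?i)url\(\s*["'']?(http://[^"''\)\s]+)'
    foreach ($m in $cssRx.Matches($Html)) {
        $results += New-Object PSObject -Property @{
            Kind = 'active'; Tag = 'css'; Attribute = 'url()'; Url = $m.Groups[1].Value
        }
    }
    $results
}

# Constructed sample page: one passive load, four active ones, two non-issues
$sampleHtml = @'
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/track.js"></script>
<style>body { background-image: url("http://img.example.test/bg.png"); }</style>
</head><body>
<img src="http://img.example.test/logo.png">
<a href="http://www.example.test/about">About</a>
<iframe src="http://ads.example.test/frame.html"></iframe>
<video src="//media.example.test/clip.mp4"></video>
</body></html>
'@
Find-MixedContent -Html $sampleHtml | Sort-Object Kind, Tag | Format-Table Kind, Tag, Url -AutoSize
```

On the sample page the img is the only passive finding; the stylesheet, the http:// script, the CSS background image and the iframe are reported as active, while the https:// script and the protocol-relative video are not flagged.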
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on March 09, 2015, 12:25:50 AM
You can check for mixed content here: https://www.jitbit.com/sslcheck/
For google dot com we get:
Quote

Done. Total pages crawled: 199

Pages with unsecure content:
https://www.google.com/chromecast/setup ?

Pages failed to crawl (error returned from the server):
https://www.google.com/cookies.html
https://www.google.com/cookies.html
https://www.google.com/intl/en/policies/privacy/google_privacy_policy_en.pdf
But the security header status there can be qualified as quite good:
view here: https://www.uploady.com/download/vNOTWOlJtcS/rBccdVAasxIPX7Rg

polonus
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on March 09, 2015, 01:04:31 AM
This website may not have mixed content issues, however your privacy can be in danger:
https://www.golemtechnologies.com/security-scan-benefits
A net-error on the certificate date is received.
ehmen if you found such a root certificate on your machine it was insecure,
as it was not revoked:
https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp
Protocol Support
TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0
SSL 3.0 is an outdated protocol version with known vulnerabilities.
The certificate was valid from 12/03/2012 through 12/03/2014.
DNS issues also with stealth name servers etc.: http://www.dnsinspect.com/golemtechnologies.com/1425859392

polonus
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on March 10, 2015, 02:27:30 AM
SSL 3.0 is an outdated protocol version with known vulnerabilities.
Which is why I asked before, and would like to know:
Can you tell me if all the SSL stuff involving certificates also applies to TLS, since I use Chrome and it totally removed SSL?
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on March 10, 2015, 05:16:01 PM
SSL is a predecessor of TLS, so SSL has become part of this overall protocol.
Important issues to establish
Quote
Once your browser requests a secure page and adds the "s" onto "http," the browser sends out the public key and the certificate, checking three things: 1) that the certificate comes from a trusted party; 2) that the certificate is currently valid; and 3) that the certificate has a relationship with the site from which it's coming.
Quote from Jeff Tyson.
Not all servers have TLS security, test here: http://www.checktls.com/perl/TestReceiver.pl

polonus
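As an added example (not from the thread or from Jeff Tyson's text), the three checks in the quote carried out in PowerShell with .NET's X509Chain, plus the hostname comparison that X509Chain does not perform by itself. It assumes a certificate saved as a .cer file (the path below is a placeholder) and the hostname the certificate is supposed to belong to.

```powershell
# Added example, not from this thread: the three browser checks from the quote
# (trusted issuer, currently valid, belongs to the site) using .NET's X509Chain.
# Assumes a DER or Base64 .cer file; the path in the usage line is a placeholder.

function Test-CertificateTrust {
    param(
        [Parameter(Mandatory=$true)] [string] $CertPath,
        [Parameter(Mandatory=$true)] [string] $HostName,
        [switch] $Offline    # skip the CRL/OCSP fetch; revocation then reports as unknown
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    if ($Offline) { $chain.ChainPolicy.RevocationMode = 'NoCheck' }
    else          { $chain.ChainPolicy.RevocationMode = 'Online' }
    $null   = $chain.Build($cert)     # $false on any problem; the reasons land in ChainStatus
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # 1) Trusted party: chain ends in a trusted root, every signature verifies,
    #    and nothing in it is explicitly distrusted or revoked
    $issuerProblems = @($status | Where-Object { $_ -match 'UntrustedRoot|PartialChain|NotSignatureValid|ExplicitDistrust|Revoked' })
    # 2) Currently valid: validity period of the certificate and of every issuer above it
    $timeProblems   = @($status | Where-Object { $_ -match 'NotTimeValid|NotTimeNested' })
    # 3) Relationship with the site: hostname must match a SAN DNS name or the subject CN.
    #    X509Chain does not check this; browsers do it separately.
    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($san) {
        # Windows formats the extension as "DNS Name=www.example.com, DNS Name=example.com"
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $nameOk = $false
    foreach ($n in $names) {
        if ($n.StartsWith('*.')) {
            # a wildcard such as *.avast.com covers exactly one extra label
            if ($HostName -match ('^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$')) { $nameOk = $true }
        } elseif ($HostName -eq $n) { $nameOk = $true }   # -eq is case-insensitive in PowerShell
    }

    New-Object PSObject -Property @{
        Subject           = $cert.Subject
        TrustedIssuer     = ($issuerProblems.Count -eq 0)
        CurrentlyValid    = ($timeProblems.Count -eq 0)
        NameMatchesHost   = $nameOk
        RevocationUnknown = [bool]@($status | Where-Object { $_ -match 'RevocationStatusUnknown|OfflineRevocation' }).Count
        ChainStatus       = ($status -join ', ')
    }
}

# Placeholder path: point it at a certificate exported from certmgr.msc or saved from a browser.
Test-CertificateTrust -CertPath 'C:\path\to\exported.cer' -HostName 'www.avast.com' | Format-List
```

A certificate that fails check 1 or 2 is what the quote calls untrusted; one that passes both but fails the name check is valid for some other site and should be treated as a mismatch, not as proof of identity.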
Title: Re: Fraudulent certificates in certmgr.msc
Post by: ehmen on March 10, 2015, 05:36:32 PM
SSL is a predecessor of TLS, so SSL has become part of this overall protocol.
So does whatever it says about SSL apply equally now to TLS?
Not all servers have TLS security, test here: http://www.checktls.com/perl/TestReceiver.pl
I use gmail, so I don't need to check that email test.
Title: Re: Fraudulent certificates in certmgr.msc
Post by: polonus on March 12, 2015, 01:14:03 AM
Most browsers won't support any version above TLS 1.0. BEAST has been fixed on modern browsers.
But parties aren't anxious to move and as large vendors do not move, who will?
First they waited for Windows XP to be phased out, now it could be waiting for IE to be phased out.
Read here: http://security.stackexchange.com/questions/32817/why-dont-major-browsers-currently-support-tls-above-version-1-0 (credits for interesting info posted there goes to Thomas Pornin)

polonus
Title: Re: Fraudulent certificates in certmgr.msc
Post by: REDACTED on April 03, 2015, 12:56:25 PM
Here is a tool you can use: http://www.wilderssecurity.com/threads/rcc-check-your-systems-trusted-root-certificate-store.373819/
link info credits go to SpeedyPC, one of our fine forum friends, who gave that link to me. Thank you SpeedyPC!  ;)

polonus

P.S. My results: Scan completed. No suspicious root certificates found.
Now I am happy.

Damian

Cool tool! Plus it now has the ability to check Firefox's root CAs as well! Wish it had some more options though.

(http://www.wilderssecurity.com/attachments/xuntitled-png.247353/)