Author Topic: Fraudulent certificates in certmgr.msc  (Read 18409 times)

Offline ehmen

  • Poster
  • *
  • Posts: 449
Re: Fraudulent certificates in certmgr.msc
« Reply #30 on: March 01, 2015, 06:51:21 PM »
The articles speak of importing and installing certificates, but not how to find the location of existing certificates that I had nothing to do with, at least not knowingly (that is to say, I never did anything to get them, as is the case with most people who don't deal with certificates).

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31626
  • malware fighter
Re: Fraudulent certificates in certmgr.msc
« Reply #31 on: March 01, 2015, 06:57:56 PM »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Fraudulent certificates in certmgr.msc
« Reply #32 on: March 01, 2015, 07:02:49 PM »
Be cautious when going to the registry. You can ruin your machine if you do unadvised things. Always make a copy of the registry first. Write down what you wanna do for references, work from that later.

polonus

Offline ehmen

Re: Fraudulent certificates in certmgr.msc
« Reply #33 on: March 01, 2015, 08:15:08 PM »
Thanks.

How do I find the untrusted and fraudulent certificate location in the registry?

(By the way, I don't have XP, I have Vista.)
« Last Edit: March 01, 2015, 08:17:59 PM by ehmen »

Offline polonus

Re: Fraudulent certificates in certmgr.msc
« Reply #34 on: March 01, 2015, 10:04:34 PM »
Click on button start - type certmgr.msc in search then push enter.
Certificates are in folder Certificates.
You should have admin rights for HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

polonus
« Last Edit: March 01, 2015, 10:06:28 PM by polonus »

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 41254
  • 59 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Fraudulent certificates in certmgr.msc
« Reply #35 on: March 01, 2015, 11:42:28 PM »
Unless you know what you're doing, this can totally mess up your computer and make you vulnerable.
Your computer your choice. Certainly not something I'd advise messing around with.
Free avast! Security Seminar: https://goo.gl/kh3cqR  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 10 Pro v1903 64bit, 8 Gig Ram, AvastFree 19.6.xxxx, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq

Offline polonus

Re: Fraudulent certificates in certmgr.msc
« Reply #36 on: March 01, 2015, 11:47:51 PM »
Hi bob3160,

Not a thing I would advise either, but ehmen keeps asking and asking.
If you do not know your way under the hood, it may well be your car engine won't run anymore.
Likewise with computer registers. If you do not know how to hoover, do not dust.
As you say, it is the choice of that particular user, be bold and screw things up.
But forewarned is forearmed.

polonus

Offline ehmen

Re: Fraudulent certificates in certmgr.msc
« Reply #37 on: March 01, 2015, 11:57:08 PM »
1) I know my way around the registry and have successfully done things there in the past (I could tell you if you're interested).
2) I'm not sure what all the warnings are, I never asked how to change anything in the registry, all I asked is if I should delete the fraudulent certificates or not, and I still don't know the answer to that simple question, nor do I know how to ascertain the individual fraudulent certificates.
3) polonus, I'm not sure why you told me how to open certmgr.msc and how to find certificates there, my very first post above is a screenshot of certificates I found there.
4) I went to HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots as you said polonus,
and there's only one item there, I attached it below.

I'd like to thank you for your help, I'm just a little confused about the reasons for the instructions and warnings you are giving me.
« Last Edit: March 02, 2015, 12:03:29 AM by ehmen »

Offline polonus

Re: Fraudulent certificates in certmgr.msc
« Reply #38 on: March 02, 2015, 12:23:03 AM »
Just click it to open the various categories and then go over them, do not change anything.
Then go back and read resources over what you have found.
Then decide what to do further.
Read: http://www.wikihow.com/Clean-the-Windows-Registry-by-Hand

I think when things should be adapted and cleansed Microsoft will choose to do so via updates.
I think they should tackle bad SDK certification that way also.
It is their OS, so it is their task.
Just like Firefox has already taken Superfish out of the browser registry
for those that decided to take to uninstall it first.

polonus

Offline ehmen

Re: Fraudulent certificates in certmgr.msc
« Reply #39 on: March 02, 2015, 12:49:16 AM »
Thanks for that.

Now, do you know if there's a way for me to figure out if I should delete the fraudulent certificates?

Offline polonus

Re: Fraudulent certificates in certmgr.msc
« Reply #40 on: March 02, 2015, 01:00:38 AM »
You first have to find them: https://www.digicert.com/protecting-against-fraudulent-certificates.htm
Go here and test: https://www.grc.com/fingerprints.htm
This example test failed: One or more errors were encountered when querying:
wXw.bitdefender.com
We were unable to connect to the remote web server's standard HTTPS port 443. This remote web server may not offer secure HTTPS web services.
The trouble may be something you can remedy by altering the domain name submitted, or the trouble might lie with the configuration of the remote secure web server. You should examine the domain name submitted, above, the errors returned, and the error comments to determine your best course of action.

avast.com is OK:
Domain Name: avast.com
Certificate Name: *.avast.com
EV: —
Security Certificate's Authentic Fingerprint: 4A:8E:8C:8F:29:72:97:C1:D4:9F:C3:8F:57:5D:9A:59:C1:58:A3:6E

polonus
« Last Edit: March 02, 2015, 01:04:17 AM by polonus »

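Added example (not part of any post in this thread): the comparison that the GRC fingerprint page in the reply above performs, done from your own machine in Python. It reads the certificate your connection actually receives, computes its SHA-1 fingerprint, and checks it against a fingerprint obtained from an outside vantage point; the function names and the script name `fp_check.py` are assumptions made for illustration.

```python
import hashlib
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-1 of the DER-encoded certificate as colon-separated hex pairs."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip separators and case so 'aa bb', 'AA:BB' and 'AABB' compare equal."""
    return "".join(c for c in fp.upper() if c in "0123456789ABCDEF")


def observed_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the leaf certificate exactly as this machine receives it.

    Chain validation is switched off only so that the bytes can be read even
    when the chain is untrusted; no application data is sent on the socket.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(der: bytes, reference: str) -> dict:
    """Compare the locally seen certificate with an independent reference."""
    seen = fingerprint(der)
    ref = normalize(reference)
    if len(ref) != 40:
        raise ValueError("reference is not a 160-bit SHA-1 fingerprint")
    return {"seen": seen, "match": normalize(seen) == ref}


if __name__ == "__main__":
    import sys
    # Usage: python fp_check.py <host> <fingerprint from an outside vantage point>
    host, reference = sys.argv[1], sys.argv[2]
    result = compare(observed_der(host), reference)
    print(host, result["seen"], "MATCH" if result["match"] else "MISMATCH")
```

A mismatch only says that the certificate seen locally differs from the reference; large sites serve several valid certificates and rotate them, so repeat the check with a fresh reference before concluding that something on the machine or network is substituting certificates.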
Offline ehmen

Re: Fraudulent certificates in certmgr.msc
« Reply #41 on: March 02, 2015, 01:35:37 AM »
Quote from polonus: "You first have to find them"
How do I find the certificate's URL?
Quote from polonus: "https://www.digicert.com/protecting-against-fraudulent-certificates.htm"
Does that article still apply now that SSL is removed from Chrome and others, and there's only TLS?

Offline polonus

Re: Fraudulent certificates in certmgr.msc
« Reply #42 on: March 02, 2015, 09:07:11 AM »
Here is a tool you can use: http://www.wilderssecurity.com/threads/rcc-check-your-systems-trusted-root-certificate-store.373819/
Link info credits go to SpeedyPC, one of our fine forum friends, who gave that link to me. Thank you SpeedyPC!  ;)

polonus

P.S. My results: Scan completed. No suspicious root certificates found.
Now I am happy.

Damian
« Last Edit: March 02, 2015, 09:12:08 AM by polonus »

Offline polonus

Re: Fraudulent certificates in certmgr.msc
« Reply #43 on: March 02, 2015, 02:51:27 PM »
Thanks to ehmen for starting this subject. Finding some of the answers took me on a quest,
where I learned a lot about the ins and outs of https certification.

There is nice info on revocation verification here: https://www.grc.com/revocation/crlsets.htm
and a special tool, but Metascan flags that, with ByteHero detecting Trojan.Win32.Heur.098.
According to me it is clean.
Also read this http://news.netcraft.com/archives/2013/05/13/how-certificate-revocation-doesnt-work-in-practice.html
How to recognize fake SSL certificates? ->
http://stackoverflow.com/questions/7733881/how-to-recognize-fake-ssl-certificates
The trust of an SSL Certificate Chain can be checked here: https://www.sslshopper.com/ssl-checker.html
More online tools: http://geekflare.com/ssl-test-certificate/
For example: https://www.wormly.com/test_ssl

polonus
« Last Edit: March 02, 2015, 03:08:10 PM by polonus »

Offline ehmen

Re: Fraudulent certificates in certmgr.msc
« Reply #44 on: March 02, 2015, 08:22:14 PM »
Quote from polonus: "Here is a tool you can use: http://www.wilderssecurity.com/threads/rcc-check-your-systems-trusted-root-certificate-store.373819/"
I have Vista, and it's only for Win7 and 8.

Also, can you tell me if all this SSL stuff also applies to TLS, since I use Chrome and it totally removed SSL?
« Last Edit: March 02, 2015, 08:24:19 PM by ehmen »