Author Topic: Fraudulent certificates in certmgr.msc  (Read 26802 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Fraudulent certificates in certmgr.msc
« Reply #45 on: March 03, 2015, 02:45:34 PM »
No, I have Vista too and it plays wonderfully there, like a charm.

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline ehmen

  • Poster
  • *
  • Posts: 498
Re: Fraudulent certificates in certmgr.msc
« Reply #46 on: March 08, 2015, 03:45:04 AM »
Can you tell me if all the SSL stuff involving certificates also applies to TLS, since I use Chrome and it totally removed SSL?

Offline polonus

Re: Fraudulent certificates in certmgr.msc
« Reply #47 on: March 08, 2015, 06:11:38 PM »
Do the client test and see what that delivers: https://www.ssllabs.com/ssltest/viewMyClient.html
Quote
(1) When a browser supports SSL 2, its SSL 2-only suites are shown only on the very first connection to this site. To see the suites, close all browser windows, then open this exact page directly. Don't refresh.

pol

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Fraudulent certificates in certmgr.msc
« Reply #48 on: March 08, 2015, 07:11:17 PM »
Here is a tool you can use: http://www.wilderssecurity.com/threads/rcc-check-your-systems-trusted-root-certificate-store.373819/
link info credits go to SpeedyPC, one of our fine forum friends, who gave that link to me. Thank you SpeedyPC!  ;)

polonus

P.S. My results: Scan completed. No suspicious root certificates found.
Now I am happy.

Damian
1. Am I ok?
2. Why only avast is shown?
The best things in life are free.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Fraudulent certificates in certmgr.msc
« Reply #49 on: March 08, 2015, 07:38:11 PM »
Here is a tool you can use: http://www.wilderssecurity.com/threads/rcc-check-your-systems-trusted-root-certificate-store.373819/
link info credits go to SpeedyPC, one of our fine forum friends, who gave that link to me. Thank you SpeedyPC!  ;)

polonus

P.S. My results: Scan completed. No suspicious root certificates found.
Now I am happy.

Damian
1. Am I ok?
2. Why only avast is shown?

It says it all on the text of the screenshot.
They aren't part of Microsoft's official Root Certificate Program.

Doesn't always represent a security risk - the user should carefully review each of them.

We know that avast is scanning https, ssl/tls traffic/content and to do that they need a certificate.

So yes you are OK.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline ehmen

Re: Fraudulent certificates in certmgr.msc
« Reply #50 on: March 08, 2015, 11:54:48 PM »
Do the client test and see what that delivers: https://www.ssllabs.com/ssltest/viewMyClient.html
Do I need to do anything there, or just go to the site?

When I went there they said my user agent (I assume Chrome) is not vulnerable to the FREAK or POODLE Vulnerability and it supports TLS 1.2.
Though lower in the page it said "TLS compression" and "SSL 2 handshake compatibility" - No, and the others in the category - yes.
Also 2 (out of 11) TLS ECDHE were weak, and 2 (out of 9) TLS RSA were weak.
Also, I'm not sure what the "Mixed content handling" means, see attachment.

Offline polonus

Re: Fraudulent certificates in certmgr.msc
« Reply #51 on: March 09, 2015, 12:14:26 AM »
When a page has elements that came from regular HTTP connections, the connection is only partially secure. What is mixed content
Quote
Types of Mixed Content
There are two categories for mixed content: Mixed Passive/Display Content and Mixed Active Content. The difference lies in the threat level of the worst case scenario if content is rewritten as part of a Man-In-The-Middle attack. In the case of passive content, the threat is low (webpage appears broken or with misleading content). In the case of active content, the threat can lead to phishing, sensitive data disclosure, redirection to malicious sites, etc.

Mixed passive/display content

Mixed Passive/Display Content is content served over HTTP that is included in an HTTPS webpage, but that cannot alter other portions of the webpage. For example, an attacker could replace an image served over HTTP with an inappropriate image or message to the user. The attacker could also infer information about the user's activities by watching which images are served to the user; often images are only served on a specific page within a website. If the attacker observes HTTP requests to certain images, he could determine which webpage the user is visiting.

Passive content list

This section lists all types of HTTP requests which are considered passive content:

<audio> (src attribute)
<img> (src attribute)
<video> (src attribute)
<object> subresources (when an <object> performs HTTP requests)

Mixed active content

Mixed Active Content is content that has access to all or parts of the Document Object Model of the HTTPS page. This type of mixed content can alter the behavior of the HTTPS page and potentially steal sensitive data from the user. Hence, in addition to the risks described for Mixed Display Content above, Mixed Active Content is vulnerable to a few other attack vectors.

In the Mixed Active Content case, a man-in-the-middle attacker can intercept the request for the HTTP content. The attacker can also rewrite the response to include malicious JavaScript code. Malicious active content can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example).

The risk involved with mixed content does depend on the type of website the user is visiting and how sensitive the data exposed to that site may be. The webpage may have public data visible to the world or private data visible only when authenticated. If the webpage is public and has no sensitive data about the user, using Mixed Active Content still provides the attacker with the opportunity to redirect the user to other HTTP pages and steal HTTP cookies from those sites.

Active content list

This section lists some types of HTTP requests which are considered active content:

<script> (src attribute)
<link> (href attribute) (this includes CSS stylesheets)
XMLHttpRequest object requests
<iframe> (src attributes)
All cases in CSS where a url value is used (@font-face, cursor, background-image, etc.)
<object> (data attribute)

See also
Quote from Mozilla Developer Network, info credits go there.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
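
The passive/active split in the MDN quote above, as an added example that is not part of the original post: a Python sketch that walks the HTML of a page assumed to be served over HTTPS and sorts each `http://` subresource into the two categories using the quoted element lists. The class and function names and the sample page are constructed for illustration; XMLHttpRequest calls and `<object>` subresources only appear at run time and are not covered.

```python
import re
from html.parser import HTMLParser

# Tag/attribute pairs from the passive and active lists quoted in the post above.
KIND = {("img", "src"): "passive", ("audio", "src"): "passive", ("video", "src"): "passive",
        ("script", "src"): "active", ("link", "href"): "active",
        ("iframe", "src"): "active", ("object", "data"): "active"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentFinder(HTMLParser):
    """Collects http:// subresources of a page assumed to be served over HTTPS."""
    def __init__(self):
        super().__init__()
        self.findings = []          # (category, tag, url) in document order
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        self._in_style = self._in_style or tag == "style"
        for name, value in attrs:
            value = (value or "").strip()
            if name == "style":     # inline CSS url(...) is on the active list
                self._scan_css(tag, value)
            elif value.lower().startswith("http://") and (tag, name) in KIND:
                self.findings.append((KIND[(tag, name)], tag, value))

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:          # body of a <style> element
            self._scan_css("style", data)

    def _scan_css(self, tag, text):
        self.findings += [("active", tag, url) for url in CSS_URL.findall(text)]

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; every host name is a placeholder.
SAMPLE = """<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="http://cdn.example.test/track.js"></script>
<style>body { background-image: url('http://img.example.test/bg.png'); }</style>
<img src="http://img.example.test/logo.png">
<a href="http://example.test/">a plain link is navigation, not a subresource</a>
<iframe src="//frames.example.test/widget"></iframe>"""
for category, tag, url in find_mixed_content(SAMPLE):
    print(f"{category:8} <{tag}> {url}")
```

The plain `<a>` link and the protocol-relative `<iframe>` are deliberately not reported: the first is navigation rather than a subresource, and the second inherits HTTPS from the page.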

Offline polonus

Re: Fraudulent certificates in certmgr.msc
« Reply #52 on: March 09, 2015, 12:25:50 AM »
You can check for mixed content here: https://www.jitbit.com/sslcheck/
For google dot com we get:
Quote

Done. Total pages crawled: 199

Pages with unsecure content:
https://www.google.com/chromecast/setup ?

Pages failed to crawl (error returned from the server):
https://www.google.com/cookies.html
https://www.google.com/cookies.html
https://www.google.com/intl/en/policies/privacy/google_privacy_policy_en.pdf
But the security header status there can be qualified as quite good:
view here: https://www.uploady.com/download/vNOTWOlJtcS/rBccdVAasxIPX7Rg

polonus
« Last Edit: March 09, 2015, 12:38:07 AM by polonus »

Offline polonus

Re: Fraudulent certificates in certmgr.msc
« Reply #53 on: March 09, 2015, 01:04:31 AM »
This website may not have mixed content issues; however, your privacy can be in danger:
https://www.golemtechnologies.com/security-scan-benefits
A net-error on the certificate date is received.
ehmen, if you found such a root certificate on your machine it was insecure,
as it was not revoked:
https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp
Protocol Support
TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0
SSL 3.0 is an outdated protocol version with known vulnerabilities.
The certificate was valid from 12/03/2012 through 12/03/2014.
DNS issues also with stealth name servers etc.: http://www.dnsinspect.com/golemtechnologies.com/1425859392

polonus
« Last Edit: March 09, 2015, 01:15:10 AM by polonus »

Offline ehmen

Re: Fraudulent certificates in certmgr.msc
« Reply #54 on: March 10, 2015, 02:27:30 AM »
SSL 3.0 is an outdated protocol version with known vulnerabilities.
Which is why I asked before, and would like to know:
Can you tell me if all the SSL stuff involving certificates also applies to TLS, since I use Chrome and it totally removed SSL?
« Last Edit: March 10, 2015, 02:29:12 AM by ehmen »

Offline polonus

Re: Fraudulent certificates in certmgr.msc
« Reply #55 on: March 10, 2015, 05:16:01 PM »
SSL is a predecessor of TLS, so SSL has become part of this overall protocol.
Important issues to establish
Quote
Once your browser requests a secure page and adds the "s" onto "http," the browser sends out the public key and the certificate, checking three things: 1) that the certificate comes from a trusted party; 2) that the certificate is currently valid; and 3) that the certificate has a relationship with the site from which it's coming.
Quote from Jeff Tyson.
Not all servers have TLS security, test here: http://www.checktls.com/perl/TestReceiver.pl

polonus

Offline ehmen

Re: Fraudulent certificates in certmgr.msc
« Reply #56 on: March 10, 2015, 05:36:32 PM »
SSL is a predecessor of TLS, so SSL has become part of this overall protocol.
So does whatever it says about SSL apply equally now to TLS?
Not all servers have TLS security, test here: http://www.checktls.com/perl/TestReceiver.pl
I use gmail, so I don't need to check that email test.

Offline polonus

Re: Fraudulent certificates in certmgr.msc
« Reply #57 on: March 12, 2015, 01:14:03 AM »
Most browsers won't support any version above TLS 1.0. BEAST has been fixed on modern browsers.
But parties aren't anxious to move and as large vendors do not move, who will?
First they waited for Windows XP to be phased out, now it could be waiting for IE to be phased out.
Read here: http://security.stackexchange.com/questions/32817/why-dont-major-browsers-currently-support-tls-above-version-1-0 (credits for interesting info posted there go to Thomas Pornin)

polonus

REDACTED

  • Guest
Re: Fraudulent certificates in certmgr.msc
« Reply #58 on: April 03, 2015, 12:56:25 PM »
Here is a tool you can use: http://www.wilderssecurity.com/threads/rcc-check-your-systems-trusted-root-certificate-store.373819/
link info credits go to SpeedyPC, one of our fine forum friends, who gave that link to me. Thank you SpeedyPC!  ;)

polonus

P.S. My results: Scan completed. No suspicious root certificates found.
Now I am happy.

Damian

Cool tool! Plus it now has the ability to check Firefox's root CAs as well! Wish it had some more options though.

« Last Edit: April 03, 2015, 01:27:45 PM by MidMark »