flat assembler
Message board for the users of flat assembler.

what are those certificates (ssl, https)

sleepsleep



Joined: 05 Oct 2006
Posts: 8877
Location: ˛                             ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣Posts: 334455
sleepsleep
I am kinda confused, what are those certificates, how do they work?

I've been told (by an IT firm) that to use its online money remittance webpage, I mustn't use Windows 7.

How are SSL certificates affected by the OS? Please guide. Thanks.
Post 09 Nov 2009, 13:47
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
Weird... maybe Windows 7 enforces more strict certificate checking, and they have their certificate fucked-up somehow? (e.g. self-signed)

But such enforcing would be quite a drastic move.
Post 09 Nov 2009, 14:04
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17260
Location: In your JS exploiting you and your system
revolution
It is usually the browser, not the OS, that checks the SSL certificates. But if Win7 decides to get in first and block invalid certs then I expect there would be an option to put it back to normal behaviour.


Last edited by revolution on 09 Nov 2009, 16:21; edited 1 time in total
Post 09 Nov 2009, 14:25
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
Win7 might be shipped with a browser that changed default behavior?

But yeah, unless they are telling you bullshit, this should definitely be possible to change somewhere in settings.
Post 09 Nov 2009, 15:43
Borsuc



Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
Borsuc
Mustn't people pay a hefty sum to MS to sign off their drivers for 7, or that only applies to drivers and not certificates?

_________________
Previously known as The_Grey_Beast
Post 09 Nov 2009, 17:32
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
AFAIK for signing certificates you pay local authorities, not MS.
Post 09 Nov 2009, 18:13
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
I'll give two answers:

1) Supposing you actually meant "I must use Windows 7":
Perhaps the root authority that signed the site's certificate is not among the ones that come built-in with older Windows versions and hence it cannot be trusted.

2) Supposing no spelling errors:
Win7 removed some authorities for not being trustworthy anymore and the root authority that signed the site's certificate is among them. Reasons for removal could be that the authority proved to be irresponsible in the assignment (like securing them with broken MD5 http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/ )


Note that both answers are just guesses; it may be something else in reality.
Post 09 Nov 2009, 18:41
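Both guesses in the post above (a root missing from the OS trust store, or a chain that depends on MD5 signatures) can be checked on the machine in question. The PowerShell below is an added example, not part of the original thread; the function name Test-CertChain and the file name site.cer are made up for illustration.

```powershell
# Added example: for each certificate given, report how this machine's trust
# stores judge its chain and which hash each link in the chain was signed with.
function Test-CertChain {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip CRL/OCSP lookups so the verdict depends only on local store contents.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($Certificate)

        $depth = 0
        foreach ($element in $chain.ChainElements) {
            $c      = $element.Certificate
            $sigAlg = $c.SignatureAlgorithm.FriendlyName   # e.g. md5RSA, sha1RSA
            # Heuristic: self-issued is treated as a root. A root's own signature is
            # not what trust rests on, so only CA-issued certificates are flagged.
            $isRoot = ($c.Subject -eq $c.Issuer)
            [pscustomobject]@{
                Leaf         = $Certificate.Subject
                ChainTrusted = $trusted
                Depth        = $depth
                Subject      = $c.Subject
                SigAlg       = $sigAlg
                WeakHash     = (-not $isRoot) -and ($sigAlg -match '^md[245]')
                # UntrustedRoot / PartialChain: the issuer is not in this OS's stores.
                Status       = @($element.ChainElementStatus |
                                 ForEach-Object { $_.Status }) -join ','
            }
            $depth++
        }
        $chain.Reset()
    }
}

# Runs offline against the intermediate CAs already present in the local store.
Get-ChildItem Cert:\LocalMachine\CA | Test-CertChain |
    Where-Object { $_.WeakHash -or -not $_.ChainTrusted } |
    Format-Table Depth, Subject, SigAlg, WeakHash, Status -AutoSize

# For one site: export its certificate from the browser (site.cer is a placeholder).
# New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
#     (Resolve-Path .\site.cer).Path | Test-CertChain
```

Running the same export through this function on two Windows versions shows whether the difference lies in the root store (Status differs) or in the certificate itself (SigAlg and WeakHash are identical on both).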
sleepsleep



Joined: 05 Oct 2006
Posts: 8877
Location: ˛                             ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣Posts: 334455
sleepsleep
Thanks guys.
I contacted the IT firm already and asked them what their software requirements are for my customer project. If they want Vista, then I will switch those 7 licenses to Vista.

Quote:

Weird... maybe Windows 7 enforces more strict certificate checking, and they have their certificate fucked-up somehow? (e.g. self-signed)

But such enforcing would be quite a drastic move.

Their certificate is signed by VeriSign.

The browser in Win7 is IE8, Vista is IE7. (I actually thought the problem is more to do with the browser version; btw Firefox wouldn't work because the online website doesn't support it.)

Quote:

2) Supposing no spelling errors:
Win7 removed some authorities for not being trustworthy anymore and the root authority that signed the site's certificate is among them. Reasons for removal could be that the authority proved to be irresponsible in the assignment (like securing them with broken MD5 http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/ )

Yeah, no spelling mistake.
I tried Google but so far I haven't found any solution.
Their online web application uses Java bean; somehow I think their back-end has not yet added Windows 7, because when they create a certificate online, the user is required to key in what Windows they are using.
Post 09 Nov 2009, 22:52
rugxulo



Joined: 09 Aug 2005
Posts: 2341
Location: Usono (aka, USA)
rugxulo
sleepsleep wrote:

The browser in Win7 is IE8, Vista is IE7. (I actually thought the problem is more to do with the browser version; btw Firefox wouldn't work because the online website doesn't support it.)


Maybe by default, but you can upgrade to IE8 on Vista. Heck, this XP computer here has IE8 now (although I never use it, typically Firefox or Chrome).
Post 12 Nov 2009, 16:00
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
Borsuc wrote:
Mustn't people pay a hefty sum to MS to sign off their drivers for 7, or that only applies to drivers and not certificates?
Driver signing is a "bit more work" than just getting an SSL certificate - I'm pretty sure there was a thread with some decent information about it at DonationCoder, but I can't find it right now. But here's a couple of Microsoft links:
http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx
http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx

It boils down to...
1) having to set up a company (as legal identity), with correct contact information etc., which your code signing Cert will be issued to.
2) pay an annual fee for the code signing license.

There's more than one Certificate Authority you can use, and prices do differ.

While you're still in your development cycle, you can boot in test-signing mode and use self-signed drivers - but this won't work on end-user machines at all (unless you get them to boot in test-signing mode, but... that's not an option, imho). This is for 64-bit OSes btw, 32-bit are a bit less paranoid.

_________________
Image - carpe noctem
Post 16 Nov 2009, 08:50
Borsuc



Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
Borsuc
I hate MS. Why the fuck don't they just allow the user whether to accept the driver or not? Mad
Post 16 Nov 2009, 19:51
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
Borsuc wrote:
I hate MS. Why the fuck don't they just allow the user whether to accept the driver or not? Mad
I'm in mixed minds about it.

Users are stupid (period!), and drivers are where you get the really really nasty pieces of malware from. And even excluding malware, it's nice requiring at least a bit of responsibility from driver developers, since 3rd party drivers are one of the biggest factors in Windows stability.

On the other hand, part of the reason for the driver signing is very likely combating attacks against the Protected Video Path kernel DRM... and while the code signing licenses aren't insanely expensive, it's out of the reach for some hobbyist developers - and I'm really not fond of the annual licensing scheme.

All in all, though, I find signed drivers to be a pretty good idea. As usual it's the implementation and "bureaucratic structure" I'm not too fond of.

_________________
Image - carpe noctem
Post 16 Nov 2009, 19:59
Borsuc



Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
Borsuc
My computer uses signed drivers too (Windows XP 32-bit), but I can accept "unsigned drivers", it's MY computer after all. That's what I hate. I want to be informed but I want to be given the damn option, not let MS decide for me.

_________________
Previously known as The_Grey_Beast
Post 16 Nov 2009, 20:14
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
Well, in a way it would be kinda nice if 64-bit Windows would allow administrators to install their own certificates in the keystore - but then again, that would make the system vulnerable to rogue code automating this process.

But hey, I'm also a fan(!) of UAC, even if I'm not that big a fan of how it's implemented and how you have to interface with it as a programmer.
Post 16 Nov 2009, 20:23
Borsuc



Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
Borsuc
Why not allow it only when booting as a real admin, i.e. safe mode? Or some other special "driver install" mode...

_________________
Previously known as The_Grey_Beast
Post 17 Nov 2009, 01:27
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17260
Location: In your JS exploiting you and your system
revolution
Borsuc wrote:
My computer uses signed drivers too (Windows XP 32-bit), but I can accept "unsigned drivers", it's MY computer after all. That's what I hate. I want to be informed but I want to be given the damn option, not let MS decide for me.
Yes, it is your computer but it is not your OS. You are not forced to run Windows, so MS can enforce anything they want to. If people don't like it (like Vista) then they won't buy it. If MS make it so obnoxious that users find it too awful then MS lose money. It just becomes a trade-off between MS locking down THEIR OS to keep it "pure" and users getting pissed off with restrictions.
Post 17 Nov 2009, 01:38
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
Borsuc wrote:
Why not allow it only when booting as a real admin, i.e. safe mode? Or some other special "driver install" mode...
You already have a "testsigning" mode that will let you do - basically - what you want. There are two drawbacks to it, however:

1) it prints "testsigning mode" (or whatever) across your desktop.
2) it disables Protected Video Path components, so no HD material playback.

I do kinda think it's an acceptable solution... while I don't agree with the whole PVP crap, I can understand why MS wants to protect it.

revolution: yes, Microsoft is free to do whatever they want (well, almost) - that doesn't make it any more right, though.

_________________
Image - carpe noctem
Post 17 Nov 2009, 14:36
r22



Joined: 27 Dec 2004
Posts: 805
r22
That damn Man in the Middle ruins everything. Forcing us to slow down the internet with SSL/TLS/HTTPS/SFTP/SSH, what a jerk!

I want my plain text and 64-bit encoding back!

Certificate Authorities are the biggest scams ever, they're like a free money printing press. I'll charge you X dollars a year to hold 1KB of information on you and give you some big prime numbers. They spit in the face of net neutrality and have monopolized Internet security.

Unfortunately, there's no better (easier/convenient/quickly adopted/just as secure) alternative.
Post 17 Nov 2009, 17:08
Copyright © 1999-2020, Tomasz Grysztar.