Guest Jaelani
Posted September 26, 2008

Hello,

Many program files such as EXEs, DLLs, OCXs etc. have an embedded digital certificate viewable from their file property dialog. I know that when a file's certificate is no longer valid (not expired), it means that it somehow has been modified.

Correct me if I'm wrong. But any programmer that knows how to properly embed a certificate can use fake names in the certificate (e.g. Symantec, Google, Microsoft, etc.) or look-alike names since anyone can make their own valid certificate. So my question is, how do I know if a certificate really does come from the intended source? What can I do to check the trustability of a digital certificate?

Here's an example. Most users care more about the software rather than the details of the company/author that made the software. The real company name is "XYZ, Corp." but stated as "XYZ, Inc." in the digital certificate (a fake software in this case). Unfortunately, the users only know that the software was made by a company named "XYZ" and it's quite well known. The result is that those users are victims of irresponsible people.

This case is similar to a fake but legitimate-looking website that asks for user passwords.

Could someone please enlighten me?
Thank you.

Regards,
Jaelani.

Guest John Wunderlich
Posted September 26, 2008

Re: Digital certificate trustability

Jaelani <jaejunks@googlemail.com> wrote in news:d5652609-c759-4ac5-aeb7-2f8c791119ba@m45g2000hsb.googlegroups.com:

> Could someone please enlighten me?

Sure. Anybody can create a certificate.

But for it to be Trusted, a certificate should be digitally signed by a company that is in the business of verifying legitimacy of the certificate's owners. If you go to your Control Panel and look up:

Internet Options -> Content -> Certificates

There is a tab labeled "Trusted Root Certification Authorities" which lists certificates of entities that are trusted by Windows. If a certificate is digitally signed by one of these trusted certificates (and the signature verifies), then the legitimacy of the certificate is established.

Many times in my experience, Firefox has complained that a certificate is only self-signed (and thus not counter-signed by an authority) so I know that I should be cautious of that certificate.

HTH,
John

Guest Allan
Posted September 27, 2008

Re: Digital certificate trustability

"Jaelani" <jaejunks@googlemail.com> wrote in message news:d5652609-c759-4ac5-aeb7-2f8c791119ba@m45g2000hsb.googlegroups.com...

> Many program files such as EXEs, DLLs, OCXs etc. have an embedded digital
> certificate viewable from their file property dialog. I know that when
> a file's certificate is no longer valid (not expired), it means that
> it somehow has been modified.

The certificate can also be revoked prior to its expiration. When you create a certificate you also should create a revocation certificate in case the certificate becomes compromised or in case you decide to revoke it for any reason.

> Correct me if I'm wrong. But any programmer that knows how to properly
> embed a certificate can use fake names in the certificate (e.g.
> Symantec, Google, Microsoft, etc.) or look-alike names since anyone
> can make their own valid certificate. So my question is, how do I know
> if a certificate really does come from the intended source? What can I
> do to check the trustability of a digital certificate?

The certificate store and the OS handle this automatically for you. You may receive messages about untrusted publishers and execution may be blocked until you explicitly decide to "trust" the publisher. Ultimately you can still make the decision whether to trust the publisher or not. You may be offered updates to the "Trusted Root Certificates" every few months.

Guest Jaelani
Posted September 27, 2008

Re: Digital certificate trustability

Hmm. If I understand this correctly, the most important thing to check is the root certificate that issued the embedded certificate.

When viewing the root certificate from the nested file property dialogs, how do I know if it's listed as a trusted root certificate? I mean, without going to the control panel to bring up the Certificate list.

Guest Jaelani
Posted September 27, 2008

Re: Digital certificate trustability

> The certificate store and the OS handle this automatically for you. You may
> receive messages about untrusted publishers and execution may be blocked
> until you explicitly decide to "trust" the publisher. Ultimately you can
> still make the decision whether to trust the publisher or not. You may be
> offered updates to the "Trusted Root Certificates" every few months.

I use Windows XP Professional with Service Pack 2. The only warning message about an untrusted certificate publisher is when I installed a new driver or updated the old one. I never got any warning when running newly downloaded software which has an embedded certificate. Does this mean I never encountered any untrusted certificate yet? Or Windows doesn't check embedded certificates in EXE files?

Guest John Wunderlich
Posted September 27, 2008

Re: Digital certificate trustability

Jaelani <jaejunks@googlemail.com> wrote in news:bccbf93e-0c6f-4b43-8ec3-49f3cfd04d89@59g2000hsb.googlegroups.com:

> Hmm. If I understand this correctly, the most important thing to
> check is the root certificate that issued the embedded certificate.
>
> When viewing the root certificate from the nested file property
> dialogs, how do I know if it's listed as trusted root certificate?
> I mean, without going to the control panel to bring up the
> Certificate list.

Usually these checks are done for you by the web browser. You are notified if something isn't right.

--
John

Guest John Wunderlich
Posted September 27, 2008

Re: Digital certificate trustability

See also "Certificates Technical Reference"

<http://technet.microsoft.com/en-us/library/cc785237.aspx>

HTH,
John
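
Added example, not part of any post in this thread: a PowerShell function that performs the check discussed above without opening the Control Panel certificate list. It reports whether the file's embedded signature verifies, the exact publisher name in the certificate, and whether the chain ends at a certificate in a Trusted Root store. The function name `Test-PublisherSignature`, its parameters and the sample path and name are assumptions made for the example.

```powershell
# Added example. Test-PublisherSignature and its parameter names are assumptions,
# not code from the thread. Run it on the machine whose trust store you rely on.
function Test-PublisherSignature {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Exact name you expect in the certificate, e.g. 'XYZ, Corp.' (placeholder)
        [Parameter(Mandatory = $true)][string]$ExpectedPublisher
    )

    # Status is 'Valid' only if the file hash matches the signature AND the
    # signer chains to a root this machine trusts.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Trusted = $false }
    }
    $cert = $sig.SignerCertificate

    # Rebuild the chain so each issuer up to the root can be listed.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'       # also ask whether the cert was revoked
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    if ($sig.TimeStamperCertificate) {
        # A timestamped signature stays valid after the signing cert expires.
        $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
    }
    $null = $chain.Build($cert)
    # Last element found; with an incomplete chain this is not a real root
    # and the store lookup below will simply not find it.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Is that last certificate really in a Trusted Root store?
    $rootTrusted = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint }).Count -gt 0

    # Subject name as the CA issued it; compared case-sensitively and in full,
    # so 'XYZ, Inc.' does not pass for 'XYZ, Corp.'.
    $publisher = $cert.GetNameInfo('SimpleName', $false)

    [pscustomobject]@{
        Path               = $Path
        Status             = $sig.Status
        Publisher          = $publisher
        PublisherMatches   = ($publisher -ceq $ExpectedPublisher)
        Issuers            = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        RootInTrustedStore = $rootTrusted
        ChainProblems      = @($chain.ChainStatus | ForEach-Object { $_.Status })
        Trusted            = ($sig.Status -eq 'Valid' -and $rootTrusted)
    }
}

# Example call (path and name are placeholders):
# Test-PublisherSignature -Path 'C:\Downloads\setup.exe' -ExpectedPublisher 'XYZ, Corp.'
```

A `Valid` status with `PublisherMatches` false is the look-alike case from the original question: the signature is genuine, but it belongs to a different legal entity than the one you expected.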

Guest Allan
Posted September 29, 2008

Re: Digital certificate trustability

"Jaelani" <jaejunks@googlemail.com> wrote in message news:a946b03a-22f2-4a23-a5a4-3ddc15a3d83f@x35g2000hsb.googlegroups.com...

> I use Windows XP Professional with Service Pack 2. The only warning
> message about an untrusted certificate publisher is when I installed a
> new driver or updated the old one. I never got any warning when
> running newly downloaded software which has an embedded certificate. Does
> this mean I never encountered any untrusted certificate yet? Or
> Windows doesn't check embedded certificates in EXE files?

You may be "lucky" or only download software whose publisher has used valid certificates. Sooner or later you will encounter this and it will be your decision as to whether to "trust" a publisher or a download from an "unknown" publisher. Some software comes with separate PGP signature files that you can verify manually along with the byte count or encryption-based checksums.

--
Allan

Guest Jaelani
Posted September 29, 2008

Re: Digital certificate trustability

Thank you, although that is quite way over my head.

John Wunderlich wrote:
> See also "Certificates Technical Reference"
>
> <http://technet.microsoft.com/en-us/library/cc785237.aspx>
>
> HTH,
> John

Guest Jaelani
Posted September 29, 2008

Re: Digital certificate trustability

I only consider myself as lucky when trying new software from a new company/author that doesn't use digital signatures (more than 50%, AFAIK). But fortunately, there is virtualization software which is very useful for trying new software.

Allan wrote:
> You may be "lucky" or only download software whose publisher has used valid
> certificates. Sooner or later you will encounter this and it will be your
> decision as to whether to "trust" a publisher or a download from an
> "unknown" publisher. Some software comes with separate PGP signature files
> that you can verify manually along with the byte count or encryption-based
> checksums.
>
> --
> Allan