Digital certificate trustability

Thread starter: Jaelani
Hello,

Many program files such as EXEs, DLLs, OCXs etc. have an embedded digital
certificate viewable from their file property dialog. I know that when
a file's certificate is no longer valid (not expired), it means that
it somehow has been modified.

Correct me if I'm wrong. But any programmer who knows how to properly
embed a certificate can use fake names in the certificate (e.g.
Symantec, Google, Microsoft, etc.) or look-alike names since anyone
can make their own valid certificate. So my question is, how do I know
if a certificate really does come from the intended source? What can I
do to check the trustability of a digital certificate?

Here's an example. Most users care more about the software rather than
the details of the company/author that made the software. The real
company name is "XYZ, Corp." but stated as "XYZ, Inc." in the digital
certificate (fake software in this case). Unfortunately, the users
only know that the software was made by a company named "XYZ" and it's
quite well known. The result is that those users are victims of
irresponsible people.

This case is similar to a fake but legitimate-looking website that
asks for user passwords.

Could someone please enlighten me?
Thank you.


Regards,
Jaelani.
 
RE: Digital certificate trustability

My name nass. I fix your computer very goodly; but, not for FREE
You click my business link below, give me money. I do very, very good job.
Take no notice of my detractors here.
..
Credit card or cash.

Click, click link: http://www.nasstec.co.uk

--
HTH,
nass
----
http://www.nasstec.co.uk


"Jaelani" wrote:

> Hello,
>
> Many program files such as EXEs, DLLs, OCXs etc. have an embedded digital
> certificate viewable from their file property dialog. I know that when
> a file's certificate is no longer valid (not expired), it means that
> it somehow has been modified.
>
> Correct me if I'm wrong. But any programmer who knows how to properly
> embed a certificate can use fake names in the certificate (e.g.
> Symantec, Google, Microsoft, etc.) or look-alike names since anyone
> can make their own valid certificate. So my question is, how do I know
> if a certificate really does come from the intended source? What can I
> do to check the trustability of a digital certificate?
>
> Here's an example. Most users care more about the software rather than
> the details of the company/author that made the software. The real
> company name is "XYZ, Corp." but stated as "XYZ, Inc." in the digital
> certificate (fake software in this case). Unfortunately, the users
> only know that the software was made by a company named "XYZ" and it's
> quite well known. The result is that those users are victims of
> irresponsible people.
>
> This case is similar to a fake but legitimate-looking website that
> asks for user passwords.
>
> Could someone please enlighten me?
> Thank you.
>
>
> Regards,
> Jaelani.
>
 
RE: Digital certificate trustability



Why can't you use your real name <Mick Murphy> to post your filthy racist
abusive mouthy attack?
At least now he is calling himself Mad Mike, but soon will call himself REAL
TROLL Mick Murphy.

Please ignore his childish act; he's a REAL TROLL in the newsgroup.
The TROLL's First Attack and Utter Nonsense:
http://www.microsoft.com/communitie...dc2d504ce9ef&lang=en&cr=US&sloc=en-us&m=1&p=1

This Troll is going nuts but I like having a laugh <G>
Does your FBI/High-Tech Crime Squad have a psychiatrist friend to sort you out?
I think you said it all by saying this:
<Quote from the TROLL Post>
And once I get hold of someone like him,
I never let go... NEVER.
Well, maybe.
Someone stalked me in the Vista groups and
impersonated me until I finally backed off and
played nice.
It cramped my style, and so I came here to play.
WATCH OUT FOOL. Or you'll be next on my list!
</Quote>
<Another Quote from the Troll post>
Remember, I have friends in the High-Tech Crime Squad who
have friends in the FBI!!!
I can make BIG trouble for you, you faggot!!!
</Quote>
<And another Quote from the Troll>
Ask the little boys over in the Vista groups about me.
THEY can vouch for how BAD I am!!!
So you came here to upset the peace of this NG old fart lol
</Quote>
<and another Quote from the old Fart lol>
And I'm a nasty old fart when I get CRANKED UP!!!
Be WARNED, faggot!!!!
< end of Farting <g>>
What a TROLL!!!
I really can't hold myself from laughing at this Troll. I think we have a case
of a sick-minded person who needs treatment.
Any psychiatrist out there, give us some advice and some medication to help
him out?
Thank you.

Useless at best, if not harmful; avoid his utter nonsense advice.
Hope you like your new name REAL TROLL RT < previously known as Mick
Murphy>.

Shame!!!
nass
---
http://www.nasstec.co.uk

"fake nass impersonator mick murphy" wrote:

> My name nass. I fix your computer very goodly; but, not for FREE
> You click my business link below, give me money. I do very, very good job.
> Take no notice of my detractors here.
> .
> Credit card or cash.
>
> Click, click link: http://www.nasstec.co.uk
>
> --
> HTH,
> nass
> ----
> http://www.nasstec.co.uk
>
>
> "Jaelani" wrote:
>
> > Hello,
> >
> > Many program files such as EXEs, DLLs, OCXs etc. have an embedded digital
> > certificate viewable from their file property dialog. I know that when
> > a file's certificate is no longer valid (not expired), it means that
> > it somehow has been modified.
> >
> > Correct me if I'm wrong. But any programmer who knows how to properly
> > embed a certificate can use fake names in the certificate (e.g.
> > Symantec, Google, Microsoft, etc.) or look-alike names since anyone
> > can make their own valid certificate. So my question is, how do I know
> > if a certificate really does come from the intended source? What can I
> > do to check the trustability of a digital certificate?
> >
> > Here's an example. Most users care more about the software rather than
> > the details of the company/author that made the software. The real
> > company name is "XYZ, Corp." but stated as "XYZ, Inc." in the digital
> > certificate (fake software in this case). Unfortunately, the users
> > only know that the software was made by a company named "XYZ" and it's
> > quite well known. The result is that those users are victims of
> > irresponsible people.
> >
> > This case is similar to a fake but legitimate-looking website that
> > asks for user passwords.
> >
> > Could someone please enlighten me?
> > Thank you.
> >
> >
> > Regards,
> > Jaelani.
> >
 
Re: Digital certificate trustability

Jaelani <jaejunks@googlemail.com> wrote in
news:d5652609-c759-4ac5-aeb7-2f8c791119ba@m45g2000hsb.googlegroups.com:

> Many program files such as EXEs, DLLs, OCXs etc. have an embedded
> digital certificate viewable from their file property dialog. I
> know that when a file's certificate is no longer valid (not
> expired), it means that it somehow has been modified.
>
> Correct me if I'm wrong. But any programmer who knows how to
> properly embed a certificate can use fake names in the certificate
> (e.g. Symantec, Google, Microsoft, etc.) or look-alike names since
> anyone can make their own valid certificate. So my question is,
> how do I know if a certificate really does come from the intended
> source? What can I do to check the trustability of a digital
> certificate?
>
> Here's an example. Most users care more about the software rather
> than the details of the company/author that made the software. The
> real company name is "XYZ, Corp." but stated as "XYZ, Inc." in the
> digital certificate (fake software in this case). Unfortunately,
> the users only know that the software was made by a company named
> "XYZ" and it's quite well known. The result is that those users are
> victims of irresponsible people.
>
> This case is similar to a fake but legitimate-looking website that
> asks for user passwords.
>
> Could someone please enlighten me?
>


Sure. Anybody can create a certificate.

But for it to be Trusted, a certificate should be digitally signed by a
company that is in the business of verifying legitimacy of the
certificate's owners. If you go to your Control Panel and look up:
Internet Options -> Content -> Certificates
There is a tab labeled "Trusted Root Certification Authorities" which
lists certificates of entities that are trusted by Windows. If a
certificate is digitally signed by one of these trusted certificates,
(and the signature verifies), then the legitimacy of the certificate is
established.

Many times in my experience, Firefox has complained that a certificate
is only self-signed (and thus not counter-signed by an authority) so I
know that I should be cautious of that certificate.

HTH,
John
 
Re: Digital certificate trustability


"Jaelani" <jaejunks@googlemail.com> wrote in message
news:d5652609-c759-4ac5-aeb7-2f8c791119ba@m45g2000hsb.googlegroups.com...
> Hello,
>
> Many program files such as EXEs, DLLs, OCXs etc. have an embedded digital
> certificate viewable from their file property dialog. I know that when
> a file's certificate is no longer valid (not expired), it means that
> it somehow has been modified.

The certificate can also be revoked prior to its expiration. When you create
a certificate you also should create a revocation certificate in case the
certificate becomes compromised or in case you decide to revoke it for any
reason.
>
> Correct me if I'm wrong. But any programmer who knows how to properly
> embed a certificate can use fake names in the certificate (e.g.
> Symantec, Google, Microsoft, etc.) or look-alike names since anyone
> can make their own valid certificate. So my question is, how do I know
> if a certificate really does come from the intended source? What can I
> do to check the trustability of a digital certificate?

The certificate store and the OS handle this automatically for you. You may
receive messages about untrusted publishers and execution may be blocked
until you explicitly decide to "trust" the publisher. Ultimately you can
still make the decision whether to trust the publisher or not. You may be
offered updates to the "Trusted Root Certificates" every few months.
>
> Here's an example. Most users care more about the software rather than
> the details of the company/author that made the software. The real
> company name is "XYZ, Corp." but stated as "XYZ, Inc." in the digital
> certificate (fake software in this case). Unfortunately, the users
> only know that the software was made by a company named "XYZ" and it's
> quite well known. The result is that those users are victims of
> irresponsible people.
>
> This case is similar to a fake but legitimate-looking website that
> asks for user passwords.
>
> Could someone please enlighten me?
> Thank you.
>
>
> Regards,
> Jaelani.
 
Re: Digital certificate trustability

Hmm. If I understand this correctly, the most important thing to check
is the root certificate that issued the embedded certificate.

When viewing the root certificate from the nested file property
dialogs, how do I know if it's listed as a trusted root certificate? I
mean, without going to the control panel to bring up the Certificate
list.


John Wunderlich wrote:
> Sure. Anybody can create a certificate.
>
> But for it to be Trusted, a certificate should be digitally signed by a
> company that is in the business of verifying legitimacy of the
> certificate's owners. If you go to your Control Panel and look up:
> Internet Options -> Content -> Certificates
> There is a tab labeled "Trusted Root Certification Authorities" which
> lists certificates of entities that are trusted by Windows. If a
> certificate is digitally signed by one of these trusted certificates,
> (and the signature verifies), then the legitimacy of the certificate is
> established.
>
> Many times in my experience, Firefox has complained that a certificate
> is only self-signed (and thus not counter-signed by an authority) so I
> know that I should be cautious of that certificate.
>
> HTH,
> John
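
The check asked for above, done without opening the Certificates dialog, as an added example that is not code from John, Allan or anyone else in this thread. It lets Windows verify the embedded Authenticode signature (Get-AuthenticodeSignature), then builds the certificate chain itself so the issuing root is visible, asks the machine's Trusted Root store whether that root is present, requests CRL/OCSP revocation checking for the whole chain (Allan's point about revocation before expiry), and finally compares the signer's complete subject string, optionally pinned by thumbprint, against the publisher you expected, which is the "XYZ, Corp." versus "XYZ, Inc." problem from the original post. The file path, expected subject and thumbprint are placeholders: the real values have to come from the vendor through some channel other than the download itself. Windows PowerShell 5.1 or later is assumed.

```powershell
# Added example; not code from anyone in this thread.
# Checks an Authenticode-signed file and shows what the property dialog does not:
#  - whether the chain ends in a root present in the machine's Trusted Root store,
#  - whether any certificate in the chain is revoked (CRL/OCSP),
#  - whether the signer is *exactly* the publisher you expected, not a look-alike.
# Assumptions: Windows PowerShell 5.1 or later. The file path, expected subject and
# thumbprint are placeholders; real values come from the vendor by another channel.

function Test-SignedFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Full X.500 subject of the expected publisher. "XYZ, Inc." will not match "XYZ, Corp."
        [string] $ExpectedSubject = 'CN="XYZ, Corp.", O="XYZ, Corp.", L=Somewhere, C=US',
        # Optional SHA-1 thumbprint of the vendor's signing certificate; stronger than a name.
        [string] $ExpectedThumbprint
    )

    # Step 1: Windows verifies the embedded signature. Status is Valid, NotSigned,
    # HashMismatch (file changed after signing), NotTrusted or UnknownError.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $r = [ordered]@{
        Path = $Path; Status = $sig.Status; StatusMessage = $sig.StatusMessage
        Signer = $null; Thumbprint = $null; ChainTop = $null; RootInStore = $false
        ChainErrors = @(); SubjectMatches = $false; Verdict = $false
    }
    if (-not $sig.SignerCertificate) { return [pscustomobject]$r }   # unsigned or unsupported file

    $leaf = $sig.SignerCertificate
    $r.Signer = $leaf.Subject
    $r.Thumbprint = $leaf.Thumbprint

    # Step 2: build the chain ourselves so the issuing root is visible, requesting online
    # revocation checks for every certificate in it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($leaf)
    $r.ChainErrors = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    # Last element is the self-signed root, or the highest certificate found if the chain is partial.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $r.ChainTop = $top.Subject

    # Step 3: is that certificate in Trusted Root Certification Authorities?
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadOnly')
    try     { $r.RootInStore = ($store.Certificates.Find('FindByThumbprint', $top.Thumbprint, $false).Count -gt 0) }
    finally { $store.Close() }

    # Step 4: the name check. Compare the whole subject (or pin the thumbprint); never a
    # substring such as "XYZ", which is exactly what a look-alike name relies on.
    $r.SubjectMatches = ($leaf.Subject -eq $ExpectedSubject)
    if ($ExpectedThumbprint) {
        $r.SubjectMatches = $r.SubjectMatches -and ($leaf.Thumbprint -eq $ExpectedThumbprint.ToUpper())
    }

    # NotTimeValid is tolerated here: Get-AuthenticodeSignature already judged time validity
    # using the countersignature timestamp, which X509Chain knows nothing about.
    $fatal = @($chain.ChainStatus | Where-Object { $_.Status -ne 'NotTimeValid' })
    $r.Verdict = ($sig.Status -eq 'Valid') -and ($fatal.Count -eq 0) -and $r.RootInStore -and $r.SubjectMatches
    [pscustomobject]$r
}

# Usage (placeholder path; the default ExpectedSubject is the thread's "XYZ, Corp." example):
Test-SignedFile -Path 'C:\Downloads\xyz-setup.exe' | Format-List
```

Read the output in this order: Status tells you whether the bytes still match what was signed; ChainTop and RootInStore tell you who vouched for the signer and whether your machine trusts them; SubjectMatches is the only line that answers the original question, because a perfectly valid, trusted-root signature on a certificate issued to "XYZ, Inc." is still not the publisher you wanted. A self-signed or test certificate shows up here as RootInStore false with an UntrustedRoot entry in ChainErrors.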
 
Re: Digital certificate trustability

> The certificate store and the OS handle this automatically for you. You may
> receive messages about untrusted publishers and execution may be blocked
> until you explicitly decide to "trust" the publisher. Ultimately you can
> still make the decision whether to trust the publisher or not. You may be
> offered updates to the "Trusted Root Certificates" every few months.


I use Windows XP Professional with Service Pack 2. The only warning
message about an untrusted certificate publisher is when I installed a
new driver or updated the old one. I never got any warning when
running newly downloaded software which has an embedded certificate. Does
this mean I never encountered any untrusted certificate yet? Or
Windows doesn't check the embedded certificate in EXE files?


Allan wrote:
> > Many program files such as EXEs, DLLs, OCXs etc. have an embedded digital
> > certificate viewable from their file property dialog. I know that when
> > a file's certificate is no longer valid (not expired), it means that
> > it somehow has been modified.

> The certificate can also be revoked prior to its expiration. When you create
> a certificate you also should create a revocation certificate in case the
> certificate becomes compromised or in case you decide to revoke it for any
> reason.
> >
> > Correct me if I'm wrong. But any programmer who knows how to properly
> > embed a certificate can use fake names in the certificate (e.g.
> > Symantec, Google, Microsoft, etc.) or look-alike names since anyone
> > can make their own valid certificate. So my question is, how do I know
> > if a certificate really does come from the intended source? What can I
> > do to check the trustability of a digital certificate?

> The certificate store and the OS handle this automatically for you. You may
> receive messages about untrusted publishers and execution may be blocked
> until you explicitly decide to "trust" the publisher. Ultimately you can
> still make the decision whether to trust the publisher or not. You may be
> offered updates to the "Trusted Root Certificates" every few months.
 
Re: Digital certificate trustability

Jaelani <jaejunks@googlemail.com> wrote in
news:bccbf93e-0c6f-4b43-8ec3-49f3cfd04d89@59g2000hsb.googlegroups.com:

> Hmm. If I understand this correctly, the most important thing to
> check is the root certificate that issued the embedded certificate.
>
> When viewing the root certificate from the nested file property
> dialogs, how do I know if it's listed as a trusted root certificate?
> I mean, without going to the control panel to bring up the
> Certificate list.
>
>


Usually these checks are done for you by the web browser. You are
notified if something isn't right.

-- John
 
Re: Digital certificate trustability

Jaelani <jaejunks@googlemail.com> wrote in
news:bccbf93e-0c6f-4b43-8ec3-49f3cfd04d89@59g2000hsb.googlegroups.com:

> Hmm. If I understand this correctly, the most important thing to
> check is the root certificate that issued the embedded certificate.
>
> When viewing the root certificate from the nested file property
> dialogs, how do I know if it's listed as a trusted root certificate?
> I mean, without going to the control panel to bring up the
> Certificate list.
>
>
> John Wunderlich wrote:
>> Sure. Anybody can create a certificate.
>>
>> But for it to be Trusted, a certificate should be digitally
>> signed by a company that is in the business of verifying
>> legitimacy of the certificate's owners. If you go to your
>> Control Panel and look up: Internet Options -> Content ->
>> Certificates. There is a tab labeled "Trusted Root Certification
>> Authorities" which lists certificates of entities that are
>> trusted by Windows. If a certificate is digitally signed by one
>> of these trusted certificates, (and the signature verifies), then
>> the legitimacy of the certificate is established.
>>
>> Many times in my experience, Firefox has complained that a
>> certificate is only self-signed (and thus not counter-signed by
>> an authority) so I know that I should be cautious of that
>> certificate.
>>
>> HTH,
>> John


See also "Certificates Technical Reference"

<http://technet.microsoft.com/en-us/library/cc785237.aspx>

HTH,
John
 
Re: Digital certificate trustability


"Jaelani" <jaejunks@googlemail.com> wrote in message
news:a946b03a-22f2-4a23-a5a4-3ddc15a3d83f@x35g2000hsb.googlegroups.com...
>> The certificate store and the OS handle this automatically for you. You
>> may
>> receive messages about untrusted publishers and execution may be blocked
>> until you explicitly decide to "trust" the publisher. Ultimately you can
>> still make the decision whether to trust the publisher or not. You may be
>> offered updates to the "Trusted Root Certificates" every few months.

>
> I use Windows XP Professional with Service Pack 2. The only warning
> message about an untrusted certificate publisher is when I installed a
> new driver or updated the old one. I never got any warning when
> running newly downloaded software which has an embedded certificate. Does
> this mean I never encountered any untrusted certificate yet? Or
> Windows doesn't check the embedded certificate in EXE files?
>

You may be "lucky" or only download software whose publisher has used valid
certificates. Sooner or later you will encounter this and it will be your
decision as to whether to "trust" a publisher or a download from an
"unknown" publisher. Some software comes with separate PGP signature files
that you can verify manually along with the byte count or encryption-based
checksums.

--
Allan
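
Allan's manual route, a separate PGP signature file plus a published hash, as an added example that is not Allan's code. It computes the SHA-256 of the download with Get-FileHash and compares it with the value the vendor published, then runs GnuPG's `gpg --verify` on the detached signature and reads the machine-readable VALIDSIG status line to learn which key made the signature. That last step is the caveat a practitioner adds: a signature that "verifies" only proves the file is unchanged since somebody signed it, so the fingerprint of the key is compared with the vendor's known fingerprint as well. It assumes gpg is on PATH with the vendor's public key already imported and PowerShell 4.0 or later (for Get-FileHash); the file names, hash and fingerprint are placeholders.

```powershell
# Added example; not Allan's code. Manual verification of a download against a
# published SHA-256 hash and a detached PGP signature (file.asc or file.sig).
# Assumptions: GnuPG ("gpg") on PATH with the vendor's public key imported;
# PowerShell 4.0+; every file name, hash and fingerprint below is a placeholder.

function Test-DownloadIntegrity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Hash published by the vendor. Get it from somewhere other than the download
        # itself (vendor page over HTTPS, signed release mail): a hash file sitting next
        # to the download on the same mirror only proves the mirror is self-consistent.
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [string] $SignaturePath = "$Path.asc",
        # Fingerprint of the vendor's signing key (40 hex characters), also obtained out-of-band.
        [Parameter(Mandatory)] [string] $ExpectedKeyFingerprint
    )

    $r = [ordered]@{
        Path = $Path; Sha256 = $null; HashMatches = $false
        SignatureVerifies = $false; SignerFingerprint = $null; KeyMatches = $false
        Verdict = $false
    }

    # 1. Hash. A byte count is not a check; the digest is. Get-FileHash returns uppercase hex.
    $r.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $r.HashMatches = ($r.Sha256 -eq ($ExpectedSha256 -replace '\s', '').ToUpper())

    # 2. Detached signature. --status-fd 1 makes gpg print machine-readable status lines
    #    on stdout; "[GNUPG:] VALIDSIG <fingerprint> ..." appears only for a good signature.
    if (Test-Path -LiteralPath $SignaturePath) {
        $lines = & gpg --batch --status-fd 1 --verify $SignaturePath $Path 2>$null
        $r.SignatureVerifies = ($LASTEXITCODE -eq 0)
        $valid = @($lines) | Where-Object { $_ -match '^\[GNUPG:\] VALIDSIG ' } | Select-Object -First 1
        if ($valid) {
            $r.SignerFingerprint = ($valid -split '\s+')[2]
            # 3. The signing key must be the vendor's. Any key in your keyring gives a
            #    "Good signature"; only this comparison makes that result meaningful.
            $r.KeyMatches = ($r.SignerFingerprint -eq ($ExpectedKeyFingerprint -replace '\s', '').ToUpper())
        }
    }

    $r.Verdict = $r.HashMatches -and $r.SignatureVerifies -and $r.KeyMatches
    [pscustomobject]$r
}

# Usage with placeholder values; substitute the vendor's published hash and key fingerprint.
Test-DownloadIntegrity -Path 'C:\Downloads\xyz-setup.exe' `
    -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000' `
    -ExpectedKeyFingerprint '0000000000000000000000000000000000000000' | Format-List
```

The hash and the signature answer different questions. The hash tells you the file you have is the file the vendor described; the signature tells you who described it, and only if you already know, from a source you trust, which key that vendor signs with. A look-alike publisher can publish a matching hash and a perfectly good signature with their own key just as easily as they can buy a certificate in a similar name, which is why the fingerprint comparison is the part that must not be skipped.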
 
Re: Digital certificate trustability

Thank you, although that is quite way over my head.

John Wunderlich wrote:
>
> See also "Certificates Technical Reference"
>
> <http://technet.microsoft.com/en-us/library/cc785237.aspx>
>
> HTH,
> John
 
Re: Digital certificate trustability

I only consider myself lucky when trying new software from a new
company/author that doesn't use digital signatures (more than 50%,
AFAIK). But fortunately, there is virtualization software which is
very useful for trying new software.

Allan wrote:
> You may be "lucky" or only download software whose publisher has used valid
> certificates. Sooner or later you will encounter this and it will be your
> decision as to whether to "trust" a publisher or a download from an
> "unknown" publisher. Some software comes with separate PGP signature files
> that you can verify manually along with the byte count or encryption-based
> checksums.
>
> --
> Allan
 