

StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

reply to Mele20

Re: Adobe's code signing certificate has been stolen

said by Mele20:

From your link:
That article is irrelevant as far as to why Adobe has allowed the code signing cert for the CURRENT Flash Player to lapse today.

Agreed. As to why Adobe chose to use a soon-to-expire certificate--who knows. But as I showed above they use multiple certificates. Again I'm not sure why. Different divisions within the company perhaps. Or maybe they use randomly selected certificates to match their randomly generated programming
--
Don't feed trolls--it only makes them grow!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Mele20
Trusted root certificates that are required by Windows 2000, by Windows XP, and by Windows Server 2003

Some certificates that are listed in the previous tables have expired. However, these certificates are necessary for backward compatibility. Even if there is an expired trusted root certificate, anything that was signed by using that certificate before the expiration date requires that the trusted root certificate be validated. As long as expired certificates are not revoked, they can be used to validate anything that was signed before their expiration.

For more information about how to remove root certificates from the store, click the following article number to view the article in the Microsoft Knowledge Base:
293819 How to remove a root certificate from the Trusted Root Store

»support.microsoft.com/kb/293781
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to StuartMW
Aside from Adobe's motives, or whatever with them, why does the Properties box claim the cert is "OK" when I downloaded Flash Player installer AFTER the expiration time today? The cert is NOT "OK" and that is a bit scary that the Properties box claims otherwise.

As for Adobe using multiple certs with different expiration dates for the same Flash Player version that is crazy and certainly not of benefit to the user. (But then since when has Adobe been concerned with benefiting the user)?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to Name Game
said by Name Game:

As long as expired certificates are not revoked, they can be used to validate anything that was signed before their expiration.

Yup, but IMO it's bad practice to use a certificate that will expire within weeks. But as Blackbird said, that version of Flash would be stale/moldy by then anyway.
--
Don't feed trolls--it only makes them grow!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to MagnusM
I would assume if you were on a server and the IT guys had it set up..you might not be able to install it or would get a warning.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit
reply to Mele20
said by Mele20:

The cert is NOT "OK" and that is a bit scary that the Properties box claims otherwise.

I posted the explanation of that above. The message didn't say the cert was ok; it said the signature was ok! They're different things.

cert ==> use to create digital signature

cert != digital signature
--
Don't feed trolls--it only makes them grow!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

3 edits
reply to Mele20
My cert for the Google Chrome Adobe Flash does not expire until Dec 2012 as I recall.

It is a 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88 which is a compromised cert... I could care less since we already know the files out there in the wild that used this cert and they certainly are not adobe stuff..


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit
reply to Mele20
said by Mele20:

As for Adobe using multiple certs with different expiration dates for the same Flash Player version that is crazy...

+100



--
Don't feed trolls--it only makes them grow!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 recommendation

reply to Name Game
I figured it out. I didn't pay enough attention to the fact there is a countersigner to the Adobe digital signature that has expired. The countersigner is Symantec Time Stamping Countersigner and it doesn't expire until December 31, 2012.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
Purpose for that one is to attest the thing was signed with the current time.

The adobe cert purpose was to..

. Ensures software came from the software publisher
and
. Protects the software from alteration after publication

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable
reply to MagnusM
the "certificate" is expired.. i am not sure what this means, or what it indicates..

i have "flash player build 10.3.183.25" which is timestamped 9/16/2012..


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
It indicates just what the info states;

. Ensures software came from the software publisher
and
. Protects the software from alteration after publication

And I assume you downloaded and installed it before 10/1/2012

AND you know where it came from.

is that the IE or non IE version ?

»www.oldapps.com/flash_player.php···yer=8243
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to MagnusM
I am ready for HTML5 to become ubiquitous so that everyone can dump Flash once and for all. There are already free and open codecs out there for the audio/video decoding.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
I see it as a backup not a replacement

»en.wikipedia.org/wiki/Comparison···nd_Flash


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2

1 recommendation

said by Name Game:

I see it as a backup not a replacement

»en.wikipedia.org/wiki/Comparison···nd_Flash

Well, the problem is the non-free codecs. The HTML5 specification originally listed the codecs to be used (Ogg/Theora). Of course this pissed off all the companies looking to make a dollar off their compression patents. And then you have M$ being M$ and refusing to support open formats in IE (all it supports is H.264). Meanwhile Firefox, Chrome and Opera all support WebM and Ogg/Theora. Google said they plan to drop support for H.264 altogether in Chrome (which caused a lot of consternation from M$ bloggers).

This leaves IE and Safari as the only two major browsers not to support the free codecs.

Apple is actually on Google's side too, but they are afraid of patent trolls waiting to sue over the use of Theora/WebM, etc. Indeed Steve Jobs said publicly he is tired of Flash and wants to see HTML5 replace it. However, Apple does not want the HTML5 specification to require any specific codec. (And Apple has a point, as HTML does not specify image formats, for example). Therefore, Safari still only supports H.264 as of now.

Google purchased On2 which is a company that developed a competing codec known as VP8. On2 did this behind closed doors, so it was essentially just as closed and proprietary as H.264. But then Google bought them. What did Google do? They opened the source-code and made the codec royalty and license free (now known as WebM). Mozilla and Opera gave their full support to this move as did the Free Software Foundation.

So it all boils down to everyone having their own interests. It is not a technological problem at all. Ogg/Theora/WebM are fully capable of providing high quality audio/video over the web. It's more about trying to get various companies to stop treating free and open formats as the devil.

But we will probably be stuck with a bunch of competing formats for a number of years to come. A lot of sites may adopt HTML5 but many won't. So it will boil down to what your browser supports.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They dont want to change; they are happy with slowly dying inside. -- munky99999


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to Name Game
said by Name Game:

The adobe cert purpose was to..

. Ensures software came from the software publisher
and
. Protects the software from alteration after publication

Exactly.

And to get back to the original topic the fact that a legitimate Adobe certificate was used to sign malware is important because

1) The package seems to originate from Adobe.

2) The package was not altered.

The whole point of digital signing is to show that the package is legitimate and can be trusted. If certs are stolen (as in the Microsoft case) or can be used for signing (Adobe case) they become useless IMO.

--
Don't feed trolls--it only makes them grow!


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
said by StuartMW:

The whole point of digital signing is to show that the package is legitimate and can be trusted. If certs are stolen (as in the Microsoft case) or can be used for signing (Adobe case) they become useless IMO.

only if revoked
--
--Standard disclaimers apply.--


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to MagnusM
Post please if you personally first check the certs from any Adobe product before you install it.


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
said by Name Game:

Post please if you personally first check the certs from any Adobe product before you install it.

it isn't automatic?
--
--Standard disclaimers apply.--


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET
said by AVD:

said by Name Game:

Post please if you personally first check the certs from any Adobe product before you install it.

it isn't automatic?

In most cases signature verification of a certificate against known certificate authorities is automatic since this can be done against a locally stored list of trusted CAs. Checking of CRLs (certificate revocation lists) is usually not automatic since it requires Internet access.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!
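
Added example, not part of any post in this thread: a simplified Python model of the rules discussed above, covering Mele20's finding that a timestamp countersignature keeps a signature valid after the signer certificate expires, and leibold's point that revocation may never be checked. The class and function names and all dates are constructed for illustration; any revocation is treated as disqualifying, as in the quoted KB text.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class SignerCert:
    not_before: datetime
    not_after: datetime
    # True/False = a CRL was consulted; None = revocation never checked
    revoked: Optional[bool] = None

@dataclass
class Signature:
    cert: SignerCert
    digest_matches: bool                  # file unchanged since it was signed
    timestamp: Optional[datetime] = None  # signing time attested by a countersigner

def evaluate(sig: Signature, now: datetime) -> str:
    """Hypothetical helper: simplified model of the rules quoted in the thread."""
    if not sig.digest_matches:
        return "REJECT: file altered after signing"
    if sig.cert.revoked:
        return "REJECT: signer certificate revoked"
    # A timestamp countersignature pins the signing time; without one the
    # certificate has to be valid at verification time instead.
    when = sig.timestamp or now
    basis = "signing time" if sig.timestamp else "verification time"
    if not (sig.cert.not_before <= when <= sig.cert.not_after):
        return f"REJECT: certificate not valid at {basis}"
    if sig.cert.revoked is None:
        return "OK, but revocation was not checked"
    return "OK"

# Constructed sample data: the certificate expired the day before NOW.
NOW = datetime(2012, 10, 2)
SIGNED = datetime(2012, 9, 16)

def cert(revoked: Optional[bool] = None) -> SignerCert:
    return SignerCert(datetime(2010, 10, 1), datetime(2012, 10, 1), revoked)

if __name__ == "__main__":
    print(evaluate(Signature(cert(False), True, SIGNED), NOW))  # timestamped
    print(evaluate(Signature(cert(False), True), NOW))          # no timestamp
    print(evaluate(Signature(cert(None), True, SIGNED), NOW))   # CRL skipped
    print(evaluate(Signature(cert(True), True, SIGNED), NOW))   # revoked
```

The third case is the one to watch in practice: the signature reports as fine only because nothing asked the CA whether the certificate had been revoked.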


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
that may be the default


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to AVD
said by AVD:

said by Name Game:

Post please if you personally first check the certs from any Adobe product before you install it.

it isn't automatic?

NO.. and i did not generalize that question..I am talking about Adobe and these updates they give specifically.

Certificates

Using Certificates for Code Signing

Certificates can also be used to verify the authenticity of software code that you download from the Internet, install from your company intranet, or purchase on CD-ROM and install on your computer. Unsigned software—software that doesn’t have a valid software publisher’s certificate—can pose a risk to your computer and the information you store on your computer.

When software is signed with a valid certificate from a trusted CA, you know that the software code hasn’t been tampered with and can be safely installed on your computer. During software installation, you’re prompted to verify that you trust the software manufacturer (for example, Microsoft Corporation). You might also be offered the option to always trust software content from that particular software manufacturer. If you choose to trust content from the manufacturer, its certificate goes into your certificate store and other software installations of its products can occur with a circumstance of predefined trust. In the circumstance of predefined trust, you can install software from the manufacturer without being prompted to indicate whether it’s trusted; the certificate on your computer states that you trust the manufacturer of the software.

»technet.microsoft.com/en-us/libr···805.aspx
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

1 recommendation

reply to AVD
said by AVD:

that may be the default

I'm sorry if I was unclear but I did mean default behavior. I remember seeing a site that had a nice overview showing which software did not implement CRL checking at all and which software supported CRL checking but had it disabled by default (I'm not sure if there was any that had CRL checking enabled by default).
Of course, I can't find it now

Another issue related to CRLs (not applicable to the current topic) is whether only the presented certificate is being checked or whether all the certificates in the signing chain are checked for revocation as well (should you still trust a certificate if the intermediate or root CA certificate was revoked ?).
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to MagnusM

Adobe also revoked a certificate in Sept. 2010 (Thawte, ser.no 026c21adeccb1c1987a5d38ce24167ce). Used on a malicious CAB file.

Since I'm digging...another Adobe cert (UTN-USERFirst-Object, ser. no 00E7817F8DBDB2740D495EFAB67DB867A4) revoked in 2007. Malware.

»twitter.com/aelgum/status/253496875859202048

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Name Game
That's what IE does. Don't assume other browsers do what IE does.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
said by Mele20:

That's what IE does. Don't assume other browsers do what IE does.

Does what ?

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
I wish the forum software would let us add "auto quote" to a post when we edit that post. I didn't auto quote you and saw that was a mistake AFTER I posted and then I couldn't add auto quote when I tried to edit the post. So, I just left it confusing.

Not all browsers handle a certificate store like IE does.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
OK well the stores are a function of the OS for downloaded software.. I guess you mean the certs for various secure websites one visits..

»dev.chromium.org/Home/chromium-s···a-policy

»www.poweradmin.com/help/sslhints/Chrome.aspx

»superuser.com/questions/347588/h···ins-work

I think Opera has a Certificaterevocationlistsforssl thing for those cases and found here opera:config#SecurityPrefs|Certificaterevocationlistsforssl
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to Mele20
said by Mele20:

I wish the forum software would let us add "auto quote" to a post when we edit that post.

I use this trick. I start editing the post without quotes. Then I open another tab/window and do a reply/quote on the post I'm replying to. Then I copy'n'paste.
--
Don't feed trolls--it only makes them grow!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
That is a good idea.....if I can remember it!