 StuartMWWho Is John Galt?Premium
join:2000-08-06
Galt's Gulch
kudos:2
 ·CenturyLink
| reply to Mele20
Re: Adobe's code signing certificate has been stolen said by Mele20:From your link:
That article is irrelevant as far as to why Adobe has allowed the code signing cert for the CURRENT Flash Player to lapse today.
Agreed. As to why Adobe chose to use a soon-to-expire certificate--who knows. But as I showed above they use multiple certificates. Again I'm not sure why. Different divisions within the company perhaps. Or maybe they use randomly selected certificates to match their randomly generated programming 
--
Don't feed trolls--it only makes them grow! |
|
 Name GamePremium
join:2002-07-07
North Myrtle Beach, SC
kudos:7 | reply to Mele20
Trusted root certificates that are required by Windows 2000, by Windows XP, and by Windows Server 2003
Some certificates that are listed in the previous tables have expired. However, these certificates are necessary for backward compatibility. Even if there is an expired trusted root certificate, anything that was signed by using that certificate before the expiration date requires that the trusted root certificate be validated. As long as expired certificates are not revoked, they can be used to validate anything that was signed before their expiration.
For more information about how to remove root certificates from the store, click the following article number to view the article in the Microsoft Knowledge Base:
293819 How to remove a root certificate from the Trusted Root Store
»support.microsoft.com/kb/293781
--
Gladiator Security Forum
»www.gladiator-antivirus.com/
|
|
|
|
Mele20Premium
join:2001-06-05
Hilo, HI
kudos:4 | reply to StuartMW
Aside from Adobe's motives, or whatever with them, why does the Properties box claim the cert is "OK" when I downloaded Flash Player installer AFTER the expiration time today? The cert is NOT "OK" and that is a bit scary that the Properties box claims otherwise. 
As for Adobe using multiple certs with different expiration dates for the same Flash Player version that is crazy and certainly not of benefit to the user. (But then since when has Adobe been concerned with benefiting the user)?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson |
|
StuartMWWho Is John Galt?Premium
join:2000-08-06
Galt's Gulch
kudos:2 Reviews:
·CenturyLink
| reply to Name Game
said by Name Game:As long as expired certificates are not revoked, they can be used to validate anything that was signed before their expiration.
Yup, but IMO it's bad practice to use a certificate that will expire within weeks. But as Blackbird  said that version of Flash would be stale/moldy by then anyway.
--
Don't feed trolls--it only makes them grow! |
|
Name GamePremium
join:2002-07-07
North Myrtle Beach, SC
kudos:7 | reply to MagnusM
I would assume if you were on a sever and the IT guys had it set up..you might not be able to install it or would get a warning. |
|
StuartMWWho Is John Galt?Premium
join:2000-08-06
Galt's Gulch
kudos:2 Reviews:
·CenturyLink
1 edit | reply to Mele20
said by Mele20:The cert is NOT "OK" and that is a bit scary that the Properties box claims otherwise.
I posted the explanation of that above. The message didn't say the cert was ok it said the signature was ok! They're different things.
cert ==> use to create digital signature
cert != digital signature
--
Don't feed trolls--it only makes them grow! |
|
Name GamePremium
join:2002-07-07
North Myrtle Beach, SC
kudos:7
3 edits | reply to Mele20
my cert for the google chrome adobe flash does not expire until dec 2012 as I recall.
It is a 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88 which is a compromised cert... I could care less since we already know the files out there in the wild that used this cert and they certainly are not adobe stuff.. |
|
StuartMWWho Is John Galt?Premium
join:2000-08-06
Galt's Gulch
kudos:2 Reviews:
·CenturyLink
1 edit | reply to Mele20
said by Mele20:As for Adobe using multiple certs with different expiration dates for the same Flash Player version that is crazy...
+100
--
Don't feed trolls--it only makes them grow! |
|
Mele20Premium
join:2001-06-05
Hilo, HI
kudos:4 | reply to Name Game
I figured it out. I didn't pay enough attention to the fact there is a countersigner to the Adobe digital signature that has expired. The countersigner is Symantec Time Stamping Countersigner and it doesn't expire until December 31, 2012.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson |
|
Name GamePremium
join:2002-07-07
North Myrtle Beach, SC
kudos:7
1 edit | Purpose for that one is to attest the thing was signed with the current time.
The adobe cert purpose was to..
. Ensures software came from the software publisher
and
. Protects the software from alteration after publication |
|
| reply to MagnusM
the "certificate" is expired.. i am not sure what this means, or what it indicates..
i have "flash player build 10.3.183.25" which is timestamped 9/16/2012.. |
|
Name GamePremium
join:2002-07-07
North Myrtle Beach, SC
kudos:7 | It indicates just what the info states;
. Ensures software came from the software publisher
and
. Protects the software from alteration after publication
And I assume you downloaded and installed it before 10/1/2012
AND you know where it came from.
is that the IE or non IE version ?
»www.oldapps.com/flash_player.php···yer=8243
--
Gladiator Security Forum
»www.gladiator-antivirus.com/
|
|
| reply to MagnusM
I am ready for HTML5 to become ubiquitous so that everyone can dump Flash once and for all. There are already free and open codecs out there for the audio/video decoding. |
|
Name GamePremium
join:2002-07-07
North Myrtle Beach, SC
kudos:7 | I see it as a backup not a replacement
»en.wikipedia.org/wiki/Comparison···nd_Flash |
|
| Well the problem are the non-free codecs. The HTML5 specification originally listed the codecs to be used (Ogg/Theora). Of course this pissed off all the companies looking to make a dollar off their compression patents. And then you have M$ being M$ and refusing to support open formats in IE (all it supports is H.264). Meanwhile Firefox, Chrome and Opera all support WebM and Ogg/Theora. Google said they plan to drop support for H.264 all together in Chrome (which caused a lot of consternation from M$ bloggers).
This leaves IE and Safari as the only two major browsers not to support the free codecs.
Apple is actually on Google's side too, but they are afraid of patent trolls waiting to sue over the use of Theora/WebM, etc. Indeed Steve Jobs said publicly he is tired of Flash and wants to see HTML5 replace it. However, Apple does not want the HTML5 specification to require any specific codec. (And Apple has a point, as HTML does not specify image formats, for example). Therefore, Safari still only supports H.264 as of now.
Google purchased On2 which is a company that developed a competing codec known as VP8. On2 did this behind closed doors, so it was essentially just as closed and proprietary as H.264. But then Google bought them. What did Google do? They opened the source-code and made the codec royalty and license free (now known as WebM). Mozilla and Opera gave their full support to this move as did the Free Software Foundation.
So it all boils down to everyone having their own interests. It is not a technological problem at all. Ogg/Theora/WebM are fully capable of providing high quality audio/video over the web. It's more about trying to get various companies to stop treating free and open formats as the devil.
But we will probably be stuck with a bunch of competing formats for a number of years to come. A lot of sites may adopt HTML5 but many wont. So it will boil down to what your browser supports.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They dont want to change; they are happy with slowly dying inside. -- munky99999 |
|
StuartMWWho Is John Galt?Premium
join:2000-08-06
Galt's Gulch
kudos:2 Reviews:
·CenturyLink
| reply to Name Game
said by Name Game:The adobe cert purpose was to..
. Ensures software came from the software publisher
and
. Protects the software from alteration after publication
Exactly.
And to get back to the original topic the fact that a legitimate Adobe certificate was used to sign malware is important because
1) The package seems to originate from Adobe.
2) The package was not altered.
The whole point of digital signing is to show that the package is legitimate and can be trusted. If certs are stolen (as in the Microsoft case) or can be used for signing (Adobe case) they become useless IMO.
--
Don't feed trolls--it only makes them grow! |
|
 AVDRespice, Adspice, ProspicePremium
join:2003-02-06
Onion, NJ
kudos:1 | said by StuartMW:The whole point of digital signing is to show that the package is legitimate and can be trusted. If certs are stolen (as in the Microsoft case) or can be used for signing (Adobe case) they become useless IMO.
only if revoked
--
--Standard disclaimers apply.-- |
|
Name GamePremium
join:2002-07-07
North Myrtle Beach, SC
kudos:7 | reply to MagnusM
Post please if you personally first check the certs from any Adobe product before you install it.  |
|
AVDRespice, Adspice, ProspicePremium
join:2003-02-06
Onion, NJ
kudos:1 | said by Name Game:Post please if you personally first check the certs from any Adobe product before you install it.
it isn't automatic?
--
--Standard disclaimers apply.-- |
|
 leiboldPremium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:6
·SONIC.NET
| said by AVD:said by Name Game:Post please if you personally first check the certs from any Adobe product before you install it.
it isn't automatic? In most cases signature verification of a certificate against known certificate authorities is automatic since this can be done against a locally stored list of trusted CAs. Checking of CRLs (certificate revocation lists) is usually not automatic since it requires Internet access.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire! |
|
