dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
1993
share rss forum feed

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable
reply to chachazz

Re: Mozilla: Revoking Trust in Two TurkTrust Certificates

i mentioned this in the mozilla sub-forum..after installing FF 18, i don't see that the certificates in question were added to the list of other untrusted certificates, under "servers", so, as far as i can tell, to me, it looks like mozilla failed to "revoke trust" for the certificates that were suppose to have their trust revoked..

like others, i had to manually disable trust for the two "turktrust" certficates that are included in the list of valid certficates, under "authorities"..



Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
Reviews:
·TekSavvy DSL
·Shaw
·TELUS

Click for full size
Click for full size
Click for full size
said by redwolfe_98:

i mentioned this in the mozilla sub-forum..after installing FF 18, i don't see that the certificates in question were added to the list of other untrusted certificates, under "servers", so, as far as i can tell, to me, it looks like mozilla failed to "revoke trust" for the certificates that were suppose to have their trust revoked..

like others, i had to manually disable trust for the two "turktrust" certficates that are included in the list of valid certficates, under "authorities"..

I deleted the certs altogeter.
After updating to ff18, they are back but with no check boxes.
Guess I'll delete them again.

The certs listed in the "servers" column all say "do not trust".
Is that normal?


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

said by Cartel:

... The certs listed in the "servers" column all say "do not trust".
Is that normal?

Could it be that those certs are all actually set to "trust", but the prompted default trust option (if you select "edit") will always be the opposite of what the cert currently is on the assumption you will be wanting to edit or change it?
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville

Libra
Premium
join:2003-08-06
USA
kudos:1
Reviews:
·Verizon FiOS
reply to StuartMW

Thank you stuartMW for explaining that since they are built in I should untick them. (I also had the problem of highlighting the title.)

Am I suppose to be doing anything about the two different certificates I found in IE? I imagine everyone has them.

Sincerely, Libra



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Microsoft has a patch for the IE ones. You should get them via Windows Update.

»Microsoft untrusted certificate store update (Dec 31st)
--
Don't feed trolls--it only makes them grow!


Libra
Premium
join:2003-08-06
USA
kudos:1

Thank you. I'll keep my eye out for it - that might be the one listed in the Event Viewer!

Sincerely, Libra



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2



Well if you have the update installed you'll see that the two certs are untrusted.
--
Don't feed trolls--it only makes them grow!


Khaine

join:2003-03-03
Australia
reply to chachazz

SSL certificates are clearly a market failure. The Government should step in and start regulating this industry, by enforcing clear security requirements for any organisation who issues certificates.

The Australian Government has a framework for it's own Department's who issue certs, with annual certification requirements. Something similar should be extended for commercial entities.


Libra
Premium
join:2003-08-06
USA
kudos:1
Reviews:
·Verizon FiOS
reply to StuartMW


Untrusted publishers

continued

I don't see Turktrust listed anywhere?
I don't understand this. I have the roots certificate in Event Viewer:

Log Name: Application
Source: Microsoft-Windows-CAPI2
Date: 1/9/2013 12:20:20 PM
Event ID: 16
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: -PC
Description:
Successful auto update of disallowed certificate list with effective date:: Monday, December 31, 2012 6:50:01 PM;.
Event Xml:

16
0
4
0
0
0x80000000000000

21788

Application
MyVista-PC

Monday, December 31, 2012 6:50:01 PM

This is the Certificates Untrusted Publishers of IE:

Could Defense Wall prevent this certificate operation?

Sincerely, Libra

P.S. Thank you for the screenshot.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit

Not sure what the issue is. Are the certs under one of the "trusted" tabs?

If they're not anywhere at all then by default they'll be untrusted.
--
Don't feed trolls--it only makes them grow!


Libra
Premium
join:2003-08-06
USA
kudos:1

Thank you. I'll check that.


Libra
Premium
join:2003-08-06
USA
kudos:1
Reviews:
·Verizon FiOS

I just checked. Under Trusted Root Certificate Authorities, I have 5 Turktrusts listed. Three are for Serificat Hizmet Sag (bad one) and two are for Electronik Islem Hiz. Under Trusted Publishers I have nothing listed.

I don't think Defense Wall is behind this because I just checked another computer (7 64bit) and it also had the event showing the disallowed certificates updated and when I view IE 8 I have the same results as listed above. Defense Wall isn't on that computer.

It would be nice if these roots certificates worked as designed.

Sincerely, Libra


redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

libra, maybe you are confusing things.. this thread is about mozilla's supposedly removing the trust for some-or-all turktrust certificates.. what you are looking at, it seems, is the certificates for "IE", for "internet explorer"..

here is MS's advisory regarding the "bad" turktrust certificates:

»technet.microsoft.com/en-us/secu···/2798897

if you installed the certificate-update for IE, mentioned in the MS-advisory, you should see these added to IE's "untrusted publishers" (see the last entry in the advisory's FAQ's):

(1) *.google.com *.EGO.GOV.TR

(2) e-islem.kktcmerkezbankasi.org TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri

(3) *.EGO.GOV.TR TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri

that is all there is to it.. the three entries, posted above, should be included in IE's "untrusted publishers"..

with "firefox", again, it appears that mozilla failed to do anything about the bad turktrust certificates.. all you can do is edit-and-disable the "trust" for the two turktrust certficates, and hope that, one day, mozilla will get a clue as to which way is up..


Libra
Premium
join:2003-08-06
USA
kudos:1
Reviews:
·Verizon FiOS

I am definitely getting confused. I did change the two certificates in Pale Moon to untrusted. I don't have the three certicates you listed in IE as untrusted. I believe the untrusted list is being updated by what is listed in the Event Viewer.

I just made a copy of the instructions to view the certificate store in a snap in. I'll try that out on this computer later (I don't know the runtime on the other two to know if the instructions are the same.)

I appreciate your help with this.

Sincerely, Libra


redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

libra, here is a link to a MS webpage with links for downloading the update for the revoked certificates.. just download and install the "update" that is appropriate for your computer, depending on which windows operating system you are using:

»support.microsoft.com/kb/2798897


Libra
Premium
join:2003-08-06
USA
kudos:1
Reviews:
·Verizon FiOS

Thank you, thank you, thank you I installed that update and now I show the three untrusted publishers.

I still find it odd that Event Viewer said they were put into the computer. But I'm quite happy, with your help, to have them now listed.

I put the update on a flash drive and I'll run it on my other two computers.

Again, I appreciate your help. (I wasn't looking forward to trying to access that snap in.)

Sincerely, Libra