PART 4 of LAYERED SECURITY


INSTALLATION OF SIGNING AND TRUST CERTIFICATES


This is an overly simplified, non-technical presentation, but it should supply the necessary basic explanation.

For technical discussions, proper installation routines in NT-based OSs, and other information not found here, do an Internet search and use Microsoft's TechNet and Knowledge Base.

Try these:
Working with Certificates - MSDN printer friendly version
IE Blog on MSDN
931125 - Microsoft root certificate program members (January 2007)
General Search - Root Certificates on MSDN - This will supply the Microsoft provided details necessary for various OS installations, usage, tools, and related.


Though I lightly touched upon this elsewhere, we need to deal with some very real and potentially dangerous issues related to these certifications/signing certs. Any currently supported Microsoft operating system should be receiving periodic updates to its root certificates. For unsupported OSs, the issue becomes what or how to install any certificates into the unsupported environment.

REFERENCE discussion on News Group:
microsoft.public.win98.gen_discussion
discussion: root certificates in w98
Please refer to/search for this discussion for the relationships/aspects.

From what has already been posted and discovered, we can see that the "Chicago" version [Win9X, perhaps ME] of the download from the link I previously supplied, which is the basis of this discussion, coincides with the version presently being supplied to XP users.

The links referenced:
4702.htm What the file/update is
rootsupd.exe - the 9X Root Certificates update


Reasonably, we could presume that it likely contains the same updates and deletions that were in the XP version, as Microsoft produced, posted, and presented the file, and XP [per this date of 04/17/07] shows the same VERSION="11,0,2195,0" [see the discussion: root certificates in w98].

If you are personally interested, there should be a cached version on your XP system [unless you turned it off or reset a setting or two], though I'll not provide where or how.

OR,

If interested you could export/view the available certs in each OS and cross compare. The differences would come from any you have installed for personal use, such as for your company related activities, and sites/certs YOU THOUGHT were trustworthy [you installed or allowed to be installed], and whatever the newer update removed or added.
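One way to do that cross-comparison offline, as an added example that is not part of the original page: it matches exported .cer files by SHA-1 thumbprint, so the same root is recognised whether it was saved as binary DER or as Base-64 text and whatever the file was named. The byte strings, file names and folder names below are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(blob):
    """Return DER bytes whether the export was binary DER or Base-64 text."""
    m = PEM_RE.search(blob)
    return base64.b64decode(b"".join(m.group(1).split())) if m else blob

def thumbprint(blob):
    """SHA-1 over the DER bytes: the 'Thumbprint' field in the Windows viewer."""
    return hashlib.sha1(to_der(blob)).hexdigest().upper()

def compare_stores(store_a, store_b):
    """Stores map export file name -> file bytes; matching ignores the names."""
    a = {thumbprint(v): k for k, v in store_a.items()}
    b = {thumbprint(v): k for k, v in store_b.items()}
    return {
        "only_in_a": sorted(a[t] for t in a.keys() - b.keys()),
        "only_in_b": sorted(b[t] for t in b.keys() - a.keys()),
        "common": len(a.keys() & b.keys()),
    }

def as_base64(der):
    """Wrap DER bytes the way a Base-64 encoded X.509 (.cer) export looks."""
    body = base64.encodebytes(der)
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

# Constructed placeholder bytes standing in for exported certificates;
# they are NOT real certificates, only distinct inputs for the hash.
ROOT_A = b"\x30\x82" + b"constructed-root-A" * 8
ROOT_B = b"\x30\x82" + b"constructed-root-B" * 8
ROOT_C = b"\x30\x82" + b"constructed-root-C" * 8

# Hypothetical export folders: the same roots saved in different formats
# and under different file names, plus one extra root on the second system.
WIN98_EXPORT = {"rootA.cer": ROOT_A, "rootB.cer": as_base64(ROOT_B)}
XP_EXPORT = {"a.cer": as_base64(ROOT_A), "b.cer": ROOT_B, "extra.cer": ROOT_C}

REPORT = compare_stores(WIN98_EXPORT, XP_EXPORT)

if __name__ == "__main__":
    print(REPORT)
```

Any entry listed under only_in_a or only_in_b is a root that one system trusts and the other does not, which is the list to review by hand.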

Another way is to check these:

Check within the other OS's file [for 9X it is rootsupd]: does it contain exactly the same files as the one from the link provided?

Such as:

win95inf16.dll and win95inf32.dll;

advpack.dll version - 6.00.2600.0000

and the rootsupd.inf including this taken from the .inf:

[Version]
Signature = "$Chicago$"
Provider = %Msft%
AdvancedINF = 2.0,%AdvPack%
...
VERSION="11,0,2195,0"
Ver="011"
...
; Don't change this -- this is our unique GUID
GUID={EF289A85-8E57-408d-BE47-73B55609861A}

; Don't change these either
COMPID=Windows Roots Update
COMPName=RootsUpdate

; Same set of roots for all locales
LANG=*

- - -

You can also check this/these KEY(S) in the Hives/Registry:


HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}

AND,

HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates

The above indicates the rootsupd is for Win9X and the registry keys affected. Interestingly, the file was created around 01-31-07, and placed upon the download link [9X is unsupported], so this is quiet support from Microsoft in a fashion.
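The .inf check described above can be scripted; this is an added example, not Microsoft's tooling or code from the original page. It reads the identity fields from two rootsupd.inf texts, decides whether they are the same component and which is newer, and builds the Active Setup key named above. OTHER_INF and its version "10,0,2195,0" are constructed for illustration.

```python
ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components"

# The .inf excerpt as quoted on this page, blank lines removed, elisions kept.
PAGE_INF = """[Version]
Signature = "$Chicago$"
Provider = %Msft%
AdvancedINF = 2.0,%AdvPack%
...
VERSION="11,0,2195,0"
Ver="011"
...
; Don't change this -- this is our unique GUID
GUID={EF289A85-8E57-408d-BE47-73B55609861A}
; Don't change these either
COMPID=Windows Roots Update
COMPName=RootsUpdate
; Same set of roots for all locales
LANG=*
"""
# Constructed second package: a made-up lower version and an upper-cased GUID.
OTHER_INF = PAGE_INF.replace('"11,0,2195,0"', '"10,0,2195,0"').replace("408d", "408D")

def inf_values(text):
    """Collect key=value pairs, skipping sections, ';' comments and '...' lines."""
    values = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        values[key.strip().lower()] = value.strip().strip('"')
    return values

def version_tuple(text):
    """'11,0,2195,0' -> (11, 0, 2195, 0), so versions compare numerically."""
    return tuple(int(part) for part in text.split(","))

def compare_packages(inf_a, inf_b):
    """Return 'same', 'a_newer', 'b_newer' or 'different_component'."""
    a, b = inf_values(inf_a), inf_values(inf_b)
    if a["guid"].upper() != b["guid"].upper():   # GUID case is not significant
        return "different_component"
    va, vb = version_tuple(a["version"]), version_tuple(b["version"])
    return "same" if va == vb else ("a_newer" if va > vb else "b_newer")

def active_setup_key(inf_text):
    """Registry key (as given on this page) that records this component."""
    return ACTIVE_SETUP + "\\" + inf_values(inf_text)["guid"]
```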


Installation of certificates also brings with it an indication of the potential problems with any other posted *certification* trust collections or individual site installations.

EXAMPLE: USING SECURED EMAIL CERTIFICATIONS INSTALLED:

Your system would have - private access - certificates installed, which if you publish them, could or more accurately would land you in legal trouble. Though likely you have some ability [authorized usage] to export them for company related use such as in another OS or client [check whether you are authorized first], you do NOT have authority to publicly expose them, or offer them to others.


The other aspect runs in this fashion; let's think of this from a hacker's view:

In this, the attacker adds a few certifications to the root trust base which would allow them to install or use their hacks upon anyone's system who had installed that version of root certifications or installed on-site certs. Any number of potential issues then become a very real possibility, as these activities would be checked against the root base [and/or other installed certs] and be found as signed, trusted, and usable/runnable activities. If you review inside the base you will find that it contains the type/style of activity it is supposedly signing/trusting, e.g., the activities allowed upon your system.

REMEMBER:

Activities which use ActiveX, Direct Play, Java, Flash, and at times scripting [among other potentials] are, or should be, checked against the certification base. If the activity comes as allowed via the base [installed trust certs], the activity would not necessarily be stopped by any security settings, anti-virus, or anti-spyware programs upon the target computer, network, server, or other. For instance: Sun's Java {if I remember correctly} installs an additional base of signed/allowed activities [its own trust base for Java activities]. NT-based systems have increased abilities to control, but can still be compromised.

Continuing with the secured email aspect:

You were allowed certs installation to access SECURE email via SSL [think Secure Socket Layer], which is one of the supposed MOST trusted activities on the Internet or network.

Let's say for review, that you had also installed fake SSL certificates [or other signed and related certs] from some hacker. So accessing the secured site using this faked certification [or the other hack certs] would seem to be protecting you from attacks which may include: ID theft; bank account numbers; pins; passwords; etc., however, in reality you are providing that information directly to the hacker, if/when *hooked* through some BHO or other code/server side include/etc., because your signing/trust base has been compromised and allows this activity.

In this instance, the company's protected and secure email may be exposed, or the hack keys be used in conjunction with actual trusted keys [keys being trusted activities], to authorize access to other areas of the company's system via the SSL and some server code or other installed hack. Or potentially, every trusted aspect of your system and activity could be transmitted, or used. Any activity which needs authorization from these certificates would receive it.

There are numerous other aspects, but much more than this and I would be supplying beginning hackers with information they shouldn't have.


THEREFORE, always make sure you check EVERY installation of signing/trust certificates. NEVER install any from untrusted or questionable sources, unless you are absolutely sure you can trust it. YOU will then be responsible for any and ALL activities related to those installed certs and what they potentially can do to your system and/or network.

IF/WHEN accessing a site which attempts to install a new trust certificate, make sure you check ALL aspects of the cert BEFORE installing it. To check the certification, use the install tool [Security Pop-up or other browser or OS tool] and its included viewing mechanism to check for:

You can choose different formats to export some of the data, do that. Review that information carefully.

You can generally enter the site/area without installing the certificate [click through], though I would recommend copying the above information and checking the Internet for any problems or issues BEFORE entering, and particularly before installing the certificate. Remember, you authorised entry and use on that site, and you are at the site's mercy.

OR preferably,

If you can download the certificate instead, do so. You can also check your - Temporary Internet Files - folder/directory for the file before leaving the site, should it already be downloaded there. This gives you the opportunity to pull apart the file(s) [hex view, resources, etc.] and check all of their contents.

If it is downloaded and/or saved with the .cer file extension, then AFTER checking it carefully you can - right click - the file and it should show - Install Certificate - [Win9X]; use that to install it. If not, just re-access the site and install from there.

NT based systems would likely require [and should require] administrator access for this system installation. See the MSDN search query link above for the various NT operating systems and servers, and what must be followed.


IN SUMMARY


This aspect is an area which only you or your company/business policies can control. It has numerous benefits, but also the potential to be EXTREMELY dangerous to your security. This is [part of] the BASE TRUST used within the system/network.
Make sure you know exactly what you're doing and allowing; do not blindly trust or install any questionable certificates and/or certifications, and make sure to check for any revoked or compromised certificates/certifications. This is the trust basis for your system; when it is compromised, you will have little control.


Other Parts of Layered Security necessary for Internet usage.
SEE: FIREWALLS - WHY YOU NEED ONE AND WHAT TO DO
SEE: Anti-spyware programs as part of Layered Security
SEE: ANTI-VIRUS Programs as part of your Layered Security
SEE: GENERAL WINDOWS NETWORKING DIAGNOSTICS AND SETUP
SEE: Diagnosing Windows problems - Part 1
SEE: Part 2 - Diagnosing Windows Problems

After support end information for 98
SEE: END OF SUPPORT FOR WINDOWS 98 AND MILLENNIUM. WHAT DO I DO?
SEE: Manually updating a new installation of Windows 98SE

