Page 1 of 3 123 LastLast
Results 1 to 15 of 31
  1. #1
    iNET Interactive
    Join Date
    Jan 2010
    Location
    Seattle, WA, USA
    Posts
    228
    Thanks
    0
    Thanked 9 Times in 8 Posts

    Certificate cleanup for most personal computers




    TOP STORY

    Certificate cleanup for most personal computers


    By Susan Bradley

    A little Dutch company potentially lets a flood of problems into our Windows machines.

    The company manages digital certificates; after its recent break-in by hackers, security certificates for Mozilla, Yahoo, WordPress, and other sites are now suspect.

    The full text of this column is posted at WindowsSecrets.com/top-story/certificate-cleanup-for-most-personal-computers/ (opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

  2. Subscribe to our Windows Secrets Newsletter - It's Free!

    Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!

    Excel 2013: The Missing Manual

    + Get this BONUS — free!

    Get the most of Excel! Learn about new features, basics of creating a new spreadsheet and using the infamous Ribbon in the first chapter of Excel 2013: The Missing Manual - Subscribe and download Chapter 1 for free!

  3. #2
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    An excellent post Susan and one that XP users should take notice of.

    I've been tracking the publicity surrounding DigiNotar's breach for a few days and I find it utterly shocking that the original breach occurred months ago but they did nothing about the problem and subsequently issued over 500 fraudulent certificates.

    What does that mean? Well for machines with the bogus DigiNotoar certificates installed, one could browse to a spoofed site and have no indication that it was compromised. Worse, man-in-the middle attacks have allegedly already been mounted on thousands of Gmail accounts as a result. The cat is well and truly out of the bag and many other fraudulent certificates for Yahoo, Microsoft, Aol, Worpress, Logmein, Facebook and many others and others have also been issued. See this disclosure post and its attachment listing the bogus certificates.

    I strongly urge anyone running XP to follow Susan's post and manually revoke DigiNotar's certificates. Vista and Win7 machines should automatically revoke the certificates, but even then people should update their browsers to be sure of locking out any of the fraudulent certificates. A big hole in the protection and cleanup process is Apple, who are silent on what is being done to protect their users. That discussion point is however perhaps left for a different forum.

  4. #3
    New Lounger
    Join Date
    Aug 2010
    Location
    San Antonio
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    This cetificate problem I believe caused major havoc with me. Over the weekend cyber criminals wiped out my checking account and I am still $250 in the hole. Sure the bank will make good but it is a hassle. I installed the MS patch to remove the certificate and it was still there (even after reboot). Following what Susan mentioned I manually removed it and ignoriing what MS tried to warn me about.

  5. #4
    Star Lounger
    Join Date
    Oct 2002
    Location
    Blue Mountains, New South Wales, Australia
    Posts
    52
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Frustrating - I cannot see how to install the KB patch without installing Windows Genuine Advantage tool. I am nervous about this as potential spyware from Microsoft. Is there some other way of getting the KB update?

  6. #5
    New Lounger
    Join Date
    May 2011
    Location
    Liberty Hill, TX
    Posts
    8
    Thanks
    0
    Thanked 2 Times in 2 Posts
    certs.jpg

    I installed KB2607712 yesterday, took a look at my Trusted Root Certificates this morning and there are still 2 DigiNotar certs there. I thought the patch was supposed to remove them?

  7. The Following User Says Thank You to korollyn For This Useful Post:

    franky5 (2011-09-08)

  8. #6
    New Lounger
    Join Date
    Sep 2011
    Location
    Florida
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    After installing kb 2607712 & restarting (3) xp machines, the diginotar certs were still there. In (2) win 7 machines, these certs had been moved to 'untrusted' certs (there were 6 diginotar certs in all). It's not clear what kb 2607712 is supposed to do, since it didn't remove any of these certs in my xp and win7 machines. Anyone else have this problem?

  9. #7
    New Lounger
    Join Date
    Jun 2010
    Location
    Moneta, VA
    Posts
    1
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Certificate cleanup-KB 2607712 Did not remove

    Susan,
    I installed KB 2607712 on Wednesday, 9/7, and did the reboot but when I followed your instructions this morning the DigiNotar certificate was still on my computer (Windows XP). I guess the patch didn't work 100%. Your instructions did clean it up, however.

  10. #8
    New Lounger
    Join Date
    Dec 2009
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Certificate cleanup-KB 2607712 Did not remove

    FYI.

    On XP (SP3) machine, Digitar Root CA certificate was still present after install of KB. Total of five Digitar certs were listed in "untrusted publisher" list. Not prompted for restart, so I did one anyway and still showed in trusted list.

    Removed straggler from Trusted list, rebooted and it was still gone and all five remained in "untrusted publisher" list.

  11. #9
    New Lounger
    Join Date
    Sep 2011
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Installed the Kb. Went to IE and still found 2 certificates from Digitar but the only options that were availabe were to import or export. The remove button was not highlighted and could not be accessed. I have a win7 os and IE9.

    Any suggestions??? Thank you

  12. #10
    New Lounger
    Join Date
    Dec 2009
    Location
    West Virginia, USA
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts

    KB 2607712 Did not remove DigiNotor Certificates

    Same here. Installed the KB and it added 5 DigiNotor certificates to the Untrusted Publishers tab but did not remove the two DigiNotor certs from the Trusted Root Certification Authorities tab. If they are in the Untrusted tab does that negate the ones in the Trusted tab or do I need to remove them from there as well? Plan on removing them just to be safe, but I was just wondering.

  13. #11
    New Lounger
    Join Date
    Feb 2010
    Location
    Western Kentucky
    Posts
    11
    Thanks
    0
    Thanked 0 Times in 0 Posts

    XP easier way to remove the certificates?

    Right click on your IE icon on the desktop, select properties... then select the Content tab... half way down select the Certificates button....in the certificates listing area, tab the menu to the right to "Trusted Root Certification Authorities" and select it. Then scroll down the list of certificates and if the suspected Diginotar entries are listed, select them and press the remove button. This was a little quicker for me and I believe accomplished the same thing since I'm doing more then 1 computer. With Win7, will have to open IE , then select the tools icon (alt+x) and goto internet options, then basically do the same thing as above to check if removed or not.

  14. #12
    New Lounger
    Join Date
    Sep 2011
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    In my WXP SP3 PC, I had 1 DigiNotar cert in Firefox, and per suggestions in various articles, I updated FF (from 3.6.20 to 3.6.22), and now there are 6 DigiNotar certs in FF!! Also, as others mentioned, here is my experience with IE: The Windows Secrets article includes WXP in the list of OSs that would be cleaned up with KB update 2607712, but it gives the manual methods also for WXP, so I’m assuming there is an error in Susan Bradley’s article since the Windows update did NOT remove the DigiNotar root cert: DigiNotar Root CA, Expiration 5/14/2027. I did find 5 DigiNotar Certs in the Untrusted Publishers store (although I didn’t look there before the MS KB update 2607712). I will remove the DigiNotar cert in IE manually; however, I'd appreciate knowing what others experienced with the Firefox update.

  15. #13
    New Lounger
    Join Date
    Sep 2011
    Location
    Las Vegas, NV
    Posts
    8
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Thank you for the information. I just read the post on Cnet about the compromise of "GlobalSign". Looks like something everyone needs to keep check on by keeping up to speed with the most recent available security news. Thank you again for the information.

  16. #14
    New Lounger
    Join Date
    Jun 2010
    Location
    Fort Worth, TX
    Posts
    16
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Trusted Security Certificates root certificates

    Susan Bradley's article about removing root certificates, presented another twist fo ther view of my computer's certificates. About one third of the certificates were outdated, yet they remain in the system.

    How can I determine what should remain- if any of the outdated certificates? Some were expired as early as 1999.

  17. #15
    4 Star Lounger
    Join Date
    Dec 2009
    Location
    London
    Posts
    524
    Thanks
    195
    Thanked 2 Times in 2 Posts
    Reading the comments about kb2607712 not removing the offending entries I tried to manually delete any on the wife's PC, but frustrated as Vista doesn't have a 'run' command and search was unable to locate mmc.exe.

    None found on my XP machine

Page 1 of 3 123 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •