  #1 iNET Interactive, Seattle, WA

    Getting a handle on security certificates

    TOP STORY

    By Susan Bradley

    We rely on SSL certificates for safe Web surfing and secure online transactions; but how many of us understand the issues surrounding security certs — or those related error messages? Here's what you need to know about SSL certificates — and how update KB 2661254 helps solve certificate problems.

    The full text of this column is posted at windowssecrets.com/top-story/getting-a-handle-on-security-certificates/.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

  #2 New Lounger, Viola, Delaware, USA

    Certificate size vs encoding key size

    " you'll see that the browser has a cipher strength of 256 bits — significantly fewer than the 1024 bits we now require for SSL certificates"

    The certificate's public key's size has nothing to do with the 'cipher strength'. The certificate's public key is a large prime number and should be big enough to make it hard to find the related private key. Deriving the private key allows the creation of bogus certificates but so far it's been easier to steal private keys.

    The cipher key size, which is used to encode the data, has no relationship to the certificate's public key size, and we are not being cheated as a result. I would trust a strong 256-bit cipher over the weaker 1024-bit certificate.

    "it's inadequate to protect certificates." - nothing but the size of the public key protects the certificates, since they are sent in plain text during the SSL/TLS handshake.

    "But why stop at 2048-bit encryption? Why not double that? Or triple it?"

    This is regulated by US export limitations on cryptography by the US departments of Commerce and State and not necessarily by computing capacity.

    There are stronger unfettered crypto libraries written outside the US which US companies can't use in their own products for export. It's all kind of silly.

  #3 New Lounger, Tampere, Pirkanmaa, Finland

    In the typical twisted Microsoft fashion, evidenced in coding samples where comparisons are written in inverted order (3 == x), the question in the mixed-mode page security warning is inverted: "do you want to view ONLY the webpage content that was delivered securely?" Susan's suggested answer (she gives no reason why she recommends it and presents the consequences of that choice wrongly) leads to ALL CONTENT being shown and is often the correct answer. The default answer of Yes means to skip non-secure content and is the safest option, of course. But it may miss crucial parts of the information, which is why you went to the broken page in the first place.

  4. The Following User Says Thank You to stedi For This Useful Post:

    BruceR (2012-11-22)

  #4 Star Lounger, Toronto, ON, Canada

    OK - I've been putting off this conversation for a long time, because it's hard to post something that points to you being too dumb to live.

    Thing is, I just haven't updated my system regularly for more than a decade since I've got programs I run that are probably from the mid 90s that I still like to use and updates just can mess my system up royally.

    So when something like this comes along where I know I should do it, I don't know how.

    If I click on those KB links that Susan puts in the articles, I can't find anything to download on the page it takes you to, and if I go to the security centre, I don't know how to find the thing she's talking about, as the KB #s don't seem to take you there.

    Can someone please, in small steps, show me how to get from what Susan talks about to where I can actually download that particular thing?

    Thank you so much . . .

  #5 Super Moderator, New England

    Quote Originally Posted by cybercrone:
    If I click on those KB links that Susan puts in the articles, I can't find anything to download on the page it takes you to, and if I go to the security centre, I don't know how to find the thing she's talking about, as the KB #s don't seem to take you there.

    Can someone please, in small steps, show me how to get from what Susan talks about to where I can actually download that particular thing?
    After the KB 2661254 link, click on Suggested Actions, then the link where it says See Microsoft Knowledge Base Article 2661254 for download links to the update packages.

    Bruce

  #6 Lounge VIP bobprimak, Hinsdale, IL, USA

    Quote Originally Posted by cybercrone:
    OK - I've been putting off this conversation for a long time, because it's hard to post something that points to you being too dumb to live.

    Thing is, I just haven't updated my system regularly for more than a decade since I've got programs I run that are probably from the mid 90s that I still like to use and updates just can mess my system up royally.

    So when something like this comes along where I know I should do it, I don't know how.

    If I click on those KB links that Susan puts in the articles, I can't find anything to download on the page it takes you to, and if I go to the security centre, I don't know how to find the thing she's talking about, as the KB #s don't seem to take you there.

    Can someone please, in small steps, show me how to get from what Susan talks about to where I can actually download that particular thing?

    Thank you so much . . .
    If you have legacy software which you really don't want to mess with (which I can understand completely) you really do not want to use the same physical (or virtual) OS to do anything online for which security may be an issue. Susan's patching advice will be of no use to your situation, even if you can get this one patch downloaded and installed. The one patch alone will do nothing to make your otherwise unpatched OS safer to use at secure websites.

    Your choices include:

    >You can continue to use the machine which does not get updated, and risk your online security. Unacceptable!

    >You can convert the older configuration which you do not want to update to a Virtual Machine (or Virtual Hard Drive in Windows 8 Pro) and run it inside a secure OS. This (if you can do it) is reasonably safe, but you would still not want to do anything requiring secure connections from the Virtual OS. For those sites, connect through a fully patched Host OS and its browser. Save the Legacy Virtual OS for those tasks which require the older software which cannot be updated.

    >Or you can multiboot, but remember, one side of a multiboot can often see the other side and make changes. Hiding the non-active partition may help, but it is not failsafe. I do multiboot, and have not had issues with security problems jumping from the newer (more secure) OS to the older (out of date) OS. Your mileage may vary.

    Of these methods, probably the easiest and safest would be to get a new computer with an OS and software you will faithfully update, and use that computer for sensitive transactions. Second-easiest is to mount the old OS as a Virtual Machine/ Virtual Hard Drive into a newer OS which will be faithfully updated. And use the newer OS for secure sites.

    Multibooting, and possibly using a second physical hard drive for the second OS, is more complicated, but might actually in this case yield the best results. Keeping the more vulnerable OS on a separate physical drive should minimize any chance of cross-contamination, and will still allow reasonably fast boot times and smooth switching between the two OSes. If the more modern OS supports UEFI Fast-Booting, the transition may be faster still.

    Anyway, that's what I would suggest if you have an OS with software which cannot be updated. Maybe someone else has a better suggestion.
    Last edited by bobprimak; 2012-11-23 at 13:50.
    -- Bob Primak --

  #7 Super Moderator, New England

    Quote Originally Posted by cybercrone:
    ... and if I go to the security centre, I don't know how to find the thing she's talking about, as the KB #s don't seem to take you there.
    Susan insists on putting a space between KB and the number. Microsoft insists on not doing so. I believe they conspire to mess with our minds.

    Bruce

  #8 New Lounger, Shawnee Mission, Kansas, USA

    Security Warning Advice

    As mentioned below by cybercrone, the message shown in Figure 5 of Susan's latest column is confusing at best. The recommendation to select No appears to have the opposite of the desired result. A careful reading of the message would indicate that Yes will be a more secure choice. Has Microsoft documented this cryptic action anywhere?

  #9 Super Moderator, New England

    Quote Originally Posted by DanMcC:
    As mentioned below by cybercrone, the message shown in Figure 5 of Susan's latest column is confusing at best. The recommendation to select No appears to have the opposite of the desired result. A careful reading of the message would indicate that Yes will be a more secure choice.
    Yes, that's what stedi pointed out at #3.


    Quote Originally Posted by DanMcC:
    Has Microsoft documented this cryptic action anywhere?
    I can't find the IE8 and earlier version, “Do you want to view only the webpage content that was delivered securely?”, except in hundreds of questions to Microsoft.

    But the IE9 and IE10 equivalent, “Only secure content is displayed”, is documented: KB2625928

    It's ironic that the article page produces these prompts, and Susan says, "It would be best if websites never included unsecured information on a page containing SSL transactions."!

    Bruce

  #10 New Lounger, Naples, Florida, USA &amp; Bury, UK

    Is there any way to view a list of installed updates by KB number? The article mentions KB 931125, but I have no idea how to check if it is already installed. I am not prepared to wade through the full list of installed updates looking for the KB number at the extreme right of the name. Why does Microsoft not list the number as a separate item from the name?

  #11 Super Moderator, New England

    Quote Originally Posted by kenormson:
    Is there any way to view a list of installed updates by KB number? The article mentions KB 931125, but I have no idea how to check if it is already installed. I am not prepared to wade through the full list of installed updates looking for the KB number at the extreme right of the name. Why does Microsoft not list the number as a separate item from the name?
    WinUpdatesList

    Bruce

  13. The Following User Says Thank You to BruceR For This Useful Post:

    kenormson (2013-11-17)
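    An added example, not from the thread and not part of WinUpdatesList: a PowerShell function (the name Test-KbInstalled is made up here) that answers kenormson's question with the built-in Get-HotFix cmdlet, accepting the KB number with or without the space that post #7 jokes about.

```powershell
# Added example (not from the thread): report whether given updates are
# installed, looked up by KB number via the built-in Get-HotFix cmdlet
# (Windows 7 / PowerShell 2.0 and later). Function name is hypothetical.
function Test-KbInstalled {
    param(
        # Accepts "KB 931125", "KB931125" or a bare "931125": the column writes
        # the number with a space, Microsoft without, so both are normalized.
        [Parameter(Mandatory = $true)]
        [string[]]$KbNumber
    )

    # Query the installed hotfixes once and index them by bare digits.
    $installed = @{}
    foreach ($fix in Get-HotFix) {
        $id = $fix.HotFixID -replace '[^0-9]', ''
        if ($id) { $installed[$id] = $fix }
    }

    foreach ($kb in $KbNumber) {
        $digits = $kb -replace '[^0-9]', ''
        if (-not $digits) {
            Write-Warning "Not a KB number: '$kb'"
            continue
        }
        $hit  = $installed[$digits]
        $when = $null
        if ($hit) { $when = $hit.InstalledOn }
        New-Object PSObject -Property @{
            KB          = "KB$digits"
            Installed   = [bool]$hit
            InstalledOn = $when
        }
    }
}

# The two updates named in the column and in this thread, one written each way.
Test-KbInstalled -KbNumber 'KB 931125', 'KB2661254' |
    Format-Table KB, Installed, InstalledOn -AutoSize
```

    Get-HotFix reads the Win32_QuickFixEngineering class, which only lists updates recorded by Component-Based Servicing, so an update reported as not installed here can still appear in Control Panel's Installed Updates list or in WinUpdatesList.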
