• Certificate cleanup for most personal computers

    #478841


    TOP STORY

    Certificate cleanup for most personal computers

    By Susan Bradley

    A little Dutch company potentially lets a flood of problems into our Windows machines.

    The company manages digital certificates; after its recent break-in by hackers, security certificates for Mozilla, Yahoo, WordPress, and other sites are now suspect.


    The full text of this column is posted at WindowsSecrets.com/top-story/certificate-cleanup-for-most-personal-computers/ (opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1296851

      An excellent post Susan and one that XP users should take notice of.

      I’ve been tracking the publicity surrounding DigiNotar’s breach for a few days and I find it utterly shocking that the original breach occurred months ago but they did nothing about the problem and subsequently issued over 500 fraudulent certificates.

      What does that mean? Well, for machines with the bogus DigiNotar certificates installed, one could browse to a spoofed site and have no indication that it was compromised. Worse, man-in-the-middle attacks have allegedly already been mounted on thousands of Gmail accounts as a result. The cat is well and truly out of the bag, and many other fraudulent certificates for Yahoo, Microsoft, AOL, WordPress, LogMeIn, Facebook and many others have also been issued. See this disclosure post and its attachment listing the bogus certificates.

      I strongly urge anyone running XP to follow Susan’s post and manually revoke DigiNotar’s certificates. Vista and Win7 machines should automatically revoke the certificates, but even then people should update their browsers to be sure of locking out any of the fraudulent certificates. A big hole in the protection and cleanup process is Apple, who are silent on what is being done to protect their users. That discussion point is however perhaps left for a different forum.

      • #1296878

        This certificate problem I believe caused major havoc with me. Over the weekend cyber criminals wiped out my checking account and I am still $250 in the hole. Sure the bank will make good but it is a hassle. I installed the MS patch to remove the certificate and it was still there (even after reboot). Following what Susan mentioned I manually removed it, ignoring what MS tried to warn me about.

    • #1296891

      Frustrating – I cannot see how to install the KB patch without installing Windows Genuine Advantage tool. I am nervous about this as potential spyware from Microsoft. Is there some other way of getting the KB update?

    • #1296910

      I installed KB2607712 yesterday, took a look at my Trusted Root Certificates this morning and there are still 2 DigiNotar certs there. I thought the patch was supposed to remove them?

      • #1296918

        After installing kb 2607712 & restarting (3) xp machines, the diginotar certs were still there. In (2) win 7 machines, these certs had been moved to ‘untrusted’ certs (there were 6 diginotar certs in all). It’s not clear what kb 2607712 is supposed to do, since it didn’t remove any of these certs in my xp and win7 machines. Anyone else have this problem?

        • #1296927

          Susan,
          I installed KB 2607712 on Wednesday, 9/7, and did the reboot but when I followed your instructions this morning the DigiNotar certificate was still on my computer (Windows XP). I guess the patch didn’t work 100%. Your instructions did clean it up, however.

          • #1296944

            FYI.

            On XP (SP3) machine, DigiNotar Root CA certificate was still present after install of KB. Total of five DigiNotar certs were listed in “untrusted publisher” list. Not prompted for restart, so I did one anyway and still showed in trusted list.

            Removed straggler from Trusted list, rebooted and it was still gone and all five remained in “untrusted publisher” list.

            • #1296951

              Installed the KB. Went to IE and still found 2 certificates from DigiNotar but the only options that were available were to import or export. The remove button was not highlighted and could not be accessed. I have a Win7 OS and IE9.

              Any suggestions??? Thank you

            • #1296966

              Right click on your IE icon on the desktop, select Properties… then select the Content tab… halfway down select the Certificates button… in the certificates listing area, tab the menu to the right to “Trusted Root Certification Authorities” and select it. Then scroll down the list of certificates and if the suspected DigiNotar entries are listed, select them and press the Remove button. This was a little quicker for me and I believe accomplished the same thing since I’m doing more than 1 computer. With Win7, will have to open IE, then select the tools icon (Alt+X) and go to Internet Options, then basically do the same thing as above to check if removed or not.

    • #1296963

      Same here. Installed the KB and it added 5 DigiNotar certificates to the Untrusted Publishers tab but did not remove the two DigiNotar certs from the Trusted Root Certification Authorities tab. If they are in the Untrusted tab does that negate the ones in the Trusted tab or do I need to remove them from there as well? Plan on removing them just to be safe, but I was just wondering.
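
Several posters above checked by hand whether DigiNotar entries were still in the trusted list after the update. The same check as a read-only PowerShell script, added here as an example and not taken from the column or from any poster; the store names are the ones the built-in Cert: provider uses, and the name pattern is an assumption you can change.

```powershell
# Read-only audit: lists certificates matching $Pattern that are still in a
# trusted Windows store and notes whether the same thumbprint is also in the
# Untrusted Certificates store. Firefox keeps its own store and is not covered.
$Pattern       = 'DigiNotar'               # name taken from the thread
$Locations     = 'LocalMachine', 'CurrentUser'
$TrustedStores = 'Root', 'AuthRoot', 'CA'  # provider names for the trusted stores

function Get-MatchingCert {
    param([string]$Location, [string]$Store, [string]$Name)
    $path = "Cert:\$Location\$Store"
    if (-not (Test-Path $path)) { return }
    Get-ChildItem $path | Where-Object {
        $_.Subject -like "*$Name*" -or $_.Issuer -like "*$Name*"
    }
}

# "Disallowed" is the provider's name for the Untrusted Certificates store.
$blocked = @{}
foreach ($loc in $Locations) {
    Get-MatchingCert $loc 'Disallowed' $Pattern |
        ForEach-Object { $blocked[$_.Thumbprint] = $true }
}

# CurrentUser views can include machine-wide entries, so one certificate
# may be reported under both locations.
$report = foreach ($loc in $Locations) {
    foreach ($store in $TrustedStores) {
        Get-MatchingCert $loc $store $Pattern | ForEach-Object {
            New-Object PSObject -Property @{
                Location    = $loc
                Store       = $store
                Subject     = $_.Subject
                NotAfter    = $_.NotAfter
                Thumbprint  = $_.Thumbprint
                AlsoBlocked = $blocked.ContainsKey($_.Thumbprint)
            }
        }
    }
}

if ($report) {
    $report | Select-Object Location, Store, AlsoBlocked, NotAfter, Thumbprint, Subject |
        Format-List
} else {
    "No certificate matching '$Pattern' is left in the trusted stores checked."
}
```

The script changes nothing; run it before and after a cleanup and compare the two listings.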

    • #1296979

      In my WXP SP3 PC, I had 1 DigiNotar cert in Firefox, and per suggestions in various articles, I updated FF (from 3.6.20 to 3.6.22), and now there are 6 DigiNotar certs in FF!! Also, as others mentioned, here is my experience with IE: The Windows Secrets article includes WXP in the list of OSs that would be cleaned up with KB update 2607712, but it gives the manual methods also for WXP, so I’m assuming there is an error in Susan Bradley’s article since the Windows update did NOT remove the DigiNotar root cert: DigiNotar Root CA, Expiration 5/14/2027. I did find 5 DigiNotar Certs in the Untrusted Publishers store (although I didn’t look there before the MS KB update 2607712). I will remove the DigiNotar cert in IE manually; however, I’d appreciate knowing what others experienced with the Firefox update.

      • #1296981

        Thank you for the information. I just read the post on Cnet about the compromise of “GlobalSign”. Looks like something everyone needs to keep check on by keeping up to speed with the most recent available security news. Thank you again for the information.

        • #1296986

          Reading the comments about kb2607712 not removing the offending entries I tried to manually delete any on the wife’s PC, but frustrated as Vista doesn’t have a ‘run’ command and search was unable to locate mmc.exe.

          None found on my XP machine

          • #1296991

            Reading the comments about kb2607712 not removing the offending entries I tried to manually delete any on the wife’s PC, but frustrated as Vista doesn’t have a ‘run’ command and search was unable to locate mmc.exe.

            None found on my XP machine

            Have you tried typing mmc in the start menu search box? Do you have indexing turned on?

            The Run command is not visible by default in Vista, but you can restore it to view by doing the following: Right click the Start Orb and select Properties. This should bring up the Start Menu tabbed page on the Taskbar and Start Menu Properties sheet. Click the Customize button. Scroll down on the resulting page of options to locate the Run Command check box and place a check in the box. Click OK and you will then see the Run command on the right panel of the Start Menu. Type in mmc or mmc.exe in the Run command box and press Enter. It works on my Vista laptop.

            I can also type mmc in the start menu search box to start mmc.exe as well.

            Hope this helps.

          • #1297364

            My Network has a few XP systems on it, but I am not a company that does business on the Internet, or buys certificates. Do I have anything to be concerned about if I make purchases online?

            Sloke

            • #1297369

              You don’t need to purchase an ssl certificate for your company for this to impact.

              Take a look at the list of certificates linked at the bottom of this article. They include certificates for Google, Microsoft, AOL, Paypal, Yahoo, Equifax, Twitter, Skype, Logmein, WordPress, Mozilla, Live and many others.

              These were signed as valid by DigiNotar, but are fraudulent.

              If any of your users use any of those services from within your network, they could be putting your systems at risk.

              Distrusting the DigiNotar Root CA’s removes that risk.

          • #1298166

            I found no certificates listed at all. I have WXP Home. How should I fix this?

      • #1297029

        I had the same experience with Firefox. I updated a few minutes ago. Checked the version and checked the Firefox blog. DigiNotar was supposed to be completely removed and untrusted. But, there were 6 certs all in the trusted tab. I had to manually remove them. All had been untrusted in IE9 as well as Win7. I’m disappointed with Firefox. Had it not been for Susan’s timely article, I would not have known to look…and look again after the update.

    • #1296983

      Susan Bradley’s article about removing root certificates presented another twist for the view of my computer’s certificates. About one third of the certificates were outdated, yet they remain in the system.

      How can I determine what should remain- if any of the outdated certificates? Some were expired as early as 1999.

      • #1296987

        Susan Bradley’s article about removing root certificates presented another twist for the view of my computer’s certificates. About one third of the certificates were outdated, yet they remain in the system.

        How can I determine what should remain- if any of the outdated certificates? Some were expired as early as 1999.

        Since the certificates have expired, they should not pose any problem. But you should be able to delete them if you desire.

        Be careful not to delete any active ones other than the DigiNotar certificate.

    • #1297091

      I found the bad ones and deleted them. When I went to close it, I was asked if I wanted to save the file and somehow I clicked “NO”. Poof, I deleted the entire Console Root! Anyone know how I can reverse this? I tried System Restore to yesterday’s date and that didn’t work???

      Thanks,
      Bill



      • #1297113

        I found the bad ones and deleted them. When I went to close it, I was asked if I wanted to save the file and somehow I clicked “NO”. Poof, I deleted the entire Console Root! Anyone know how I can reverse this? I tried System Restore to yesterday’s date and that didn’t work???

        Thanks,
        Bill

        Don’t worry about it. You can run mmc.exe again and add the snap-in again.

        The save option allows you to save the current console for easy access in the future and is normally only used by systems administrators or advanced users who may need day to day access to the tools within the console.

        EDIT: If you have used system restore you may have brought these certificates back into life. I’d recommend that you follow the delete instructions again just to be sure.

        • #1297139

          Hi Browni,
          Thank you so much for your reply. I did as you suggested and everything went back to normal. I then deleted the 2 digiNotar files and saved it. I really panicked as I thought I had really screwed up my puter. I fix 90% of problems myself but when I get stumped or really do damage (LOL) I run it to my local guy. I rarely mess with Administrative tools. I have also subscribed to this newsletter for many many years, way back to when it was just Freds and have followed hundreds of tips since then.

          Just one more question????? There are still 2 more files labeled ‘DigiCert’. One is Assured ID Root CA, one Global Root CA and one High Assurance EV Root CA. Are these associated with DigiNotar? If so should I delete them as well? See attached screen shot.

          Thanks again,
          Bill

          • #1297381

            Just one more question????? There are still 2 more files labeled ‘DigiCert’. One is Assured ID Root CA, one Global Root CA and one High Assurance EV Root CA. Are these associated with DigiNotar? If so should I delete them as well?

            Hi Bill,

            That’s a different company so there is no need (at present!) to delete their certificates.

            http://www.digicert.com/about-digicert.htm

    • #1297135

      I performed Susan’s MMC removal of the one DigiNotar certificate I found in my Trusted folder (XP SP3), then installed the MS KB patch. After reboot I found 5 DigiNotar certificates in my Untrusted folder, so I am thinking everything went well.
      However, this exercise has revealed something a little shocking to me.
      There are a number of certificates in my Trusted folder that are pretty strange looking.
      Mostly these are from foreign sources with foreign names of issuing agency.
      My first inclination was to start deleting them, but thought I’d better ask here if there’s a way to trace certificates for web site application or other key information that shows their use.
      Man, I learn something new every day!

    • #1297149

      I cannot help noticing the following “known issue” in the KB2607712 article by Microsoft:

        At the explicit request of the Dutch government, the release of the automatic update functionality will be delayed for the Netherlands.

      ……

        This update will become available to the Netherlands on Windows Update and on all Automatic Update channels at a later date.

      So unless the Dutch users become aware of this issue and manually install KB2607712 they will not be protected! I wonder what reasons the Dutch government had to leave their citizens vulnerable.

      mo.eu

      • #1297400

        I cannot help noticing the following “known issue” in the KB2607712 article by Microsoft:

          At the explicit request of the Dutch government, the release of the automatic update functionality will be delayed for the Netherlands.

        ……

          This update will become available to the Netherlands on Windows Update and on all Automatic Update channels at a later date.

        So unless the Dutch users become aware of this issue and manually install KB2607712 they will not be protected! I wonder what reasons the Dutch government had to leave their citizens vulnerable.

        mo.eu

        The reason is that many of the government sites use DigiNotar as their CA. They are scrambling to replace the certs, and asked Microsoft for more time.

        • #1297470

          The reason is that many of the government sites use DigiNotar as their CA. They are scrambling to replace the certs, and asked Microsoft for more time.

          That is what I thought, but I don’t like their morals: It does not matter that our users are vulnerable to dodgy certs on other sites as long as they can interact with our pages.

          • #1297492

            The Dutch government is suffering a moral dilemma due to the 3 months of inaction by DigiNotar after the initial breach in security.

            None of this would have happened if DigiNotar had put their hands up in late May to admit the break-in.

    • #1297363

      Is this for companies doing business on the Internet, or for any of us who still have an XP computer in their network and occasionally make purchases online?
      In other words, I am not a company that buys certificates; need I be concerned? And need I manually remove the certificates from our XP systems?

      Thank you.

    • #1298167

      The ones I found have already been moved to untrusted sources.
