Page 1 of 1

Win32: Seems legit

PostPosted: Mon Aug 11, 2014 10:01 am
by user
So, according to the list, this is recommended:

In the GUI, right click on Trusted Root Certificate Authorities, then All Tasks, and then Import. Navigate to ciphershedtest.cer, and open it.

"Set your OS into a certain mode you've never heard of. Blindly trust this certificate."

Uhm. No.

Re: Win32: Seems legit

PostPosted: Fri Aug 15, 2014 7:35 am
by rocki
Driver signature enforcement... :roll:

Re: Win32: Seems legit

PostPosted: Mon Aug 25, 2014 8:30 am
by WaywardGeek
I'm not happy about it, but we've had difficulty getting a Microsoft code-signing certificate. The main holdup is that we don't want to officially exist in any specific legal jurisdiction as a corproation. I suppose I could get a "Bill Cox" signing certificate for testing purposes, but it seems like a waste... In the meantime, what could possibly go wrong by installing a bogus root-level certificate :-P

Re: Win32: Seems legit

PostPosted: Mon Aug 25, 2014 8:56 am
by user
How many items do you want on that list?

Re: Win32: Seems legit

PostPosted: Wed Aug 27, 2014 8:51 pm
by NickP
The certificate on this page...

...uses 1,024bit RSA + MD5. A variety of MD5 certificate forgeries have been demonstrated. See sections 4-5 in link below:

Regarding 1,024 bit RSA, one paper in 2010 extrapolated what extra resources an existing factoring method would need to break it. Their claim: "For a 1024-bit RSA modulus between half a million and a million [processor] core years should suffice. For each tightly coupled cluster participating in the matrix step a combined memory of 10 terabytes should be adequate." That's not easy enough for people to be throwing attacks at everyone using it. However, it shows it might be within reach of any private or public institution with a supercomputer.

So, I highly recommend swapping out MD5 for at least SHA-1, preferably SHA-2. This is across the board for anything PKI. Also, you might consider configuring browsers, etc to not trust MD5 certificates. Less important, but still wise, is increasing the RSA key to 2,048 bit. I'm less worried your RSA key will be broken than I am pushing for instilling a good habit that might also defeat any future, incremental advances in factoring.