
expired certs



#1
Ectech

Recently I've been sorting through some common settings in an attempt to secure my computer as much as possible. In my search I came across several expired digital certificates that date back to 1997 that were issued by Microsoft, Verisign, etc. There's even one that states FRAUDULENT. So I decided to look further and discovered that the certs have been in every version from XP up to Windows 7. Can anybody explain why they are included in Windows if they are no longer valid? From what I know, invalid certs are a security flaw, or are they used for some older apps?
  • 0


#2
usasma

Certificates are included to help you decide if you want the software that they're offering.

So if in 1997 you installed some software (and accepted the certificate) that's where it stays.
If you don't update it, it stays dated at 1997.

If you try to access that same software now, you should get an error that the certificate is expired. And Windows should attempt to help you get an updated certificate.

I'm not familiar with invalid certificates, but would expect that if they were accepted then they'd be installed on your system just as valid ones are.
  • 0

#3
Ectech

These certificates that I'm referring to are installed by default in all Windows including Windows 7. So I guess my question is more along the lines of: why does Microsoft have non-valid certificates in an OS that was developed 12 years later? Surely, they must be aware that they exist. And why are they not updated in current editions of Windows? It seems to be a huge security hole that could be used for many reasons, especially ones that state fraudulent.

Edited by Ectech, 17 May 2009 - 12:11 PM.

  • 0

#4
usasma

Could you let us know the location of these certificates? I'm not familiar with them and it'll take a bit of research to see what they are.
  • 0

#5
Ectech

Click Start > Run > type mmc > click OK.

Select File > Add/Remove Snap-in > in the left pane double click Certificates > select Computer account > click Next > click Finish > click OK > expand the trusted root certificate authorities > then double click and check every cert.

In Windows 7 there is only 1 cert listed as fraudulent, but in XP & Vista there are 2.

I'd post a screenshot but I already removed them. :)

Edited by Ectech, 17 May 2009 - 01:13 PM.

  • 0

#6
Ectech

Now that I take a closer look they are under the untrusted section, but still I know they exist in Vista and Win 7.
  • 0
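
The manual check described in post #5 and the untrusted-store observation in post #6 can also be scripted. The following is an added example, not part of the original thread: it assumes Windows PowerShell 3.0 or later and the built-in `Cert:` drive, where `Root` is the Trusted Root Certification Authorities store and `Disallowed` is the Untrusted Certificates store. `Get-CertStoreReport` is a hypothetical helper name, and the script only reads the stores.

```powershell
# Added example: read-only inventory of the local machine certificate stores.
# 'Root' = Trusted Root Certification Authorities, 'Disallowed' = Untrusted Certificates.
function Get-CertStoreReport {
    param(
        [string[]]$StoreName = @('Root', 'Disallowed'),
        [datetime]$AsOf = (Get-Date)
    )
    foreach ($name in $StoreName) {
        $path = "Cert:\LocalMachine\$name"
        if (-not (Test-Path -Path $path)) {
            Write-Warning "Store not found: $path"
            continue
        }
        foreach ($cert in Get-ChildItem -Path $path) {
            # Classify by validity period relative to $AsOf
            $status = 'Valid'
            if ($cert.NotAfter -lt $AsOf) { $status = 'Expired' }
            elseif ($cert.NotBefore -gt $AsOf) { $status = 'NotYetValid' }

            [pscustomobject]@{
                Store      = $name
                Status     = $status
                NotAfter   = $cert.NotAfter
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

$report = Get-CertStoreReport

# Expired entries that still sit in the trusted root store
$report | Where-Object { $_.Store -eq 'Root' -and $_.Status -eq 'Expired' } |
    Sort-Object NotAfter |
    Format-Table NotAfter, Subject, Thumbprint -AutoSize

# Everything in the untrusted store, whatever its dates
$report | Where-Object { $_.Store -eq 'Disallowed' } |
    Format-Table Status, NotAfter, Subject, Thumbprint -AutoSize

# Count per store and status
$report | Group-Object Store, Status | Select-Object Count, Name
```

Listing the two stores separately shows whether an entry is an expired trusted root or a certificate that has been explicitly placed in the untrusted store, which is the distinction post #6 arrives at.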

#7
usasma

It's an interesting subject - and the answer wasn't available on the limited searches that I did.
FYI - type "certmgr.msc" in the Start box (without the quotes) and it'll open this dialog also.

But, here's a link that explains some of the purpose behind it: http://www.proper.co...t-cert-problem/
Interestingly, it seems as if they're deletable, but will silently reinstall themselves if a website is visited that uses that certificate.

Verisign certs: http://support.microsoft.com/kb/834438
Root certificate program members: http://msdn.microsof...y/ms995347.aspx

This post says they're required for backwards compatibility: http://forum.soft32....opict37105.html
and provides this link: http://support.micro...kb;en-us;293781

How to remove a certificate from the Trusted Root Store (Win2K, IE5 and older): http://support.micro...om/?kbid=293819
Turn off the update function (WinXP): http://support.microsoft.com/kb/283717
  • 0

#8
Ectech

Interesting finds, thanks for the info. Now it's time to dig a bit deeper.
  • 0





