Thursday, February 18, 2010

Vista security exploit: X.509 certificates

When we install an X.509 certificate in a windows store, it is valid only if we can build from it some valid certificates chain. For example, if its issuer's certificate is in the trusted root store.

However it seems there is a meaningful change between XP and Vista. In XP, when we install a certificate in the "trusted people" store it is not valid unless such chain exist:



In Vista, once we put the certificate in the TrustedPeople store it is automatically valid even if no chain exist:



This change makes sense: If we trust someone then we do not need to trust its issuer also. However there is a backward compatibility risk: non valid certificates on XP become implicitly valid on Vista which is a potential security hole.

What's next? get this blog rss updates or register for mail updates!
Posted by Yaron Naveh (MVP) at 8:32 PM
Labels:

1 comments:

Anonymous said...

I'm new around here, seems like a cool place though. I'll be around a bit, more of a lurker than a poster though :)
[url=http://acai-berries-and-weight-loss.wetpaint.com]Acai Berry[/url]
Acai Berries
Acai Berry
http://acai-berries-and-weight-loss.wetpaint.com
Acai Berry

February 19, 2010 3:46 PM

Post a Comment

Subscribe to: Post Comments (Atom)