Discussion in 'Article Discussion' started by bit-tech, 29 Nov 2018.
"We don't need to have a cert authority sign our cert, we can just self-sign and install it as a root cert. We're installing it ourselves, after all, so we know it's us! What could possibly go wrong?"
I'm glad to see the awesome 2010 headphones as the go-to Sennheiser placeholder image! Mine are still going strong today.
Was thinking the same Omnislip, I even have a sealed spare set somewhere in a shelf
How does Microsoft remove the certificate with an update? I mean how do they know to remove that specific certificate? Has Sennheiser asked them to do it? What if I create a certificate of my own and put it in trusted root certificates, are they going to remove it too?
Every certificate has a fingerprint, most commonly software identifies certificates via SHA256 hash.
For example bit-tech.net has the following chain :
SSL certificate :
Fingerprint SHA256: 51f9e18d37b8b7eba0bd0dec6cb2c7b210d1fc1277273bece04213ce24698b47
Pin SHA256: yqshVW4YoJ3k7a0Aqs1sCe0kwQJuueqK1RKT9Q2Pa1c=
COMODO RSA Domain Validation Secure Server CA
Fingerprint SHA256: 02ab57e4e67a0cb48dd2ff34830e8ac40f4476fb08ca6be3f5cd846f646840f0
Pin SHA256: klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=
COMODO RSA Certification Authority
Fingerprint SHA256: 4f32d5dc00f715250abcc486511e37f501a899deb3bf7ea8adbbd3aef1c412da
Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=
So if MS decided that they want to remove that COMODO root CA, they could just iterate over the root CA list on the computer, identify the CA with specific SHA256 hash and if it matches the hash of the offending certificate, remove it.
(Source of the hashes: https://www.ssllabs.com/ssltest/analyze.html?d=bit-tech.net )
Edit: And before you say "what about a possible conflict" - the number of unique hashes SHA256 can have is 2^256. That is :
115 792 089 237 316 195 423 570 985 008 687 907 853 269 984 665 640 564 039 457 584 007 913 129 639 936. That is a number so big, a whole IPv6 range can be put in it in same amount of times as big as the IPv6 range itself is.
Can I just point out how insane it is that we have security issues in our goddamn HEADPHONES now? What did this even need a security certificate for in the first place?
It is all the extra software that comes with stuff these days.
Pointless audio software that duplicates functionality Realtek and MS have covered already, 300 different RGB control apps, infinity +1 update managers etc... all developed with minimal effort so security issues are inevitable.
When will companies learn to stop doing this
That ain't got fo the shizzle, y'all.
Wonder if any other companies are doing this?
Well, Lenovo was, obvs. ($7.2 million fine for that one.) Sony went one further and installed an insecure rootkit on any system its audio CDs were inserted into, which was particularly amazing.
Then there was eDellRoot, an even worse issue (unlike Superfish, eDellRoot was deployed to the workstation lines, not just the consumer ones).
Separate names with a comma.