A lot of my Windows drivers have expired dates for the certificate, and some are not even signed, is this normal? [migrated]

I just gathered all the drivers in my system32/drivers folder and checked their certificates (my Windows is updated and it’s Windows 10 x64).

But I found that so many of them have expired certificates, and some are not even signed! (pictures included)

So my questions are:

  1. Is this normal? If not, what should I do? And if not, then why are the expiration dates expired?

  2. How are these drivers able to get loaded when they have no certificate or it’s expired? My system is W10 x64 with Secure Boot enabled; I thought you can only load signed drivers with valid certificates?

  3. What is the role of these countersignatures, put simply? I tried reading MSDN and other websites but couldn’t understand what the need for this is.

Here are some examples:

WindowsTrustedRTProxy.sys (countersignature is also expired) :

winusb.sys (no certificate) :

Why is my RADIUS Certificate not automatically signed with the root CA Certificate on my iPhone

I have spent the last few days setting up a freeradius server with eap-tls as the only authentication method. I have used this old tutorial for setting up my own CA and generating the certificates and adjusted the older parameters to match the current ones.

So far I managed to authenticate my iPhone 6 running iOS 11.1.2 as a test device, for that I have:

  • Installed the root CA’s (the one I created) certificate on my iPhone
  • Installed a test identity profile on my iPhone with the name "Test" and test passphrase, which I converted to a .p12 file

Now when I connect to the network with the freeradius server running in debug mode, I can select EAP-TLS as the auth type and tell it to use the identity certificate. It then prompts me to trust the server’s certificate and I get a successful connection.

I have 2 questions:

  1. Why do I need to trust the server’s certificate if I have the root CA’s certificate installed? As far as I understood the way the authentication works is as follows:
  • The server and client each send their respective certificate for the other party to authenticate with the root CA’s certificate. After both are completed there is an optional challenge for the client to complete? (I’m not sure about this) and the client is authenticated

  • The server doesn’t need to be told to explicitly trust the client certificate but the client needs to explicitly trust the server’s even though they are both issued and signed by the same root CA and both parties have the certificate needed to be able to verify it

  • AFAIK the whole point of certificate-based authentication is to prevent MiTM attacks that other methods are vulnerable against. If the user initially connects to a spoofed access-point and accepts that certificate it will refuse the correct RADIUS server and leak the client certificate to the wrong server, this would be avoided if the client can verify the server certificate on its own without user intervention

  2. There is a username option when selecting the network on the iPhone, which does get matched against a backend SQL database by the freeradius server. Regardless of that username existing, the server accepts the authentication. This page notes that the username is used in inner and outer authentication, but to me that doesn’t seem to make sense, as there is no inner and outer identity in EAP-TLS. I assume there is a way to tell the RADIUS server to only accept requests that match a username in the database, but if it is not configured that way by default, what is the point? Doesn’t the certificate already uniquely identify the device/user, and what is the point of the username field if anything can be entered?

I would appreciate an explanation of these concepts. I’m relatively new to certificate-based authentication and RADIUS in general, so I’m still learning the basics.

The goal of this endeavor is to deploy the server in an eduroam-like environment where users can generate certificates for their devices on some website, download the two needed certificates and get access without having to trust another.

I should also note that I have complete access and control over the server and my CA so I can modify anything as needed, so no quirky workarounds here.

Using Apache MINA for SSH using signed ssh-rsa-cert-01 from Certification Authority

There is an existing client configured and running (SshClient) using Apache MINA to SSH to one of our internal jump boxes. It currently uses PEM-based authentication. Due to compliance we have to switch to using internally signed certificates (internally we are using HashiCorp Vault as a CA). I’m unable to find any documentation regarding how to use signed certificates for SSH in Apache MINA to start with. Is it not supported? Will I perhaps have to use another Java SSH library?

Do id tokens need to be signed asymmetrically?

Access tokens that are passed to the public in an OAuth flow clearly need to be signed using asymmetric encryption (e.g. RSA) so that they cannot be altered by the client to gain access to new scopes, etc.

Id tokens on the other hand are not used to access any resources on the server. So if the client is able to alter the id token they will not be able to gain access to any extra resources. Does that mean that it would be okay to use a symmetric (HMAC) signature with a secret that is shared between the server and a specific client application (like the oauth client_secret for a given oauth client)?

Signed client certificate not accepted by websocket server [migrated]

Want to set up authentication in a Python websocket server which builds up its SSL context like:

    import ssl

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain('certificates/server_cert.pem', 'certificates/server_key.pem')
    # Require a client certificate and verify it against the file loaded below
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations('certificates/bob_cert.pem')

Following the example in here (only for the creation of certificates) I created three keypairs and certificates, one for the websocket server and two client certs. As stated in the example I signed alice’s cert with the server cert and bob’s cert is self-signed.

If I now connect via bob’s cert and set verify_locations in the server as above, bob magically gets into the server (which doesn’t do more than echo back what you sent). But if I connect via alice’s cert (signed by server cert) I do not get accepted, getting a ConnectionResetError; the parameter verify_locations in the above code is then of course set to accept alice_cert.pem. For completeness, below you find the code for SSL context creation on the client side (here for bob):

    import ssl

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    # Verify the server against its own certificate
    ctx.load_verify_locations('certificates/server_cert.pem')
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain('certificates/bob_cert.pem', 'certificates/bob_key.pem')

What am I doing wrong, or where did I misunderstand the tutorial I followed (link above)? How can the unrelated (to the server cert) self-signed certificate used by bob (ISSUER CN=bob, SUBJ CN=bob) get access, whereas alice’s cert, which is signed by the server cert (ISSUER CN=localhost, SUBJ CN=alice), does get rejected?

What mechanisms prevent me from “ptraceing” a signed OSX application?

I want to debug an application I have installed on my Mac.

The application comes in a “.app” format, which is basically a folder including the binary and some other frameworks and resources.

I was trying to attach to the process using ptrace(), but it seems that I get blocked by doing so (even while running as root).

I am able to debug other apps (which I compiled myself).

I was wondering what mechanism is stopping me from doing so, and whether there is any way to bypass it.

Thanks!

Somebody signed up for Facebook using my email. Disabling does not work [closed]

I do not have a Facebook account and I do not wish to sign up for one.

At the end of January, I started getting Arabic Facebook mails. Apparently somebody had signed up to Facebook using my Gmail address (with an additional ‘.’; think fo.o@bar.com rather than foo@bar.com, which still ends up being directed to me.)

At first I just ignored it because I assumed it was a phishing attempt, but it soon became clear that the mails were actually from Facebook.

I soon found the links at the bottom of the mails that would allow me to ‘disavow contact’, prompting me to an English Facebook page asking me if I wanted to disable the account.

Didn’t sign up for Facebook with this account?

Someone recently tried to sign up for Facebook using [fo.o@bar.com]. If that wasn’t you, you can disable the account.

But whenever I try to do this, it says

Sorry, something went wrong.

We’re working on getting this fixed as soon as we can.

It has been a couple of weeks and it still does not work.

What can I do? I do not merely want to block mails from Facebook, I want this account not to be tied to my email address.

Keeping self signed CA certification a secret [duplicate]

I have a server that has a public and private key pair that are known by my own self-hosted CA.

A client wants to send the server some sensitive data. When the client receives the server’s public key, to initiate a TLS connection, the client obviously has to contact my CA to verify the server is not an imposter.

The client also has to make sure my CA is not an imposter. Is the only option for facilitating this to obtain a non-self-signed, legitimate certificate from another CA, embedded into the software tools the client is already using to communicate all this? Or, as a second option, send the client our CA certificate beforehand, like in an email, to use in all future communications with our CA? How is this normally handled in software exposing public APIs over secure connections by those who want to manage their own PKI?

Why don’t services like Have I Been Pwned send email if you haven’t signed up?

When a database is breached and my password and email have been leaked, I can go onto Have I Been Pwned? and I can see that my password has been leaked. But why wouldn’t the service send out an email notifying me of my leaked password WITHOUT signing up for getting notified?

In my experience, a lot of senior people find out that their password management is poor (same password everywhere) after they’ve been hacked and potentially lost money. Now they could’ve received an email notifying them of all their hacked passwords and the shock could force them to use a password manager.

I think the main reason this doesn’t exist is that there are way too many emails to send. If you sum up a list of leaked services for every user, you’d have to send millions or billions of emails (even if spread out over multiple years) and this would probably get you blocked on every mail service.

What are the other reasons that this service doesn’t exist?