
More tasty 808-errifficness



Ran across this bit in a help forum for an FTP product that uses MS-CAPI
(MS-CryptoAPI, i.e. certificate store features):

> Q: Your computer keeps wanting to connect to www.saupdate.microsoft.com 
> [207.46.131.229], port 80.
> 
> A: It's a "feature" in Windows XP triggered when an SChannel (Microsoft SSL 
> Library) client receives a digital certificate signed by an untrusted CA. 
> This feature allows Microsoft (not you) to control which certificate 
> authorities you trust by dynamically updating the list of trusted CAs in 
> your Windows XP. This can be disabled by removing "Update Root Certificates" 
> from Add/Remove Windows Components in Control Panel (Q283717). 

Read that again - "allows Microsoft (not you) to control which certificate
authorities you trust"...

Microsoft is our only hope to kill off Verisign/Network Solutions... :=)

It also means they can *pro-actively* disable self-signed CAs.

Perhaps a firewall entry would be appropriate, since MS is apparently 
tunnelling this remote administration capability of *your* machine via
a seemingly authorized HTTP request.

Mike808/


-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.