In case you missed it, on May 30th, a root certificate expired.
This made a lot of applications very unreliable, and been widely regarded as a bad move.
Well, alright, what was regarded as a bad move is that applications should become unreliable in the specific circumstances involved here.
When you connect to a server(web site or application) over SSL/TLS, the server has to send your client (browser or application) its Certificate.
In modern code, this Certificate is used by the client to trace back to a signing authority that is trusted by the client or its operating system.
Some servers like to help this process out, by sending a chain along with the Certificate for a couple of reasons:
This second situation is what weâ€™re interested in here. A new root appears, new certificates are issued, and old clients refuse to honour them because they donâ€™t have the new root in their trust store.
This is fixed with â€ścross-signingâ€ť, which allows an older, trusted root, to sign the new untrusted root, so that the older client sees a chain that includes the older root at the top, and is therefore trusted.
Older root certificates expire. It takes 20 years, but it finally happened at the end of May, to this one root certificate, â€śAddTrust External CA Rootâ€ť
When that happens, a client who builds the certificate chain and uses this to trust the root certificate is happy, because it sees only certificates that it trusts.
A client who takes the certificate chain as supplied by the server, without building its own, will see that the chain ends in an expired certificate, and refuse to connect, because the entire chain cannot be trusted.
The two links I provided earlier are well worth a read if youâ€™re interested in solving this problem, and really, Iâ€™ve got nothing to add to how this issue occurred, why itâ€™s a problem, how to address it at your server, or any of those fun things.
What I do offer is a tool for .NET (Windows and Linux, Mac, etc) that lets you compare the certificate chain as presented by the server against the certificate chain built by a client. It will report if a certificate in either chain has expired. Itâ€™s written in C#, and built with Visual Studio, and takes one parameter â€“ the site to which it will connect on port 443 to query for the certificate and chain.
Itâ€™s not a very smart tool, and it makes a few assumptions (though itâ€™s relatively easy to fix if those assumptions turn out to be false).
But it has source code, and it runs on Windows, Linux and (presumably â€“ havenâ€™t tested) Mac.
Working against the sites listed at http://testsites.test.certificatetest.com/, we get the following results:
First: https://aaacertificateservices.test.certificatetest.com/ – Certificate issued from a CA signed by AAA Certificate Services root.
Interestingly, note that the certificate chain in the stream from the server doesnâ€™t include the root certificate at all, but itâ€™s present in the code where we ask the client code what certificates are in the chain for this server.
Second: https://addtrustexternalcaroot.test.certificatetest.com/ – Certificate issued from a CA signed by AddTrust External CA Root.
The certificates here expired on 5/30/2020, and itâ€™s no surprise that we see this result in both the chain provided by the server and the chain provided by the client. Again, the root certificate isnâ€™t actually in the chain from the server provided in the stream.
Third: https://addtrustaia.test.certificatetest.com/ – Certificate issued from a CA signed by USERTrust RSA Certification Authority with a cross cert via AIA from AddTrust External CA Root.
Nothing noteworthy here, but itâ€™s included here for completeness. I donâ€™t do anything in this code for an AIA cross cert.
Fourth, and most importantly: https://addtrustchain.test.certificatetest.com/ – Certificate issued from a CA signed by USERTrust RSA Certification Authority with a cross cert via server chain from AddTrust External CA Root.
Hereâ€™s the point of the tool â€“ itâ€™s able to tell you that thereâ€™s a certificate in the chain from the server that has expired, and may potentially be causing problems to visitors using an older browser or client library.
By now, youâ€™ve had enough of reading and you want to see the code â€“ or just run it. Iâ€™ve attached two files â€“ one for the source code, the other for the executable content. I leave it up to others to tell you how to install dotnet core on your platform.
Let me know if, and how, you use this tool, and whether it achieves whatever goal you want from it.
In which I move my version control from ComponentSoftwareâ€™s CS-RCS Pro to Git while preserving commit history.
[If you donâ€™t want the back story, click here for the instructions!]
OK, so having watched the video I linked to earlier, I thought Iâ€™d move some of my old projects to Git.
I picked one at random, and went looking for tools.
Iâ€™m hampered a little by the fact that all my old projects used ComponentSoftwareâ€™s â€śCS-RCS Proâ€ť.
A couple of really good reasons:
But you know who doesnâ€™t use CS-RCS Pro any more?
Thatâ€™s right, ComponentSoftware.
Itâ€™s a dead platform, unsupported, unpatched, and belongs off my systems.
One simple reason â€“ if I move off the platform, I face the usual choice when migrating from one version control system to another:
The second option seems a bit of a waste to me.
OK, so yes, technically I could mix the two modes, by using CS-RCS Pro to browse the ancient history when I need to, and Git to browse recent history, after starting Git from a clean working folder. But I could see a couple of problems:
So, really, I wanted to make sure that I could move my files, history and all.
I really didnâ€™t have a good way to do it.
Clearly, any version control system can be moved to any other version control system by the simple expedient of:
But, as you can imagine, thatâ€™s really long-winded and manual. That should be automatable.
In fact, given the shared APIs of VSS-compatible source control services, Iâ€™m truly surprised that nobody has yet written a tool to do basically this task. Iâ€™d get on it myself, but I have other things to do. Maybe someone will write a â€śVSS2Gitâ€ť or â€śVSS2VSSâ€ť toolkit to do just this.
There is a format for creating a single-file copy of a Git repository, which Git can process using the command â€śgit fast-importâ€ť. So all I have to find is a tool that goes from a CS-RCS repository to the fast-import file format.
So, clearly thereâ€™s no tool to go from CS-RCS Pro to Git. Thereâ€™s a tool to go from CS-RCS Pro to CVS, or there was, but that was on the now-defunct CS-RCS web site.
Butâ€¦ Remember I said that itâ€™s compatible with GNU RCS.
And thereâ€™s scripts to go from GNU RCS to Git.
OK, so the script for this is written in Ruby, and as I read it, there seemed to be a few things that made it look like it might be for Linux only.
I really wasnâ€™t interested in making a Linux VM (easy though that may be) just so I could convert my data.
Everything changed with the arrival of the recent Windows 10 Anniversary Update, because along with it came a new component.
Bash on Ubuntu on Windows.
Itâ€™s like a Linux VM, without needing a VM, without having to install Linux, and it works really well.
With this, I could get all the tools I needed â€“ GNU RCS, in case I needed it; Ruby; Git command line â€“ and then I could try this out for myself.
Of course, I wouldnâ€™t be publishing this if it wasnâ€™t somewhat successful. But there are some caveats, OK?
Iâ€™ve tried this a few times, on ONE of my own projects. This isnâ€™t robustly tested, so if something goes all wrong, please by all means share, and people who are interested (maybe me) will probably offer suggestions, some of them useful. Iâ€™m not remotely warrantying this or suggesting itâ€™s perfect. It may wipe your development history out of your one and only copy of version controlâ€¦ so donâ€™t do it on your one and only copy. Make a backup first.
GNU RCS likes to store files in one of two places â€“ either in the same directory as the working files, but with a â€ś,vâ€ť pseudo-extension added to the filename, or in a sub-directory off each working folder, called â€śRCSâ€ť and with the same â€ś,vâ€ť extension on the files. If you did either of these things, thereâ€™s no surprises. Butâ€¦
CS-RCS Pro doesnâ€™t do this. It has a separate RCS Repository Root. I put mine in C:\RCS, but you may have yours somewhere else. Underneath that RCS Repository Root is a full tree of the drives youâ€™ve used CS-RCS to store (without the â€ś:â€ť), and a tree under that. I really hope you didnâ€™t embed anything too deep, because that might bode ill.
Initially, this seemed like a bad thing, but because you donâ€™t actually need the working files for this task, you can pretend that the RCS Repository is actually your working space.
Maybe this is obvious, but it took me a moment of thinking to decide I didnâ€™t have to move files into RCS sub-folders of my working directories.
Make this a â€śflag dayâ€ť. After you do this conversion, never use CS-RCS Pro again. It was good, and it did the job, and itâ€™s now buried in the garden next to Old Yeller. Do not sprinkle the zombification water on that hallowed ground to revive it.
This also means you MUST check in all your code before converting, because checking it in afterwards will be â€¦ difficult.
Assumption: You have Windows 10.
This might look like a lot of instructions, but I mostly just wanted to be clear. This is really quick work. If you screw up after the â€śgit initâ€ť command, simply â€śrm â€“rf .gitâ€ť to remove the new repository.
So, there was this tweet that got passed around the security community pretty quickly:
BlueCoat now has a CA signed by Symantec https://t.co/8OXmtpT6eX
â€” Filippo Valsorda (@FiloSottile) May 26, 2016
Kind of confusing and scary if youâ€™re not quite sure what this all means â€“ perhaps clear and scary if you do.
BlueCoat manufactures â€śman in the middleâ€ť devices â€“ sometimes used by enterprises to scan and inspect / block outbound traffic across their network, and apparently also used by governments to scan and inspect traffic across the network.
The first use is somewhat acceptable (enterprises can prevent their users from distributing viruses or engaging in illicit behaviour from work computers, which the enterprises quite rightly believe they own and should control), but the second use is generally not acceptable, depending on how much you trust your local government.
Filippo helpfully gives instructions on blocking this from OSX, and a few people in the Twitter conversation have asked how to do this on Windows.
Don’t do this on a machine you don’t own or manage – you may very well be interfering with legitimate interference in your network traffic. If you’re at work, your employer owns your computer, and may intercept, read and modify your network traffic, subject to local laws, because it’s their network and their computer. If your government has ruled that they have the same rights to interceptÂ Internet traffic throughout your country, you may want to consider whether your government shouldn’t be busy doing other things like picking up litter and contributing to world peace.
As with most things on Windows, thereâ€™s multiple ways to do this. Hereâ€™s one, which can be followed either by regular users or administrators. Itâ€™s several steps, but itâ€™s a logical progression, and will work for everyone.
Step 1. Download the certificate. Really, literally, follow the link to the certificate and click â€śOpenâ€ť. Itâ€™ll pop up as follows:
Step 2. Install the certificate. Really, literally, click the button that says â€śInstall Certificateâ€¦â€ť. Youâ€™ll see this prompt asking you where to save it:
Step 3. If youâ€™re a non-administrator, and just want to untrust this certificate for yourself, leave the Store Location set to â€śCurrent Userâ€ť. If you want to set this for the machine as a whole, and youâ€™re an administrator, select Local Machine, like this:
Step 4: Click Next, to be asked where youâ€™re putting the certificate:
Step 5: Select â€śPlace all certificates in the following storeâ€ť:
Step 6: Click the â€śBrowseâ€¦â€ť button to be given choices of where to place this certificate:
Step 7: Donâ€™t select â€śPersonalâ€ť, because that will explicitly trust the certificate. Scroll down and youâ€™ll see â€śUntrusted Certificatesâ€ť. Select that and hit OK:
Step 8: Youâ€™re shown the store you plan to install into:
Step 9: Click â€śNextâ€ť â€“ and youâ€™ll get a final confirmation option. Read the screen and make sure you really want to do whatâ€™s being offered â€“ itâ€™s reversible, but check that you didnâ€™t accidentally install the certificate somewhere wrong. The only place this certificate should go to become untrusted is in the Untrusted Certificates store:
Step 10: Once youâ€™re sure you have it right, click â€śFinishâ€ť. Youâ€™ll be congratulated with this prompt:
Step 11: Verification. Hit OK on the â€śimport was successfulâ€ť box. If you still have the Certificate open, close it. Now reopen it, from the link or from the certificate store, or if you downloaded the certificate, from there. Itâ€™ll look like this:
The certificate hasnâ€™t actually been revoked, and you can open up the Untrusted Certificates store to remove this certificate so itâ€™s trusted again if you find any difficulties.
There are other methods to do this â€“ if youâ€™re a regular admin user on Windows, Iâ€™ll tell you the quicker way is to open MMC.EXE, add the Certificates Snap-in, select to manage either the Local Computer or Current User, navigate to the Untrusted Certificates store and Import the certificate there. For wide scale deployment, there are group policy ways to do this, too.
OK, OK, because you asked, here’s a picture of how to do it by GPO:
I happened upon a blog post by the Office team yesterday which surprised me, because it talked about a feature in PowerPoint that Iâ€™ve wanted ever since I first got my Surface 2.
Hereâ€™s a link to documentation on how to use this feature in PowerPoint.
It seems like the obvious feature a tablet should have.
Here’s a video of me using it to draw a few random shapes:
But not just in PowerPoint â€“ this should be in Word, in OneNote, in Paint, and pretty much any app that accepts ink.
So hereâ€™s the blog post from Office noting that this feature will finally be available for OneNote in November.
On iPad, iPhone and Windows 10. Which I presume means itâ€™ll only be on the Windows Store / Metro / Modern / Immersive version of OneNote.
Thatâ€™s disappointing, because it should really be in every Office app. Hell, Iâ€™d update from Office 2013 tomorrow if this was a feature in Office 2016!
Please, Microsoft, donâ€™t stop at the Windows Store version of OneNote.
Shape recognition, along with handwriting recognition (which is apparently also hard), should be a natural part of my use of the Surface Pen. It should work the same across multiple apps.
Thatâ€™s only going to happen if itâ€™s present in multiple apps, and is a documented API which developers â€“ of desktop apps as well as Store apps â€“ can call into.
Well, desktop apps can definitely get that.
Iâ€™ll admit that I havenâ€™t had the time yet to build my own sample, but Iâ€™m hoping that this still works â€“ thereâ€™s an API called â€śInk Analysisâ€ť, which is exactly how you would achieve this in your app:
It allows you to analyse ink youâ€™ve captured, and decide if itâ€™s text or a drawing, and if itâ€™s a drawing, what kind of drawing it might be.
[Iâ€™ve marked this with the tag â€śAlunâ€™s Codeâ€ť because I want to write a sample eventually that demonstrates this function.]
Iâ€™ve updated from Windows 8.1 to Windows 10 Enterprise Insider Preview over this weekend, on my Surface Pro 3 and a Lenovo tablet. Both machines are used for software development as well as playing games, so seemed the ideal place to practice.
So hereâ€™s some initial impressions:
Iâ€™ve mentioned before (ranted, perhaps) about how the VPN support in Windows 8.1 is great for desktop apps, but broken for Metro / Modern / Immersive / Windows Store apps.
Still, maybe now Iâ€™m able to provide feedback, and Windows is in a beta test phase, perhaps theyâ€™ll pay attention and fix the bugs.
Itâ€™s a beta, but just in case you were persuaded to install this on a production system, itâ€™s still not release quality.
Every so often, the Edge browser (currently calling itself â€śProject Spartanâ€ť) will just die on you.
Iâ€™ve managed to get the â€śPeople Hubâ€ť to start exactly twice without crashing immediately.
Download the most recent version from the Insiderâ€™s page, and you still have to apply an update to the entire system before youâ€™re actually up to date. The update takes essentially as long as the initial install.
Hey, itâ€™s a beta â€“ what did you expect?
Things will break, youâ€™ll find yourself missing functionality, so you may need to restore to your original state. Update before you install, and fewer things will be as likely to go wrong in the upgrade.
They wonâ€™t fix things you donâ€™t provide feedback about.
OK, so maybe they also wonâ€™t fix things that you DO provide feedback on, but thatâ€™s how life works. Not everything gets fixed. Ever.
But if you donâ€™t report issues, you wonâ€™t ever see them fixed.
The People â€śHubâ€ť in Windows 10, from the couple of times Iâ€™ve managed to execute it, basically has my contacts, and can display whatâ€™s new from them in Outlook Mail.
I rather enjoy the Windows 8.1 People Hub, where you can see in one place the most recent interactions in Twitter, Facebook, LinkedIn and Skype. Or at least, thatâ€™s what it promises, even if it only actually delivers Facebook and Twitter.
Itâ€™s always possible to delete a video file, of course, but in Windows 8.1, after youâ€™ve finished watching a video from the Videos app, you had to go find some other tool in which to do so â€“ and hope that you deleted the right one.
In Windows 10 you can use the context menu (right click, or tap and hold) on a video to delete it from your store.
Still needs some more work â€“ it doesnâ€™t display subtitles / closed-captioning, it only orders alphabetically, and thereâ€™s no jumping to the letter â€śQâ€ť by pressing the â€śQâ€ť key, but this app is already looking very functional even for those of us who collect MP4 files to watch.
I really, really liked the Media Center. More than TiVo. We have several Media Center PCs in our house, and now we have to figure out what weâ€™re going to do. Iâ€™m not going back to having a made-for-purpose device that canâ€™t do computing, I want my Media Center. Iâ€™ll try some of its competitors, but itâ€™d be really nice if Microsoft relents and puts support back for Media Center.
Excellent HTML5 compatibility, reduced chance of being hit by third party vulnerabilities, F12 Developer Tools, and still allows me to test for XSS vulnerabilities if I choose to do so.
Pretty much what I want in a browser, although from a security standpoint, the choice to allow two third party
vulnerabilities add-ins into the browser, Flash and Reader, seems to be begging future trouble.
Having said that, you can disable Adobe Flash in the Advanced Settings of your Spartan browser. Iâ€™m going to recommend that you do that on all your non-gaming machines. Then find out which of your web sites need it, and either fix them, or decide whether you can balance the threat of Flash with the utility of that service.
The F12 Developer Tools continue to be a very useful set of web site debugging tools, and assist me greatly in discovering and expanding on web site vulnerabilities. I personally find them easier than debugging tools in other browsers, and they have the benefit of being always installed in recent Microsoft browsers.
The â€śReaderâ€ť view is a nice feature, although it was present in Windows 8.1, and should be used any time you want to actually read the contents of a story, rather than wade through adverts and constant resizing of other content around the text youâ€™re actually interested in.
Because, you know, Iâ€™m all about the XSS.
Internet Explorer has a pretty assertive XSS filter built in, and even when you turn it off in your settings, it still comes back to prevent you. I find this to be tricky, because I sometimes need to convince developers of the vulnerabilities in their apps. Firefox is often helpful here, because it has NO filters, but sometimes the behaviour Iâ€™m trying to show is specific to Internet Explorer.
Particularly, if I type a quote character into the URL in Internet Explorer, it sends a quote character. Firefox will send a %22 or %27 (double or single quotes). So, sometimes IE will trigger behaviour that Firefox doesnâ€™t.
Sadly, although Spartan does seem to still be useful for XSS testing, the XSS filter canâ€™t be specifically turned off in settings. Iâ€™d love to see if I can find a secret setting for this.
Windows has needed a PDF printer since, oh, Windows 3.1. A print driver that prompts you for a file name, and saves whatever youâ€™re printing as a PDF file.
With Office, this kind of existed with Save as PDF. With OneNote, you could Print to OneNote, open the View ribbon, and hide the header, before exporting as a PDF. But thatâ€™s the long way around.
With Windows 10, Microsoft installed a new printer driver, â€śMicrosoft Print to PDFâ€ť. It does what it says on the tin, allowing you to generate PDFs from anywhere that can print.
I use a Surface Pro 3 as my main system, and I have to say that the reversion to a mainly desktop model of operations is nice to my eyes, but a little confusing to the hands â€“ I donâ€™t quite know how to manage things any more.
Sometimes I like to work without the keyboard, because the tablet works well that way. But now I canâ€™t close apps by sliding from top to bottom, even when Iâ€™ve expanded them to full screen. Not sure how Iâ€™m supposed to do this.