Category Archives: security

Authenticode and SHA1–Redux

I tried to install Telerik DevCraft Ultimate, but Windows 8.1 and Windows 10 blocked it: “Unknown Publisher”? Hrm. That’s weird. I know Telerik signs their code and I was pretty sure their code-signing certificate is SHA256, so the new restrictions on SHA1 in code-signing shouldn’t be a problem, right? Sure enough, the code is signed with a SHA256Continue reading “Authenticode and SHA1–Redux”

SHA-1 Certificates Blocked By Authenticode

Twitter started to light up a bit tonight with folks who are having problems with signatures; both third-party ISVs: … and even Microsoft’s own SysInternals utilities show1 an error: Developers are surprised to see their workflow suddenly broken and wonder why. The problem is outlined here – the tl;dr is that you must use a SHA256-signedContinue reading “SHA-1 Certificates Blocked By Authenticode”

Authenticode in 2016

Last month, I noticed that my eToken USB code-signing key only supports SHA1 and not SHA256. I began hunting for a replacement that can sign using the stronger hash. Fortunately, I didn’t have to look far—the Yubico YubiKey 4 is $40 and supports SHA256, RSA 4096, and ECC p384. Beyond supporting stronger algorithms, it seems toContinue reading “Authenticode in 2016”

Certificates Matter

Recently, my web host stopped supporting the FrontPage Server Extensions used by Microsoft Expression Web 4 for website publishing (FPSE is now out-of-support). FPSE allowed me to publish to my site over a HTTPS connection, helping keep my password safe and my uploaded files unmodified. Unfortunately, the alternative FTP transport is completely insecure–passwords and dataContinue reading “Certificates Matter”