QuickBooks And The Case Of The Not-Before Root Certificates

Source: Ars Technica

Now You See It, Now You Don’t … Oh Wait, It’s Back

Microsoft did a good thing which unfortunately produced some bad results for some sysadmins.  They have a system in place to deprecate ancient root certificates, as is very much best practice.  The problem is that while it is relatively easy to update the root certificates on a website, updating the ones for apps is much less fun.  Microsoft changed the trust of a 2019 certificate from Symantec; previously it was trusted as long as the certificate was from before 2019 but not if it was issued afterwards.  After various enterprises ran into software installation errors because of the untrusted root certificates, they changed the setting back to what it had been.

The reason they wanted to deprecate the certificate dates back to 2015, when Google caught Symantec issuing improper certificates.  Google determined that over 30,000 improper certificates had been issued, which makes for a monstrous security concern, as an enterprising hacker could take advantage of this to install software on other machines or impersonate a secure website.  Google laid down an ultimatum and then followed through on it, and their Chrome browser was set to not trust any certificate issued by Symantec.  This move was adopted by numerous other companies, and any certificate issued before 2019 stopped being accepted.

The one exception, until recently, was Microsoft.  They were happy to continue to accept those certificates; when they did break that trust they discovered any number of legacy apps which required them. They have reversed course for now, but we really need to get rid of these ancient root certificates!

Ars Technica delves into the details here.

The VeriSign Class 3 Public Primary Certification Authority – G5 is distrusted as of 2019 and was set to “NotBefore” in a previous release. This means that certificates issued after the NotBefore date will no longer be trusted; however, certificates issued before the NotBefore date will continue to be trusted.
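The following is an added example, not code from this article, Ars Technica or Microsoft. It models the NotBefore behaviour quoted above and reports which applications lose trust when a root moves from one state to another. The state names, the cutoff date placeholder, the inventory and the function names are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum

class RootState(Enum):          # state names are this example's own labels
    TRUSTED = "trusted"         # everything chaining to the root is accepted
    NOT_BEFORE = "not_before"   # only certificates issued before the cutoff
    DISTRUSTED = "distrusted"   # nothing chaining to the root is accepted

ROOT = "VeriSign Class 3 Public Primary Certification Authority - G5"
# Placeholder: the article gives only "2019", not the exact NotBefore date.
CUTOFF = date(2019, 1, 1)

@dataclass(frozen=True)
class SignedApp:
    name: str
    root: str      # subject of the root the signing certificate chains to
    issued: date   # issuance date of the signing certificate

def is_trusted(app, state, cutoff=CUTOFF):
    """Apply the root's trust state to one signed application."""
    if app.root != ROOT:
        return True                   # other roots are outside this model
    if state is RootState.TRUSTED:
        return True
    if state is RootState.NOT_BEFORE:
        return app.issued < cutoff    # exact-boundary handling is an assumption
    return False

def newly_broken(inventory, old, new):
    """Names of apps trusted under the old state but not under the new one."""
    return [a.name for a in inventory
            if is_trusted(a, old) and not is_trusted(a, new)]

# Constructed inventory, not real products or real certificate dates.
INVENTORY = [
    SignedApp("legacy-accounting-installer", ROOT, date(2016, 5, 10)),
    SignedApp("recent-driver-package", ROOT, date(2019, 8, 2)),
    SignedApp("unrelated-tool", "Example Other Root CA", date(2021, 3, 1)),
]

if __name__ == "__main__":
    # The change described in the article: NotBefore -> fully distrusted.
    print("broken by full distrust:",
          newly_broken(INVENTORY, RootState.NOT_BEFORE, RootState.DISTRUSTED))
    # The earlier step: trusted -> NotBefore.
    print("broken by NotBefore:",
          newly_broken(INVENTORY, RootState.TRUSTED, RootState.NOT_BEFORE))
```

Run against a real software inventory, the first report is the list of legacy applications to re-sign or replace before the root is finally removed.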

About The Author

Jeremy Hellstrom
