#Microsoft locks account that #VeraCrypt maintainer uses to sign #Windows bootloaders with no explanation or route for appeal.
-
@manawyrm @azonenberg @jik @zackwhittaker (yes just checked and this is exactly how it works)
@gsuberland @manawyrm @azonenberg @jik @zackwhittaker the certificates used to sign them do have an expiry but timestamps solve both expired cert and expired CA. The only way to revoke it is to add that cert to a CRL and leave it there permanently. I've no idea if the windows kernel checks crls or just maintains a list of blocked certs but I'd expect it to share the logic with windows and keep a cached crl (could be wrong, a long time since I cared much about windows drivers).
UEFI I don't think checks either expiry or timestamps at all. Instead it has the dbx which can contain blocked certificates or hashes of binaries that should not load.
-
@gsuberland @manawyrm @azonenberg @jik @zackwhittaker the certificates used to sign them do have an expiry but timestamps solve both expired cert and expired CA. The only way to revoke it is to add that cert to a CRL and leave it there permanently. I've no idea if the windows kernel checks crls or just maintains a list of blocked certs but I'd expect it to share the logic with windows and keep a cached crl (could be wrong, a long time since I cared much about windows drivers).
UEFI I don't think checks either expiry or timestamps at all. Instead it has the dbx which can contain blocked certificates or hashes of binaries that should not load.
@gsuberland @manawyrm @azonenberg @jik @zackwhittaker they're blocked on signing new builds.
-
@gsuberland @manawyrm @azonenberg @jik @zackwhittaker the certificates used to sign them do have an expiry but timestamps solve both expired cert and expired CA. The only way to revoke it is to add that cert to a CRL and leave it there permanently. I've no idea if the windows kernel checks crls or just maintains a list of blocked certs but I'd expect it to share the logic with windows and keep a cached crl (could be wrong, a long time since I cared much about windows drivers).
UEFI I don't think checks either expiry or timestamps at all. Instead it has the dbx which can contain blocked certificates or hashes of binaries that should not load.
@diagprov @manawyrm @azonenberg @jik @zackwhittaker yup that tracks with my understanding of it. Windows does have a driver cert revocation mechanism and a more general blocklist to prevent loading known-vulnerable drivers, but I haven't studied it in detail.
-
@diagprov @manawyrm @azonenberg @jik @zackwhittaker yup that tracks with my understanding of it. Windows does have a driver cert revocation mechanism and a more general blocklist to prevent loading known-vulnerable drivers, but I haven't studied it in detail.
@gsuberland @manawyrm @azonenberg @jik @zackwhittaker me neither but given how closely uefi code looks to Microsoft C code I bet the mechanism of dbx is very similar to the kernel.
-
#Microsoft locks account that #VeraCrypt maintainer uses to sign #Windows bootloaders with no explanation or route for appeal. If they don't fix this, in a few months every Windows computer that uses VeraCrypt whole-disk encryption will stop being able to boot and all the data on it that isn't backed up elsewhere will be lost.
If this doesn't convince you big tech has too much control, I don't know what will.
h/t @zackwhittaker
https://techcrunch.com/2026/04/08/veracrypt-encryption-software-windows-microsoft-lock-boot-issues/
#infosec #privacy #TechIsShitDispatch@jik yeah, I just decided never to back up anywhere that wasn't a disk I owned...
-
@diagprov @manawyrm @azonenberg @jik @zackwhittaker yup that tracks with my understanding of it. Windows does have a driver cert revocation mechanism and a more general blocklist to prevent loading known-vulnerable drivers, but I haven't studied it in detail.
@gsuberland @diagprov @manawyrm @azonenberg @jik @zackwhittaker there are two types of revocation lists, the old one that can revoke certs and binaries by hash (two different lists for boot and drivers), and the new one that's just a CiPolicy and can therefore revoke by anything that a CiPolicy supports. -
#Microsoft locks account that #VeraCrypt maintainer uses to sign #Windows bootloaders with no explanation or route for appeal. If they don't fix this, in a few months every Windows computer that uses VeraCrypt whole-disk encryption will stop being able to boot and all the data on it that isn't backed up elsewhere will be lost.
If this doesn't convince you big tech has too much control, I don't know what will.
h/t @zackwhittaker
https://techcrunch.com/2026/04/08/veracrypt-encryption-software-windows-microsoft-lock-boot-issues/
#infosec #privacy #TechIsShitDispatch@jik@federate.social @zackwhittaker@mastodon.social depending on microslop has consequences tbh
-
#Microsoft locks account that #VeraCrypt maintainer uses to sign #Windows bootloaders with no explanation or route for appeal. If they don't fix this, in a few months every Windows computer that uses VeraCrypt whole-disk encryption will stop being able to boot and all the data on it that isn't backed up elsewhere will be lost.
If this doesn't convince you big tech has too much control, I don't know what will.
h/t @zackwhittaker
https://techcrunch.com/2026/04/08/veracrypt-encryption-software-windows-microsoft-lock-boot-issues/
#infosec #privacy #TechIsShitDispatch@jik @zackwhittaker what
Why would being unable to sign stuff stop you from booting and decrypting your disk "in a few months"
What did VeraCrypt do
Why do they even have M$ signing keys
Whay
-
#Microsoft locks account that #VeraCrypt maintainer uses to sign #Windows bootloaders with no explanation or route for appeal. If they don't fix this, in a few months every Windows computer that uses VeraCrypt whole-disk encryption will stop being able to boot and all the data on it that isn't backed up elsewhere will be lost.
If this doesn't convince you big tech has too much control, I don't know what will.
h/t @zackwhittaker
https://techcrunch.com/2026/04/08/veracrypt-encryption-software-windows-microsoft-lock-boot-issues/
#infosec #privacy #TechIsShitDispatch -
#Microsoft locks account that #VeraCrypt maintainer uses to sign #Windows bootloaders with no explanation or route for appeal. If they don't fix this, in a few months every Windows computer that uses VeraCrypt whole-disk encryption will stop being able to boot and all the data on it that isn't backed up elsewhere will be lost.
If this doesn't convince you big tech has too much control, I don't know what will.
h/t @zackwhittaker
https://techcrunch.com/2026/04/08/veracrypt-encryption-software-windows-microsoft-lock-boot-issues/
#infosec #privacy #TechIsShitDispatch@jik @zackwhittaker big tech can eat a big dick
-
Z zak@infosec.exchange shared this topic
