Security Basics mailing list archives
RE: [WEB SECURITY] Re: Minimal User Interaction with Links
From: "Schmidt, Chris" <cschmidt () servicemagic com>
Date: Mon, 17 Aug 2009 07:54:22 -0600
FWIW Chrome also says it is an invalid cert...

-----Original Message-----
From: 51l3n73y3s [mailto:51l3n7 () live in]
Sent: Friday, August 14, 2009 5:36 PM
To: Steven M. Christey; micheal.espinola () gmail com
Cc: security-basics () securityfocus com; websecurity () webappsec org
Subject: Re: [WEB SECURITY] Re: Minimal User Interaction with Links

Steve,

I agree completely with you.

This link
http://www.google.co.in/#hl=en&q=limited+users+test&btnG=Google+Search&meta=&aq=f&fp=2cf627ce33d082a9
will not give a certificate problem with IE, but with Mozilla Firefox 3.5.2 it throws an invalid certificate for the first website in the results page. Someone trying to fake a military website, probably? That is off thread, if someone wants to report that.

It shouldn't throw the certificate warning at all. All I did was to search in Google for "limited users test" (without quotes) and coincidentally it came up as the first result. Perhaps it's still the first.

A bug's been filed at https://bugzilla.mozilla.org/show_bug.cgi?id=510448 'cause I think this is not normal. It doesn't happen with 3.0. It doesn't happen with IE 6.0.2900 that I have.

The browser is not handling this properly. It should keep that to itself (block it) even if it's checking each link for validity, though I don't see a reason why it should even do that.

-Sandeep Cheema

--------------------------------------------------
From: "Steven M. Christey" <coley () linus mitre org>
Sent: Saturday, August 15, 2009 2:41 AM
To: <micheal.espinola () gmail com>
Cc: "51l3n73y3s" <51l3n7 () live in>; <security-basics () securityfocus com>; <websecurity () webappsec org>
Subject: Re: [WEB SECURITY] Re: Minimal User Interaction with Links

On Fri, 14 Aug 2009, Micheal Espinola Jr wrote:

> Under normal circumstances, no, it is not possible in this day and age
> (i.e. with an up-to-date OS) to automatically execute/save a file by
> clicking a link.

It's possible to do this automatically, without any user interaction, by referencing vulnerable ActiveX controls with insecure exposed methods with names like DownloadAndExecuteFile() (see CVE-2008-4586 for example). These types of issues are starting to show up fairly regularly in CVE.

Very few researchers seem to be paying attention to Firefox plug-ins, but once they do, I expect to see similar results there, too.

Theoretically it's within the browsers' security models to avoid the automatic save/execute of files, but browser bugs and the aforementioned plugin vulnerabilities mean that practically speaking, it's still possible.

I assume the more knowledgeable Flash experts among us have their own suggestions.

- Steve
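
Added example, not part of the thread and not written by any of the posters: a small defensive scanner that flags pages calling download/execute-style methods on ActiveX objects, the pattern Steve describes. The sample page, the all-zero CLSID, the "Example.Helper" ProgID, the variable names and the keyword list are all constructed for illustration.

```python
import re

# Name fragments suggesting a method fetches, writes or launches files.
# Heuristic list assumed for this example, not an authoritative catalogue.
RISKY = re.compile(r"download|execute|exec|run|launch|save|write", re.I)

OBJECT_TAG = re.compile(r"<object\b([^>]*)>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]+)""")
NEW_AX = re.compile(
    r"""(\w+)\s*=\s*new\s+ActiveXObject\(\s*["']([^"']+)["']\s*\)""")
CALL = re.compile(r"\b(\w+)\.(\w+)\s*\(")

# Constructed sample page: the CLSID and ProgID are placeholders,
# not real controls.
SAMPLE = """
<html><body>
<object id="ctl" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script>
  var fs = new ActiveXObject("Example.Helper");
  ctl.DownloadAndExecuteFile(u);
  fs.GetVersion();
  document.write("hello");
</script>
</body></html>
"""


def find_risky_activex_calls(html):
    """Return (control, method) pairs for risky-looking calls on ActiveX objects."""
    controls = {}  # script-visible name -> CLSID or ProgID
    # Controls embedded with <object id=... classid="clsid:...">
    for tag in OBJECT_TAG.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag.group(1))}
        if attrs.get("classid", "").lower().startswith("clsid:") and "id" in attrs:
            controls[attrs["id"]] = attrs["classid"]
    # Controls created from script with new ActiveXObject("ProgID")
    for name, progid in NEW_AX.findall(html):
        controls[name] = progid
    # Keep only method calls made on a known control whose name looks risky
    return [(controls[name], method)
            for name, method in CALL.findall(html)
            if name in controls and RISKY.search(method)]


if __name__ == "__main__":
    for control, method in find_risky_activex_calls(SAMPLE):
        print(f"review: {control} exposes {method}() to page script")
```

A finding is a lead for review of the control (is it still needed, is it blocked in the browser), not proof of a vulnerability.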