Security Basics mailing list archives
Fake Security Certificate
From: Muhammad Saqib <devj.nullj () gmail com>
Date: Fri, 4 Jul 2014 11:15:19 +0500
Hello All,

I am in a little bit of a fix relating to the security of my office email and thought to seek the advice of the community here.

I work in a small company and our office email is hosted on Google. A few days ago, I tried to change the password of my email and instead of opening the usual Google page for password change, it redirected me to passwordchange.mycompanydomain.com and my browser told me that the security certificate of this webpage cannot be trusted.

nslookup passwordchange.mycompanydomain.com revealed that this webpage is indeed hosted by the server managed by our system administrator. Obviously, the password change link in the Google mail has been redirected to this webpage by our system administrator, who is also responsible for managing and hosting the office email on Google and has the rights to edit such information.

I would like to ask:

1. Is this something which I should ignore and continue with my email as earlier?

2. One possible reason for the system administrator to do this could be enabling a single sign on service for the users, i.e. the same password for email and the domain log on on office computers. By collecting the password from the email, the system admin can save the same password for domain log on. However, is this excuse good enough to allow for such a practice?

3. Even if it is being used for single sign on, isn't there any way that an application using a trusted certificate can be used for this purpose?

I would greatly appreciate your expert opinion on this.

Regards