Security Basics mailing list archives
RE: [WEB SECURITY] Re: Minimal User Interaction with Links
From: "Vance, Michael" <Michael.Vance () salliemae com>
Date: Mon, 17 Aug 2009 15:41:50 -0400
I'm wondering if this CA is supposed to be for internal use only and a cert was accidentally issued by it for an external web site. IE gives cert errors if you actually try to visit the site. The issuing CA (DOD CA-14) isn't in any trusted signer store that I've found yet.

-Michael

-----Original Message-----
From: Schmidt, Chris [mailto:cschmidt () servicemagic com]
Sent: Monday, August 17, 2009 11:56 AM
To: 51l3n73y3s; Steven M. Christey; micheal.espinola () gmail com
Cc: security-basics () securityfocus com; websecurity () webappsec org
Subject: RE: [WEB SECURITY] Re: Minimal User Interaction with Links

It appears to be speedbumping every time I hit that site in Chrome. Looking in FF 3.0 it also has an issue. The CA for the cert is DOD CA-14, which one would think would be a trusted CA if it is legit (which it appears to be). Perhaps this is legitimately no longer a trusted CA?

Who knows, but, to the point, browsers should absolutely be warning you if you visit a site which has a non-trusted certificate. This is the only protection you have against well-orchestrated MiTM attacks.

-----Original Message-----
From: 51l3n73y3s [mailto:51l3n7 () live in]
Sent: Monday, August 17, 2009 9:23 AM
To: Schmidt, Chris; Steven M. Christey; micheal.espinola () gmail com
Cc: security-basics () securityfocus com; websecurity () webappsec org
Subject: Re: [WEB SECURITY] Re: Minimal User Interaction with Links

The strange thing is that it stops happening at times and then recurs again on the same machine, same browser (FF) with the same configuration, same machine. Is this behavior noticed with Chrome too?

Regards,
Sandeep

--------------------------------------------------
From: "Schmidt, Chris" <cschmidt () servicemagic com>
Sent: Monday, August 17, 2009 7:24 PM
To: "51l3n73y3s" <51l3n7 () live in>; "Steven M. Christey" <coley () linus mitre org>; <micheal.espinola () gmail com>
Cc: <security-basics () securityfocus com>; <websecurity () webappsec org>
Subject: RE: [WEB SECURITY] Re: Minimal User Interaction with Links

FWIW Chrome also says it is an invalid cert...

-----Original Message-----
From: 51l3n73y3s [mailto:51l3n7 () live in]
Sent: Friday, August 14, 2009 5:36 PM
To: Steven M. Christey; micheal.espinola () gmail com
Cc: security-basics () securityfocus com; websecurity () webappsec org
Subject: Re: [WEB SECURITY] Re: Minimal User Interaction with Links

Steve,

I agree completely with you. This link
http://www.google.co.in/#hl=en&q=limited+users+test&btnG=Google+Search&meta=&aq=f&fp=2cf627ce33d082a9
will not give a certificate problem with IE, but with Mozilla Firefox 3.5.2 it throws an invalid certificate for the first website in the results page. Someone trying to fake a military website, probably? That is off thread, if someone wants to report that. It shouldn't throw the certificate warning at all. All I did was to search in Google for "limited users test" (without quotes) and coincidentally it came up as the first result. Perhaps it's still the first.

A bug's been filed at https://bugzilla.mozilla.org/show_bug.cgi?id=510448 'cause I think this is not normal. It doesn't happen with 3.0; it doesn't happen with IE 6.0.2900 that I have. The browser is not handling this properly. It should keep that to itself (block it) even if it's checking each link for validity, though I don't see a reason why it should even do that.

-Sandeep Cheema

--------------------------------------------------
From: "Steven M. Christey" <coley () linus mitre org>
Sent: Saturday, August 15, 2009 2:41 AM
To: <micheal.espinola () gmail com>
Cc: "51l3n73y3s" <51l3n7 () live in>; <security-basics () securityfocus com>; <websecurity () webappsec org>
Subject: Re: [WEB SECURITY] Re: Minimal User Interaction with Links

On Fri, 14 Aug 2009, Micheal Espinola Jr wrote:

> Under normal circumstances, no, it is not possible in this day and age (i.e., with an up-to-date OS) to automatically execute/save a file by clicking a link.

It's possible to do this automatically, without any user interaction, by referencing vulnerable ActiveX controls with insecure exposed methods with names like DownloadAndExecuteFile() (see CVE-2008-4586 for example). These types of issues are starting to show up fairly regularly in CVE. Very few researchers seem to be paying attention to Firefox plug-ins, but once they do, I expect to see similar results there, too.

Theoretically it's within the browsers' security models to avoid the automatic save/execute of files, but browser bugs and the aforementioned plugin vulnerabilities mean that practically speaking, it's still possible. I assume the more knowledgeable Flash experts among us have their own suggestions.

- Steve
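The situation the thread is diagnosing (a certificate whose issuer, here DOD CA-14, is in no trust store the browser consults) can be reproduced offline. This is an added example, not code from any message above: it builds a throwaway private CA standing in for the unknown issuer, signs a leaf certificate for a constructed hostname, and shows openssl verify rejecting that leaf against the default trust store but accepting it once the CA is supplied explicitly. It assumes the openssl command-line tool is installed; the CA name and host name are constructed.

```shell
#!/bin/sh
# Added example: reproduce why a browser warns when a site's certificate
# chains to an issuer that is not in its trust store. Assumes the openssl
# CLI is installed; the CA name and host name are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Throwaway private CA, standing in for an issuer the browser does not know.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. Leaf certificate for a constructed host, issued by that CA.
printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = www.example.test\n' \
  > "$WORK/site.cnf"
openssl req -newkey rsa:2048 -nodes -config "$WORK/site.cnf" \
  -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/site.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/site.pem" 2>/dev/null

# Issuer DN of a certificate: the first thing to read when a browser complains.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# Exit 0 if the leaf chains to a CA in the given store, non-zero otherwise.
# "$1" is a CA bundle file, or "system" for openssl's default trust store.
verify_against() {
  if [ "$1" = "system" ]; then
    openssl verify "$WORK/site.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/site.pem" >/dev/null 2>&1
  fi
}

echo "issuer: $(issuer_of "$WORK/site.pem")"
if verify_against system; then echo "default store: accepted (unexpected)"
else echo "default store: rejected, issuer not trusted (what the browser saw)"; fi
verify_against "$WORK/ca.pem" && echo "with the CA supplied: accepted"
```

Adding the CA to a trust store is the right fix only when the operator has confirmed it is legitimately theirs; otherwise the rejection is the check doing its job.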
----
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Current thread:
- Minimal User Interaction with Links 51l3n73y3s (Aug 14)
- Re: Minimal User Interaction with Links Micheal Espinola Jr (Aug 14)
- Re: [WEB SECURITY] Re: Minimal User Interaction with Links Steven M. Christey (Aug 14)
- Message not available
- RE: [WEB SECURITY] Re: Minimal User Interaction with Links Schmidt, Chris (Aug 18)
- Re: [WEB SECURITY] Re: Minimal User Interaction with Links 51l3n73y3s (Aug 18)
- RE: [WEB SECURITY] Re: Minimal User Interaction with Links Schmidt, Chris (Aug 18)
- RE: [WEB SECURITY] Re: Minimal User Interaction with Links Vance, Michael (Aug 18)
- Re: [WEB SECURITY] Re: Minimal User Interaction with Links 51l3n73y3s (Aug 18)
- Re: [WEB SECURITY] Re: Minimal User Interaction with Links Bil Corry (Aug 18)
- Re: [WEB SECURITY] Re: Minimal User Interaction with Links 51l3n73y3s (Aug 18)
- Re: [WEB SECURITY] Re: Minimal User Interaction with Links Steven M. Christey (Aug 14)
- Re: Minimal User Interaction with Links Micheal Espinola Jr (Aug 14)