[WEB SECURITY] Re: Minimal User Interaction with Links

Schmidt, Chris cschmidt at servicemagic.com
Mon Aug 17 09:54:22 EDT 2009


FWIW

Chrome also says it is an invalid cert... 

-----Original Message-----
From: 51l3n73y3s [mailto:51l3n7 at live.in] 
Sent: Friday, August 14, 2009 5:36 PM
To: Steven M. Christey; micheal.espinola at gmail.com
Cc: security-basics at securityfocus.com; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Re: Minimal User Interaction with Links

Steve,

I agree completely with you.

This link 
http://www.google.co.in/#hl=en&q=limited+users+test&btnG=Google+Search&m
eta=&aq=f&fp=2cf627ce33d082a9 
will not give a certificate problem with IE, but with Mozilla Firefox
3.5.2 
it throws an invalid certificate for the first website in the results
page. 
Someone trying to fake a military website, Probably? That is off thread,
if 
someone wants to report that. It shouldn't throw the certificate warning
at 
all. All I did was to search in Google for "limited users test" (without

quotes) and coincidentally  it came up as the first result. Perhaps it's

still the first. A bug's been filed at 
https://bugzilla.mozilla.org/show_bug.cgi?id=510448 cause I think this
is 
not normal. It doesn't happen with 3.0, It doesn't happen with IE
6.0.2900 
that I have. The browser is not handling this properly. It should keep
that 
to itself(Block it) even if it's checking each link for validity, though
I 
don't see a reason why it should even do that.

-Sandeep Cheema


--------------------------------------------------
From: "Steven M. Christey" <coley at linus.mitre.org>
Sent: Saturday, August 15, 2009 2:41 AM
To: <micheal.espinola at gmail.com>
Cc: "51l3n73y3s" <51l3n7 at live.in>; <security-basics at securityfocus.com>; 
<websecurity at webappsec.org>
Subject: Re: [WEB SECURITY] Re: Minimal User Interaction with Links

>
> On Fri, 14 Aug 2009, Micheal Espinola Jr wrote:
>
>> Under normal circumstances, no, it is not possible in this day and
age
>> (i.e with an up-to-date OS) to automatically execute/save a file by
>> clicking a link.
>
> It's possible to do this automatically, without any user interaction,
by
> referencing vulnerable ActiveX controls with insecure exposed methods
with
> names like DownloadAndExecuteFile() (see CVE-2008-4586 for example).
>
> These types of issues are starting to show up fairly regularly in CVE.
> Very few researchers seem to be paying attention to Firefox plug-ins,
but
> once they do, I expect to see similar results there, too.
>
> Theoretically it's within the browsers' security models to avoid the
> automatic save/execute of files, but browser bugs and the
aforementioned
> plugin vulnerabilities mean that practically speaking, it's still
> possible.  I assume the more knowledgeable Flash experts among us have
> their own suggestions.
>
> - Steve
>
>
------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an
SSL 
> certificate.  We look at how SSL works, how it benefits your company
and 
> how your customers can tell if a site is secure. You will find out how
to 
> test, purchase, install and use a thawte Digital Certificate on your 
> Apache web server. Throughout, best practices for set-up are
highlighted 
> to help you ensure efficient ongoing management of your encryption
keys 
> and digital certificates.
>
>
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
>
------------------------------------------------------------------------
>
> 

------------------------------------------------------------------------
----
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



More information about the websecurity mailing list