[WEB SECURITY] Re: Minimal User Interaction with Links

51l3n73y3s 51l3n7 at live.in
Mon Aug 17 13:14:09 EDT 2009


You got it wrong too. The certificate is popping right after the "google"
search, not after clicking on any of the links. I have attached the
screenshot at the bugzilla link mentioned before.

-Sandeep Cheema

--------------------------------------------------
From: "Schmidt, Chris" <cschmidt at servicemagic.com>
Sent: Monday, August 17, 2009 9:25 PM
To: "51l3n73y3s" <51l3n7 at live.in>; "Steven M. Christey" 
<coley at linus.mitre.org>; <micheal.espinola at gmail.com>
Cc: <security-basics at securityfocus.com>; <websecurity at webappsec.org>
Subject: RE: [WEB SECURITY] Re: Minimal User Interaction with Links

> It appears to be speedbumping every time I hit that site in Chrome.
>
> Looking in FF 3.0 it also has an issue.
>
> The CA for the Cert is DOD CA-14 - which one would think would be a
> trusted CA if it is legit (which it appears to be).
>
> Perhaps, this is legitimately no longer a trusted CA? Who knows, but, to
> the point, browsers should absolutely be warning you if you visit a site
> which has a non-trusted certificate. This is the only protection you
> have against well orchestrated MiTM attacks.
>
>
>
> -----Original Message-----
> From: 51l3n73y3s [mailto:51l3n7 at live.in]
> Sent: Monday, August 17, 2009 9:23 AM
> To: Schmidt, Chris; Steven M. Christey; micheal.espinola at gmail.com
> Cc: security-basics at securityfocus.com; websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] Re: Minimal User Interaction with Links
>
> The strange thing is that it stops happening at times and then recurs
> again on the same machine, same browser (FF) with the same configuration,
> same machine. Is this behavior noticed with Chrome too?
>
> Regards, Sandeep
> --------------------------------------------------
> From: "Schmidt, Chris" <cschmidt at servicemagic.com>
> Sent: Monday, August 17, 2009 7:24 PM
> To: "51l3n73y3s" <51l3n7 at live.in>; "Steven M. Christey"
> <coley at linus.mitre.org>; <micheal.espinola at gmail.com>
> Cc: <security-basics at securityfocus.com>; <websecurity at webappsec.org>
> Subject: RE: [WEB SECURITY] Re: Minimal User Interaction with Links
>
>> FWIW
>>
>> Chrome also says it is an invalid cert...
>>
>> -----Original Message-----
>> From: 51l3n73y3s [mailto:51l3n7 at live.in]
>> Sent: Friday, August 14, 2009 5:36 PM
>> To: Steven M. Christey; micheal.espinola at gmail.com
>> Cc: security-basics at securityfocus.com; websecurity at webappsec.org
>> Subject: Re: [WEB SECURITY] Re: Minimal User Interaction with Links
>>
>> Steve,
>>
>> I agree completely with you.
>>
>> This link
>> http://www.google.co.in/#hl=en&q=limited+users+test&btnG=Google+Search&meta=&aq=f&fp=2cf627ce33d082a9
>> will not give a certificate problem with IE, but with Mozilla Firefox 3.5.2
>> it throws an invalid certificate for the first website in the results page.
>> Someone trying to fake a military website, probably? That is off thread,
>> if someone wants to report that. It shouldn't throw the certificate warning
>> at all. All I did was to search in Google for "limited users test" (without
>> quotes) and coincidentally it came up as the first result. Perhaps it's
>> still the first. A bug's been filed at
>> https://bugzilla.mozilla.org/show_bug.cgi?id=510448 'cause I think this is
>> not normal. It doesn't happen with 3.0, it doesn't happen with IE 6.0.2900
>> that I have. The browser is not handling this properly. It should keep that
>> to itself (block it) even if it's checking each link for validity, though
>> I don't see a reason why it should even do that.
>>
>> -Sandeep Cheema
>>
>>
>> --------------------------------------------------
>> From: "Steven M. Christey" <coley at linus.mitre.org>
>> Sent: Saturday, August 15, 2009 2:41 AM
>> To: <micheal.espinola at gmail.com>
>> Cc: "51l3n73y3s" <51l3n7 at live.in>; <security-basics at securityfocus.com>;
>> <websecurity at webappsec.org>
>> Subject: Re: [WEB SECURITY] Re: Minimal User Interaction with Links
>>
>>>
>>> On Fri, 14 Aug 2009, Micheal Espinola Jr wrote:
>>>
>>>> Under normal circumstances, no, it is not possible in this day and age
>>>> (i.e. with an up-to-date OS) to automatically execute/save a file by
>>>> clicking a link.
>>>
>>> It's possible to do this automatically, without any user interaction, by
>>> referencing vulnerable ActiveX controls with insecure exposed methods with
>>> names like DownloadAndExecuteFile() (see CVE-2008-4586 for example).
>>>
>>> These types of issues are starting to show up fairly regularly in CVE.
>>> Very few researchers seem to be paying attention to Firefox plug-ins, but
>>> once they do, I expect to see similar results there, too.
>>>
>>> Theoretically it's within the browsers' security models to avoid the
>>> automatic save/execute of files, but browser bugs and the aforementioned
>>> plugin vulnerabilities mean that practically speaking, it's still
>>> possible. I assume the more knowledgeable Flash experts among us have
>>> their own suggestions.
>>>
>>> - Steve
> 

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
