[WEB SECURITY] Re: Minimal User Interaction with Links

Vance, Michael Michael.Vance at salliemae.com
Mon Aug 17 15:41:50 EDT 2009


I'm wondering if this CA is supposed to be for internal use only and a cert was accidentally issued by it for an external web site.  IE gives cert errors if you actually try to visit the site.  The issuing CA (DOD CA-14) isn't in any trusted signer store that I've found yet.

-Michael

-----Original Message-----
From: Schmidt, Chris [mailto:cschmidt at servicemagic.com] 
Sent: Monday, August 17, 2009 11:56 AM
To: 51l3n73y3s; Steven M. Christey; micheal.espinola at gmail.com
Cc: security-basics at securityfocus.com; websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Re: Minimal User Interaction with Links

It appears to be speedbumping every time I hit that site in Chrome. 

Looking in FF 3.0 it also has an issue.

The CA for the Cert is DOD CA-14 - which one would think would be a
trusted CA if it is legit (which it appears to be).

Perhaps, this is legitimately no longer a trusted CA? Who knows, but, to
the point, browsers should absolutely be warning you if you visit a site
which has a non-trusted certificate. This is the only protection you
have against well orchestrated MiTM attacks.



-----Original Message-----
From: 51l3n73y3s [mailto:51l3n7 at live.in] 
Sent: Monday, August 17, 2009 9:23 AM
To: Schmidt, Chris; Steven M. Christey; micheal.espinola at gmail.com
Cc: security-basics at securityfocus.com; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Re: Minimal User Interaction with Links

The strange thing is that it stops happening at times and then recurs
again 
on the same machine, same browser(FF) with the same configuration, same 
machine. Is this behavior noticed with chrome too?

Regards, Sandeep
--------------------------------------------------
From: "Schmidt, Chris" <cschmidt at servicemagic.com>
Sent: Monday, August 17, 2009 7:24 PM
To: "51l3n73y3s" <51l3n7 at live.in>; "Steven M. Christey" 
<coley at linus.mitre.org>; <micheal.espinola at gmail.com>
Cc: <security-basics at securityfocus.com>; <websecurity at webappsec.org>
Subject: RE: [WEB SECURITY] Re: Minimal User Interaction with Links

> FWIW
>
> Chrome also says it is an invalid cert...
>
> -----Original Message-----
> From: 51l3n73y3s [mailto:51l3n7 at live.in]
> Sent: Friday, August 14, 2009 5:36 PM
> To: Steven M. Christey; micheal.espinola at gmail.com
> Cc: security-basics at securityfocus.com; websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] Re: Minimal User Interaction with Links
>
> Steve,
>
> I agree completely with you.
>
> This link
>
http://www.google.co.in/#hl=en&q=limited+users+test&btnG=Google+Search&m
> eta=&aq=f&fp=2cf627ce33d082a9
> will not give a certificate problem with IE, but with Mozilla Firefox
> 3.5.2
> it throws an invalid certificate for the first website in the results
> page.
> Someone trying to fake a military website, Probably? That is off
thread,
> if
> someone wants to report that. It shouldn't throw the certificate
warning
> at
> all. All I did was to search in Google for "limited users test"
(without
>
> quotes) and coincidentally  it came up as the first result. Perhaps
it's
>
> still the first. A bug's been filed at
> https://bugzilla.mozilla.org/show_bug.cgi?id=510448 cause I think this
> is
> not normal. It doesn't happen with 3.0, It doesn't happen with IE
> 6.0.2900
> that I have. The browser is not handling this properly. It should keep
> that
> to itself(Block it) even if it's checking each link for validity,
though
> I
> don't see a reason why it should even do that.
>
> -Sandeep Cheema
>
>
> --------------------------------------------------
> From: "Steven M. Christey" <coley at linus.mitre.org>
> Sent: Saturday, August 15, 2009 2:41 AM
> To: <micheal.espinola at gmail.com>
> Cc: "51l3n73y3s" <51l3n7 at live.in>;
<security-basics at securityfocus.com>;
> <websecurity at webappsec.org>
> Subject: Re: [WEB SECURITY] Re: Minimal User Interaction with Links
>
>>
>> On Fri, 14 Aug 2009, Micheal Espinola Jr wrote:
>>
>>> Under normal circumstances, no, it is not possible in this day and
> age
>>> (i.e with an up-to-date OS) to automatically execute/save a file by
>>> clicking a link.
>>
>> It's possible to do this automatically, without any user interaction,
> by
>> referencing vulnerable ActiveX controls with insecure exposed methods
> with
>> names like DownloadAndExecuteFile() (see CVE-2008-4586 for example).
>>
>> These types of issues are starting to show up fairly regularly in
CVE.
>> Very few researchers seem to be paying attention to Firefox plug-ins,
> but
>> once they do, I expect to see similar results there, too.
>>
>> Theoretically it's within the browsers' security models to avoid the
>> automatic save/execute of files, but browser bugs and the
> aforementioned
>> plugin vulnerabilities mean that practically speaking, it's still
>> possible.  I assume the more knowledgeable Flash experts among us
have
>> their own suggestions.
>>
>> - Steve
>>
>>
>
------------------------------------------------------------------------
>> Securing Apache Web Server with thawte Digital Certificate
>> In this guide we examine the importance of Apache-SSL and who needs
an
> SSL
>> certificate.  We look at how SSL works, how it benefits your company
> and
>> how your customers can tell if a site is secure. You will find out
how
> to
>> test, purchase, install and use a thawte Digital Certificate on your
>> Apache web server. Throughout, best practices for set-up are
> highlighted
>> to help you ensure efficient ongoing management of your encryption
> keys
>> and digital certificates.
>>
>>
>
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
> f727d1
>>
>
------------------------------------------------------------------------
>>
>>
>
>
------------------------------------------------------------------------
> ----
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> 

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA


This E-Mail has been scanned for viruses.

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



More information about the websecurity mailing list