Many websites operate with outdated or misconfigured SSL certificates and are therefore vulnerable to attacks; these are the conclusions of a survey to appear later this month. Rodney Thayer will present his survey results at the Chaos Communication Congress (CCC) in Berlin
(Dec. 27-30). It concerns dozens of problems found in SSL certificates. “I show some web shops that provide access via both www.shop.com and shop.com. They think this helps users, but it can badly hamper SSL certificates.”
Thayer also found numerous sites with outdated certificates or using outdated, vulnerable technologies such as SSL 2 or 40-bit RC4. “There is absolutely no reason to use SSL 2 any longer, as everybody knows it is broken. In most cases using RC4 can be a reason for a retailer to fail a PCI audit. One should not see these types of technologies anymore.”
Check and double-check
Besides implementation problems, better standards should also be brought in for certificate authorities. “During my survey I found 247 legitimate certificate authorities, ranging from the well-known Verisign organization to a small organization in Turkey that hands out free certificates almost on the fly. No industry standards exist at the moment for certificate authorities.”
Since certificate authorities do not always verify the validity of a certificate, firms should do this themselves on a regular basis, according to the researcher. Users are advised to no longer ignore browser pop-ups and warnings. “Check your SSL connection before you send sensitive data.” In Firefox you can use the Perspectives add-on to check verification, and the SSL Blacklist plug-in.
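The checks the report describes (does the certificate actually cover the name the user typed, is it still within its validity period, and what protocol and cipher did the connection really negotiate) as an added example in Python. This is not Thayer's survey tool and not code from the article; the certificate dict and the reference timestamps are constructed by hand to mimic what Python's `ssl.SSLSocket.getpeercert()` returns, using the shop.com / www.shop.com case from the quote:

```python
"""Offline SSL/TLS endpoint audit in the spirit of the survey quoted above.

Example code added to this thread; not Thayer's tool and not from the report.
SAMPLE_CERT is a hand-constructed dict shaped like ssl.SSLSocket.getpeercert().
"""
import socket
import ssl
import time

# Things the report says should no longer be seen in production.
BROKEN_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_MARKERS = ("RC4", "EXP", "DES-CBC", "NULL", "MD5")   # export/legacy suites
MIN_SYMMETRIC_BITS = 128                                          # 40-bit RC4 fails this

# Constructed sample: a cert issued only for the bare domain, expired end of 2008.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.com"),),),
    "subjectAltName": (("DNS", "shop.com"),),
    "notBefore": "Jan 15 00:00:00 2008 GMT",
    "notAfter": "Dec 31 23:59:59 2008 GMT",
}
# Constructed reference instants for the offline demo (epoch seconds).
MID_2008 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2008 GMT")   # inside validity
MID_2009 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2009 GMT")   # after expiry


def dns_names(cert):
    """Names the certificate actually covers: SAN dNSNames, else the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    return names


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, a wildcard only as the whole
    left-most label, and never matching the bare parent (*.shop.com != shop.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_findings(cert, hostname, now=None):
    """Problems with presenting `cert` for `hostname` at time `now` (epoch seconds)."""
    now = time.time() if now is None else now
    findings = []
    if not any(name_matches(n, hostname) for n in dns_names(cert)):
        findings.append(f"name mismatch: {hostname} not covered by {dns_names(cert)}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append(f"not yet valid: notBefore={cert['notBefore']}")
    if now > not_after:
        findings.append(f"expired: notAfter={cert['notAfter']}")
    elif now > not_after - 30 * 86400:
        findings.append(f"expires within 30 days: notAfter={cert['notAfter']}")
    return findings


def connection_findings(protocol, cipher_name, secret_bits):
    """Problems with what was negotiated, as reported by SSLSocket.version()
    and SSLSocket.cipher() -> (name, protocol, secret_bits)."""
    findings = []
    if protocol in BROKEN_PROTOCOLS:
        findings.append(f"broken protocol negotiated: {protocol}")
    if any(marker in cipher_name for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite: {cipher_name}")
    if secret_bits < MIN_SYMMETRIC_BITS:
        findings.append(f"symmetric key too short: {secret_bits} bits")
    return findings


def audit_live(host, port=443, timeout=5.0):
    """Run the same checks against a real server. Needs network access, so it
    is not exercised by the offline demo below."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # report the mismatch ourselves instead of aborting
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                name, _, bits = tls.cipher()
                return cert_findings(cert, host) + connection_findings(tls.version(), name, bits)
    except ssl.SSLError as exc:     # untrusted chain, cert rejected by OpenSSL, etc.
        return [f"handshake rejected: {exc}"]


if __name__ == "__main__":
    # The www-vs-bare-domain case from the quote, checked as of mid-2009.
    for finding in cert_findings(SAMPLE_CERT, "www.shop.com", now=MID_2009):
        print("cert:", finding)
    # The export-grade setup the report says should not exist anymore.
    for finding in connection_findings("SSLv2", "EXP-RC4-MD5", 40):
        print("connection:", finding)
```

Note that `audit_live` deliberately keeps `verify_mode` at `CERT_REQUIRED` and only switches off `check_hostname`, so a bad chain still fails the handshake while a name mismatch is reported as a finding instead of an exception; modern OpenSSL builds will refuse to negotiate SSL 2 or 40-bit suites at all, so the `connection_findings` checks mostly matter when you feed them results from a scanner that still speaks those protocols.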
No, of course it always has been an important issue. If I remember right, not so long ago Vlk also pointed out the importance of good certificate authentication against malware. Especially as I visit coder pages for my interest in secure browser code, I see web pages where I am alerted that something is not completely OK with that page’s certificate. It is not explicitly saying “watch out, there could be malicious content here”, but in these cases I start to prick up my ears security-wise.
This is just like saying “it is time to pay attention when avast tells you it found a virus”.
polonus does a wonderful job of alerting us to information gleaned from his keen anti-malware research - but that does not mean that every report he passes on to this forum should pass without question or comment other than the usual admiration.
Hey alanrf, I feel that info like this isn’t really directed at the regulars, but at the new members who, unlike us, really don’t know much about security and who come here to learn.
I have the Perspectives add-on but I confess to not using it much at all, so it isn’t just newbies, familiarity can breed contempt.
But we can also go overboard as far as security goes, and it becomes all-consuming and you spend all your time keeping your security apps, add-ons, etc. up to date.
Yes, thank you, Polonus. As a matter of fact, there were two Windows XP systems I went to that were using IE7, but had the optional root certificates update missing. So I remembered it was a good idea to install that update as it provides an additional and much appreciated layer of security.
Indeed, Polonus’ advice should be heeded, unless you want to let all the bad bugs enter your system and then blame everyone else for your failing systems, but not yourselves.
Very good observation of yours. So do not take things for granted, and do not trust things at first glance.
Also there are many selling sites that sell things without https. There are other ways for cybercriminals to get to the data, like SQL injection etc., but let us also not forget the obvious; practical examples like the one you gave here are very instructional for the users of this forum section. Thank you for posting.
Would expect absolutely nothing from such a pompous forum member, who holds himself in such high esteem as to not recognize his own unnecessary sarcastic jibe.
I don’t recall asking you for anything; as for an apology, I very much doubt it is a word you would utter freely.
Allowing for your emotional venting … I have apologized before in these forums … but not today and not to you.
BTW what we are seeing in this thread is rather inverted logic.
So do not take things for granted, and do not trust things at first glance.
Like the report posted by polonus.
I was stating (albeit with some irony - perhaps the difference is not clear to some posters) that I did already take these warnings seriously. Where is the evidence that others do not? I see none given. And then we have the subtle change to:
Also there are many selling sites that sell things without https
Very true … let the buyer beware … but what has that got to do with certificate warnings in any way, shape or form?
And the continuing obfuscation as a fig leaf to avoid the point I made. I think most users are already concerned when they see a certificate problem. This was, from the start, a posting of a report that is an answer looking for a problem.
My goodness how emotional of me!
Your comments re Polonus’s post were not sarcastic, totally necessary; Polonus’s sole intention, as you pointed out, was to have us all heap admiration upon him.
Following a private discussion, tednelly (for which my thanks) has made clear to me that my earlier comments in this thread are, or come very close to being, a personal criticism of polonus, whose intent in starting this thread was, I know, based solely on helping others in the forum.
My intent was to question the information being posted by polonus - which is legitimate - and not to impugn polonus or the right of polonus to post the information. For my failure to make this clear in my wording, I must apologize to polonus.