Author Topic: Do not any longer ignore certification browser pop-ups and warnings!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32270
  • malware fighter
Hi malware fighters,

Many websites operate using outdated or misconfigured SSL certificates and are therefore vulnerable to attacks; these are the conclusions from a survey to appear later this month. Rodney Thayer will give a presentation on his survey results during the Chaos Communication Congress (CCC) in Berlin (Dec. 27-30). It concerns dozens of problems found in SSL certificates. "I show some web shops providing access to both wxw.shop.com and shop.com. They think this is helping users, but it can hamper SSL-certificates grand time."

Thayer also found numerous sites with outdated certificates or using outdated, vulnerable technologies like SSL 2 or 40-bit RC-4. "There is absolutely no reason to use SSL 2 any longer, when everybody knows it is "broken". In most cases using RC-4 can be a reason for a retailer to fail a PCI audit. One should not see these types of technologies anymore."

Check and double-check
In addition to implementation problems, better standards should also be brought in for certificate authorization suppliers. "During my survey I have found 247 legit certificate authorities, varying from the well-known Verisign organization to a small organization in Turkey that hands out free certificates almost "on the fly". No industry standards exist at the moment for certificate authorities."

While certificate authorities do not always verify the validity of a certificate, firms should do this themselves on a regular basis, according to the researcher. Users are advised to no longer ignore browser pop-ups and warnings. "Check your SSL connection before you send sensitive data." In Firefox you can use the Perspectives add-on to check verification, and the SSL Blacklist plug-in.

« Last Edit: December 18, 2008, 09:21:25 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
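
As an added example (not part of the original post or the survey it reports), the sketch below checks a site for the problems the post lists: a certificate that does not cover every host name the shop answers on, an expired certificate, SSL 2, and an RC4 cipher. It works on the values Python's `ssl` module exposes for a connection; the host names, the certificate records and the `served_hosts` parameter are constructed for illustration.

```python
import ssl

def dns_names(cert):
    """DNS entries of subjectAltName, in SSLSocket.getpeercert() dict form."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Exact match, or one wildcard standing for the left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])

def audit(cert, protocol, cipher, served_hosts, now):
    """List the problems named in the post for one site.

    cert         dict as returned by SSLSocket.getpeercert()
    protocol     string as returned by SSLSocket.version()
    cipher       (name, protocol, secret_bits) as returned by SSLSocket.cipher()
    served_hosts every host name the shop answers on (hypothetical input)
    now          epoch seconds to compare the expiry date against
    """
    findings = []
    names = dns_names(cert)
    for host in served_hosts:
        if not any(name_matches(n, host) for n in names):
            findings.append(f"name-mismatch:{host}")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("expired")
    if protocol == "SSLv2":
        findings.append("weak-protocol:SSLv2")
    name, _, bits = cipher
    if "RC4" in name.upper():
        findings.append(f"weak-cipher:{name}:{bits}-bit")
    return findings

# Constructed sample data, not taken from any real site.
HOSTS = ["www.shop.example", "shop.example"]
NOW = ssl.cert_time_to_seconds("Dec 18 00:00:00 2008 GMT")
BAD_CERT = {"subjectAltName": (("DNS", "www.shop.example"),),
            "notAfter": "Dec 10 00:00:00 2008 GMT"}
GOOD_CERT = {"subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
             "notAfter": "Dec 10 00:00:00 2009 GMT"}

if __name__ == "__main__":
    print(audit(BAD_CERT, "SSLv2", ("EXP-RC4-MD5", "SSLv2", 40), HOSTS, NOW))
    print(audit(GOOD_CERT, "TLSv1", ("AES128-SHA", "TLSv1", 128), HOSTS, NOW))
```

A wildcard entry such as `*.shop.example` covers `www.shop.example` but not the bare `shop.example`, which is why the second certificate lists both.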

Offline Marc57

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1944
  • KISS Rules The World!!!
    • KISS Army
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #1 on: December 19, 2008, 08:44:00 AM »
Good advice, Thanks polonus.
You Wanted the Best You Got the Best the Hottest Band in the World KISS!!!

Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7087
  • Be alert for error code - ID 10T
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #2 on: December 19, 2008, 08:59:48 AM »
***

Thanks for the info, Polonus.   :)


***
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3867
  • Just an avast user
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #3 on: December 19, 2008, 09:24:21 AM »
And there was me thinking all this time that paying attention to these warnings was important. 

You mean it only really became important today when you reminded us?

Offline TedNelly

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1538
  • Trust No-One!
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #4 on: December 19, 2008, 10:46:25 AM »
> And there was me thinking all this time that paying attention to these warnings was important.
>
> You mean it only really became important today when you reminded us?

Totally unnecessary sarcastic comment!
Windows 10 Pro | Intel I7 CPU | 16 Gig 2133 RAM | Avast beta 17.5.2295 | Firefox 54 b9(64-bit) | Cyberfox 52.1 | T-Bird 52.1.1 | SpyWareBlaster 5.5 | MalwareBytes 3.0.0.865 | WinPatrol 35.5.2 | GlassWire 1.2.100 | Cybereason Ransomfree 2.2.7 |  Pulla-dePlug Final!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67275
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #5 on: December 19, 2008, 12:51:10 PM »
C'mon guys... it's Christmas time ;)
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32270
  • malware fighter
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #6 on: December 19, 2008, 01:25:02 PM »
Hi alanrf,

No, of course it always has been an important issue. If I remember right, not so long ago Vlk also pointed out the importance of good certificate authentication against malware. Especially as I visit coder pages for my interest in secure browser code, I see webpages where I am alerted that something is not completely OK with that page's certificate. It is not explicitly saying watch out there could be malicious content here, but in these cases I start to prick my ears security-wise,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3867
  • Just an avast user
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #7 on: December 19, 2008, 02:32:49 PM »
With no apology to tednelly whatsoever ...

This is just like saying "it is time to pay attention when avast tells you it found a virus".

polonus does a wonderful job of alerting us to information gleaned from his keen anti-malware research - but that does not mean that every report he passes on to this forum should pass without question or comment other than the usual admiration.

 




Offline Marc57

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1944
  • KISS Rules The World!!!
    • KISS Army
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #8 on: December 19, 2008, 06:58:37 PM »
> With no apology to tednelly whatsoever ...
>
> This is just like saying "it is time to pay attention when avast tells you it found a virus".
>
> polonus does a wonderful job of alerting us to information gleaned from his keen anti-malware research - but that does not mean that every report he passes on to this forum should pass without question or comment other than the usual admiration.



Hey alanrf, I feel that info like this isn't really directed at the regulars, but at the new members who, unlike us, really don't know much about security and who come here to learn.
You Wanted the Best You Got the Best the Hottest Band in the World KISS!!!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 82740
  • No support PMs thanks
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #9 on: December 19, 2008, 07:22:25 PM »
I have the Perspectives add-on but I confess to not using it much at all, so it isn't just newbies, familiarity can breed contempt.

But we can also go overboard as far as security goes and it becomes all consuming and you spend all your time keeping your security apps, add-ons, etc. up to date.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.2.2401 (build 20.2.5130.565) UI-1.0.502/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67275
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #10 on: December 19, 2008, 07:45:23 PM »
> you spend all your time keeping your security apps, add-ons, etc. up to date.

This is why I love auto-update programs... especially when you can count on bandwidth ;)
The best things in life are free.

Offline doomer

  • Jr. Member
  • **
  • Posts: 29
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #11 on: December 19, 2008, 10:26:55 PM »
Yes, thank you, Polonus. As a matter of fact, there were two Windows XP systems I went to that were using IE7, but had the optional root certificates update missing. So I remembered it was a good idea to install that update as it provides an additional and much appreciated layer of security.

Indeed, Polonus' advice should be heeded, unless you want to let all the bad bugs enter your system, and then blame everyone else for your failing systems, but not yourselves.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67275
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #12 on: December 19, 2008, 11:23:51 PM »
> optional root certificates update

Why doesn't Microsoft release this as "critical"?
The best things in life are free.

Offline doomer

  • Jr. Member
  • **
  • Posts: 29
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #13 on: December 19, 2008, 11:33:51 PM »
Beats me. ;)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32270
  • malware fighter
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #14 on: December 19, 2008, 11:55:18 PM »
Hi Doomer,

Very good observation of yours. So do not take things for granted, and do not trust things at first glance.
Also, there are many selling sites that sell things without https. There are other ways for the cybercriminals to get to the data, like SQL injection etc., but let us also not forget the obvious. Practical examples like the one you gave here are very instructional for the users of this forum section; thank you for posting,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!