Topic: Do not any longer ignore certification browser pop-ups and warnings!


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 32816
  • malware fighter
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #30 on: December 25, 2008, 02:09:03 AM »
Hi darth_mikey,

Yes, it is a nice add-on, Perspectives; it sits there in the background until something smells fishy, and then immediately gets into action. I also have to admit that WOT alerting is rather reasonable in this respect.
But just imagine, as I was reading here a while ago, that you're downloading from a site with the wrong certificate, and the downloads matter. What havoc that can bring!

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Darth.Mikey

  • Super Poster
  • Posts: 1586
  • You are unwise to lower your defenses!
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #31 on: December 25, 2008, 02:16:51 AM »
Quote
Hi darth_mikey,

Yes, it is a nice add-on, Perspectives; it sits there in the background until something smells fishy, and then immediately gets into action.

But will it smell something fishy when the certificate has been recognized as legitimate since it was issued by Comodo?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 32816
  • malware fighter
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #32 on: December 25, 2008, 02:27:22 AM »
Hi Miha,

Go to Authorities in the Perspectives console; there is Comodo. I did not give it a +, so no authoritative certificates for me in this case, and no bypassing there; it stays on -.

Damian



Offline SpeedyPC

  • Avast Evangelist
  • Massive Poster
  • Posts: 3303
  • Avast shall conquer the whole world
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #33 on: December 25, 2008, 12:29:21 PM »
Quote
C'mon guys... it's Christmas time ;)

Christmas?  what is Christmas...????..............are you talking about the polonus security if Christmas ;D
ASUS G75VX-T4153H - Avast Premium v20.9.2437 - Avast SecureLine VPN - Avast Secure Browser - Avast Driver Updater - W8.1 64bit - Firefox 64bit - Thunderbird 64bit - MBAM Premium - Adguard Premium - CryptoPrevent Premium - Privacy Eraser - MCShield - WinPatrol PLUS - Macrium Reflect Home Edition

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67274
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #34 on: December 25, 2008, 01:14:58 PM »
Quote
Christmas?  what is Christmas...????..............are you talking about the polonus security if Christmas ;D
No, I was just trying to make people relax, take it easy, enjoy the forums, specially in this season.
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 32816
  • malware fighter
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #35 on: December 30, 2008, 04:34:24 PM »
Hi malware fighters,

Who told me that the news in this thread is not current? It is, and at this very moment SSL certificates with MD5 hash encryption have been broken by researchers: http://events.ccc.de/congress/2008/wiki/Streaming
Researchers have found a hole in the Internet Public Key Infrastructure (PKI) that is used to issue SSL certificates for websites, e.g. by RSA Data Security, Thawte, VeriSign and RapidSSL.
The attack could be performed with 200 Sony PlayStation 3 consoles. The certificate was provided by a CA trusted by all websites; later one uses an "intermediary CA certificate" to sign other certificates that the researchers want to issue. While the MD5 hashes of the legit and the malicious certificates are identical, one can copy the malicious signature onto the legit one, so that it stays a valid one. Researchers predict that SHA-1 will be next to be hacked; it is just a question of time. This will give phishing an enormous boost. Be afraid, be very afraid. Perspectives stays inside my browser, as does a special list in my Firekeeper extension,

polonus

P.S. What measures should be taken now by browser makers? Among the measures this group of researchers is advocating are disabling the use of MD5 signatures, blacklisting rogue certificates, and the required use of more robust cryptographic hashes such as SHA-2 and, when ready, SHA-3. Here are Giorgio Maone's musings on the issue: http://hackademix.net/2008/12/30/putting-ssl-in-perspectives/


Damian
« Last Edit: December 30, 2008, 10:19:13 PM by polonus »
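The signature-copy step of the 25C3 attack that the post above describes, shown with a worked example. This is an added illustration, not code from the thread or from the researchers: the colliding bytes are the published MD5 collision pair of Wang et al., while the "CA" key (textbook RSA over two fixed Mersenne primes, no padding), the TBS layout and the field names in the trailer are toys constructed for this example. The published pair is an identical-prefix collision, so the two bodies here must begin with the colliding block and share everything after it; the 2008 team used a chosen-prefix collision, which is what let their two certificates also differ in the leading fields (a website certificate versus a CA certificate). The transfer mechanics are the same: the CA signs only the hash, so with MD5 one signature is valid for both bodies, and the same experiment with SHA-256 shows why the researchers asked for MD5 to be dropped.

```python
"""Why an MD5 collision lets a CA signature be copied between two certificate
bodies. A signature covers only the hash of the to-be-signed (TBS) bytes, so
two TBS blobs with the same MD5 share one valid signature.

The colliding bytes are the published MD5 collision pair of Wang et al.; the
"CA" key, the TBS layout and the field names are toys constructed for this
example (textbook RSA, no padding, small fixed primes: never use as-is).
"""
import hashlib

# Published MD5 collision pair: two different 128-byte inputs, one digest.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70")
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70")

# Toy CA key: textbook RSA from two Mersenne primes (constructed, insecure).
_P, _Q = (1 << 127) - 1, (1 << 521) - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))

def ca_sign(tbs: bytes, digest: str) -> int:
    """Sign hash(tbs) with the CA key; digest is 'md5' (what CAs did in 2008) or 'sha256'."""
    h = int.from_bytes(hashlib.new(digest, tbs).digest(), "big")
    return pow(h, D, N)

def ca_verify(tbs: bytes, sig: int, digest: str) -> bool:
    """What a browser does: recompute hash(tbs) and compare with the recovered signature value."""
    h = int.from_bytes(hashlib.new(digest, tbs).digest(), "big")
    return pow(sig, E, N) == h

# Constructed TBS layout: the colliding block first (the published pair is an
# identical-prefix collision, so both bodies must start with it), then a shared
# trailer. MD5 is iterated block by block, so once both inputs reach the same
# internal state, identical trailing bytes keep the digests identical.
TRAILER = b"|issuer=Toy Root CA|serial=4242|notAfter=2009-12-31|"
TBS_SUBMITTED = BLOCK_A + TRAILER   # the body the CA was asked to sign
TBS_ROGUE = BLOCK_B + TRAILER       # the body the attacker actually uses

def signature_transfers(digest: str) -> dict:
    """Sign the submitted body, then check whether that signature verifies the rogue body."""
    sig = ca_sign(TBS_SUBMITTED, digest)
    same_hash = hashlib.new(digest, TBS_SUBMITTED).digest() == hashlib.new(digest, TBS_ROGUE).digest()
    return {
        "bodies_differ": TBS_SUBMITTED != TBS_ROGUE,
        "hash_equal": same_hash,
        "verifies_submitted": ca_verify(TBS_SUBMITTED, sig, digest),
        "verifies_rogue": ca_verify(TBS_ROGUE, sig, digest),
    }

if __name__ == "__main__":
    for digest in ("md5", "sha256"):
        r = signature_transfers(digest)
        print(f"{digest}: hash_equal={r['hash_equal']}, signature also verifies rogue body={r['verifies_rogue']}")
```

Running it prints one line per digest: with md5 the signature made over TBS_SUBMITTED also verifies TBS_ROGUE, with sha256 it does not. Nothing about RSA is broken here; the weakness is entirely in the hash that the signature covers.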

Offline Darth.Mikey

  • Super Poster
  • Posts: 1586
  • You are unwise to lower your defenses!
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #36 on: December 30, 2008, 05:35:34 PM »
LOL! What an interesting use of those PS3 consoles. ;D

So what you're saying here is we are basically s****d?? No way of telling which certificate really is the legit one. I wonder what the response from CA, RSA, VeriSign and co. will be. This is getting interesting.

Offline Darth.Mikey

  • Super Poster
  • Posts: 1586
  • You are unwise to lower your defenses!
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #37 on: December 30, 2008, 06:03:20 PM »
Some more links ... ;)

http://events.ccc.de/congress/2008/Fahrplan/track/Hacking/3023.en.html
http://www.phreedom.org/research/rogue-ca/md5-collisions-1.0.ppt

http://www.phreedom.org/research/rogue-ca/
Quote
We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • Posts: 44541
  • 60 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #38 on: December 30, 2008, 06:55:05 PM »
This certainly isn't good news.
Until a patch or something else is available, purchasing anything online could really put you at risk.
2009 could be a very, very dangerous year indeed.  >:(
Free avast! Security Seminar: http://bit.ly/2N1eaR2  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 10 Pro v20H2 64bit, 24 Gig Ram, 1TB SSD, AvastOmni 20.7.xxx, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 32816
  • malware fighter
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #39 on: December 30, 2008, 09:18:28 PM »
Hi bob3160,

That does not have to be so. But banks and webshops make use of the mentioned certificates. These websites are recognizable by the https in the address bar.
The congress speakers made clear, however, that the hole is not inside the SSL protocol itself but in the surrounding infrastructure that is used to issue certificates for a secure website. The researchers did not go over every detail of the exploit, to prevent criminal abuse, but warn that people in the know could crack the system within a month's time.

Despite the fact that the security of SSL certification is known to be "weak", the coding system is still very much in use. The first signals that something was wrong with these techniques came as early as 2005. In 2007 advice was given to change over to more secure systems. Nothing happened then. The researchers wanted to demonstrate that it is really time now for Certification Authorities to put another kind of signature on their certificates. Browser developers will also have to clean up their act to make the situation more secure.

In light of the SSL certificate issue, there is another option: in Firefox you can install an add-on named "Show IP". When the certificate is OK but the IP address is not, there may be something really wrong!
https://addons.mozilla.org/en-US/firefox/addon/590


polonus

Networking4all already has a super tool on their website which also tells you what algorithm has been used for all certificates in the chain!

https://www.networking4all.com/nl/helpdesk/tools/site+check/
« Last Edit: December 31, 2008, 12:27:36 AM by polonus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 32816
  • malware fighter
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #40 on: December 31, 2008, 06:20:45 PM »
Hi malware fighters,

Here you can find the instructions for the correct installation of the Perspectives add-on in Firefox, which will protect you against manipulated SSL certificates; follow the instructions given here by Giorgio Maone, the developer of the unique extension NoScript: http://hackademix.net/2008/12/30/putting-ssl-in-perspectives/

In light of the new CA issues and the use of Perspectives, I would like to make the following comments:
First and foremost, I use Perspectives with the recommended settings as given by Giorgio Maone.
I also relaunched the Netcraft toolbar; download it here: https://addons.mozilla.org/en-US/firefox/addon/1326
I am not a fan of any toolbar as such (not all are friendly, to say the least). The Web Developer toolbar I tossed aside. This Netcraft toolbar has not let me down once, and together with the ShowIP add-on I have a better understanding of where I am going with the browser. To further enhance my in-browser security I have some pre-link checking installed there: Finjan in combination with searching via Scandoo.com (I allowed that partially in NoScript), and for individual pre-link checking, Dr.Web's AV link checker plug-in: https://addons.mozilla.org/en-US/firefox/addon/938
An additional site check can be found here: https://www.networking4all.com/nl/helpd ... ite+check/ Just put in any URL, like http://www.networking4all.com, to check the installed SSL certificate.

polonus
« Last Edit: January 01, 2009, 06:56:48 PM by polonus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32816
  • malware fighter
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #41 on: January 02, 2009, 03:10:02 PM »
Hi malware fighters,

What is your opinion about this just-released SSL Blacklist add-on:
http://www.codefromthe70s.org/sslblacklist.aspx
Is this adding to our security, or just overkill if we have NoScript and Perspectives with the right settings?
According to me it just adds to a feeling of false alarm when it meets MD5 SSL certificates,

polonus
« Last Edit: January 02, 2009, 03:14:02 PM by polonus »
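The check that the Networking4all site-check tool (reply #39) and the SSL Blacklist add-on (reply #41) perform, written out as a standard-library-only Python script. This is an added example, not code from the thread, from Networking4all or from the add-on: it walks just enough of the DER encoding of an X.509 Certificate to read the outer signatureAlgorithm and the inner tbsCertificate.signature of every certificate in a chain, maps the OIDs to names, and flags MD5 and SHA-1. The chain fed to it at the bottom is a constructed skeleton (correct field order, dummy serial, empty issuer, zero-filled signature) so the script runs offline; it is not a valid certificate. Real DER, for instance ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443))) for a site's leaf certificate, parses the same way.

```python
"""Report the signature algorithm of every certificate in a chain and flag the
weak ones (MD5, SHA-1). Standard library only: a minimal DER walker reads just
the two AlgorithmIdentifier fields of an X.509 Certificate. The sample chain
is a constructed skeleton (real field order, dummy contents, no real keys)."""

# Signature-algorithm OIDs (PKCS#1 and RFC 5758 values) and the names they denote.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}

def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(contents: bytes) -> list:
    """Split a SEQUENCE's contents into a list of (tag, contents) elements."""
    out, pos = [], 0
    while pos < len(contents):
        tag, value, pos = read_tlv(contents, pos)
        out.append((tag, value))
    return out

def decode_oid(value: bytes) -> str:
    """OBJECT IDENTIFIER contents to dotted form (first byte encodes 40*a + b)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithms(cert_der: bytes) -> dict:
    """Names of the outer signatureAlgorithm and the inner tbsCertificate.signature."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    (tbs_tag, tbs), (alg_tag, alg), (sig_tag, _sig) = children(cert)
    if (tbs_tag, alg_tag, sig_tag) != (0x30, 0x30, 0x03):
        raise ValueError("unexpected Certificate field tags")
    # tbsCertificate: [0] version (optional), serialNumber, signature AlgorithmIdentifier, ...
    tbs_fields = children(tbs)
    if tbs_fields[0][0] == 0xA0:
        tbs_fields = tbs_fields[1:]
    outer = decode_oid(children(alg)[0][1])
    inner = decode_oid(children(tbs_fields[1][1])[0][1])
    outer, inner = SIG_OIDS.get(outer, outer), SIG_OIDS.get(inner, inner)
    return {"outer": outer, "inner": inner, "weak": outer in WEAK or inner in WEAK,
            "mismatch": outer != inner}     # RFC 5280 requires the two fields to agree

def audit_chain(chain_der: list) -> list:
    """Leaf-to-root report. A self-signed root's own signature is not what a browser
    relies on, but an MD5- or SHA-1-signed leaf or intermediate makes the chain forgeable."""
    report = []
    for i, der in enumerate(chain_der):
        info = signature_algorithms(der)
        info["position"] = "leaf" if i == 0 else ("root" if i == len(chain_der) - 1 else f"intermediate-{i}")
        report.append(info)
    return report

# --- constructed sample input (not a valid certificate) -----------------------
def _der(tag: int, contents: bytes) -> bytes:
    n = len(contents)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + contents

def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def fake_cert(sig_oid: str, tbs_sig_oid: str = None) -> bytes:
    """Certificate skeleton with real field order and dummy contents."""
    alg_id = lambda oid: _der(0x30, _der(0x06, _encode_oid(oid)) + b"\x05\x00")
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))     # [0] version: v3
                     + _der(0x02, b"\x01")               # serialNumber
                     + alg_id(tbs_sig_oid or sig_oid)    # signature (must equal the outer one)
                     + _der(0x30, b""))                  # issuer Name (empty placeholder)
    return _der(0x30, tbs + alg_id(sig_oid) + _der(0x03, b"\x00" * 65))   # BIT STRING signature

def demo() -> list:
    """Chain shaped like the 2008 rogue-CA case: an MD5-signed intermediate."""
    return audit_chain([fake_cert("1.2.840.10045.4.3.2"),     # leaf
                        fake_cert("1.2.840.113549.1.1.4"),    # rogue intermediate, MD5-signed
                        fake_cert("1.2.840.113549.1.1.5")])   # root, SHA-1 self-signature

if __name__ == "__main__":
    for e in demo():
        print("WEAK" if e["weak"] else "ok  ", e["position"], e["outer"], "MISMATCH" if e["mismatch"] else "")
```

A mismatch between the two algorithm fields is reported as well: RFC 5280 requires them to be equal, and a certificate where they differ deserves the same suspicion as an MD5-signed one. The warning the add-on raises on legitimate sites is the same signal this script gives: a chain that contains an MD5 signature is forgeable whether or not the certificate in front of you is the forged one, so the alert is about the issuer's practice, not about that particular site.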

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 32816
  • malware fighter
Re: Do not any longer ignore certification browser pop-ups and warnings!
« Reply #42 on: January 05, 2009, 05:36:13 PM »
Hi malware fighters,

According to this man it is time to bury SSL altogether.
re: http://blogs.securiteam.com/index.php/archives/1228

The problem with SSL is that checking someone's identity is a futile business now. In the past it could take quite some time before a firm was issued a certificate, but times have changed in this respect.

"Today it is not easy to prove who "you" are. Firms have various websites for various purposes, and it is not easy to withhold a certificate on the same grounds. But the situation is even worse: SSL certificates are abused to such an extent that users seemingly do not care any longer."
Aviram notes that for the larger part users ignore CA error messages.

"SSL certificates are broken, and have been so for a long time, not because of an ingenious attack. The fact that there is an effective crypto attack can only help to finally bury this relic and help towards another solution being found."

polonus