Comments: Why is this blog secure? Because there is only one mode, and it is secure!

How come it shows as a certificate error in Internet Explorer? A man-in-the-middle attack from www2.futureware.at?

Posted by Peter at June 21, 2008 01:01 PM

For me it is difficult to say, as I know nobody who uses IE so I can't check.

New versions of IE threatened to turn certificates from unrecognised CAs into a solid warning, and not let the session through at all, but I'm not sure if they carried forward with that restriction.

Posted by Iang at June 21, 2008 04:10 PM

The Blogshares image on the right is also on http .. I am gonna keep pissing you off till you move all to http or to HTTPS :P

Also, it seems you have made a cert for www2.futureware.at for this site hahaha .. so I don't think even adding a CACert root cert will solve the issue ... IE is right, Peter! Finally IE is doing it right ...

Posted by anonymous at June 21, 2008 08:42 PM

Blogshares: yeah, I think the idea is that I'm not supposed to copy their logo. I suppose I could and tell them that "anonymous" says it is more secure that way.

The certificate is a SubjectAltNames one, which means it has multiple names in it. In this case the name is shared between a half dozen different sites, you can examine that in the cert.

The real solution for this is TLS/SNI, which is by far the biggest improvement due in TLS because it makes it usable in this situation ... unfortunately we are still waiting on the web servers (Apache httpd, Microsoft IIS) to generate this. So meanwhile we are waiting on that, and maybe Internet Explorer can't handle the SubjectAltName certs?

It was supposed to be able to. I guess I'll hunt around for a techie who has IE and ask him to do some checks on versions to narrow down what has gone wrong with IE.

Posted by Iang at June 22, 2008 07:00 AM
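
The name-matching behaviour discussed in the comment above, as an added example that is not part of the original thread: a client that reads SubjectAltName accepts any listed name, while a client that compares only the subject CN reports a mismatch for the same certificate. The SAN list below is constructed (the page does not show the real one), and trust in the issuing root is a separate check that is not modelled.

```python
# Constructed sample certificate fields. The CN and the blog host come from
# the thread; the full SAN list is an assumption, since the page does not show it.
CERT = {
    "subject_cn": "www2.futureware.at",
    "san_dns": ["www2.futureware.at", "financialcryptography.com",
                "*.example.org"],
}


def _name_match(pattern, host):
    """Compare one certificate name with a host, label by label.

    A '*' is honoured only as the entire leftmost label, and only when at
    least two further labels follow it (so '*.com' never matches).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def matches_san_aware(cert, host):
    """If dNSName entries exist they are authoritative and the CN is ignored."""
    sans = cert.get("san_dns") or []
    if sans:
        return any(_name_match(s, host) for s in sans)
    return _name_match(cert["subject_cn"], host)


def matches_cn_only(cert, host):
    """Behaviour of a client that never looks at SubjectAltName."""
    return _name_match(cert["subject_cn"], host)


def diagnose(cert, host):
    san, cn = matches_san_aware(cert, host), matches_cn_only(cert, host)
    if san and not cn:
        return "name valid via SubjectAltName; CN-only client sees a mismatch"
    if san:
        return "name valid"
    return "name mismatch"


if __name__ == "__main__":
    for name in ("financialcryptography.com", "www2.futureware.at", "other.test"):
        print(name, "->", diagnose(CERT, name))
```
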

>I suppose I could and tell them that "anonymous" says it is more secure that way

My point was I have seen demonstrated attacks in which the user clicks on "show insecure item" in say the Gmail inbox/Yahoo inbox view and his messages are cracked/mails sent in his name etc. So as a matter of practice I encourage people not to click on that button.

I don't think there is anything particularly wrong in IE, it also says that Root Cert is untrusted (same as Firefox), I just can't find the UI to add an exception. I think both IE and Firefox detect SubjectAltNames (although I don't seem able to! :) )

And btw, I have heard another tip recommended for security. Use another Firefox profile for say banking, PayPal, credit card info... and a different profile for day-to-day surfing. This reduces the attack surface even more as your cookies etc. all are inaccessible from the day-to-day profile.


Posted by anonymous at June 22, 2008 08:09 PM

But it is not only one mode.

http://financialcryptography.com/ should generate a 301, but fails to do so.

http://financialcryptography.com/ fails to redirect to https://financialcryptography.com/

Posted by James A. Donald at June 23, 2008 03:56 AM

Hey Jim, yes, clearly the blog completely and utterly fails to actually reach "one mode". That's mostly a reflection of the difficulty of doing secure browsing and indeed this is the message: those who believe in "secure browsing" should reflect that it is extremely difficult, and a false god. Indeed, I could do all those things suggested, and there would still be problems, serious problems that I could never fix.

I do not intend to spend my life trying to rectify this blog... for that once-in-a-lifetime expenditure, I prefer to rectify something important. The question I have to wrestle with is whether the HTTPS experiment does more damage to spreading the word than it is worth?

Especially as we are now moving into a period where IE might actively promote against FC. Do I desire to be the martyr?

Posted by Iang at June 23, 2008 08:53 AM

Firefox 3.0 makes it difficult and scary for anybody to read your blog via the https:// links.

Posted by Brian Smith at June 23, 2008 04:32 PM

This is an eye opener. I never understood that this vulnerability existed. But this post explained the points in layman's language that I can easily relate to. Thanks for sharing.

Posted by Naijaecash at June 30, 2008 03:50 AM