SSLFail

SSL Used in Spam

Posted by Tyler on October 12, 2009
SSLFail / No Comments

SANS ISC is reporting that people are receiving spam indicating that a server upgrade is occurring and people will need to manually update their SSL certificates. As if there weren’t already enough problems with SSL.

I have to say, this is interesting and if anyone has any examples of the message (with mail headers) or a valid email link, please share it with me (treguly@thisdomain).


Rogers Webmail SSLFail Follow-up

Posted by Tyler on July 21, 2009
SSLFail / No Comments

A while back we posted a screenshot of the Rogers Webmail SSLFail. I decided to follow up with Rogers to see if they were going to resolve the issue anytime soon. I contacted Rogers and asked if they were going to fix the issue; a couple of days later (July 11th) I received a canned response with no real information:

Dear Tyler,

Thank you for taking the time to write to us, we appreciate your use of
online customer service.

In your recent email, you have informed us that you would like to know
when we will fix an issue with SSL warnings.

Please accept our apologies for any difficulties that you may have
experienced while using Rogers services. Rogers strives for excellence
in customer service and we’re sorry that we did not meet your
expectations. Be assured that we take your concerns very seriously, and
appreciate the feedback that you have provided and this has been sent to
the appropriate group for their review. If you have any further
questions or requests please let us know.

Thank you for contacting Rogers. For additional information please visit
our website at www.rogers.com. You are a valued customer and we thank
you for your business.

For future email correspondence with respect to this e-mail, please
quote reference number XXXXXXXX

I have received no additional communication to let me know whether they will be fixing this issue or not. I’m guessing they don’t take their SSL issues very seriously, as the issue still exists.

As a side note, in order to contact Rogers about a “website issue”, I had to provide an account number. The account 12345679 was accepted, but I couldn’t believe I needed an account number in order to contact them about their website. That’s ridiculous.


Buyer Beware

Posted by Tyler on July 15, 2009
SSLFail / No Comments

I have to say that when I came across this blog post, I just sat there laughing. Then I stopped laughing when I realized what an issue this is: could you imagine if many sites started doing this and people believed that their transactions were “secured” by SSL? Everyone talks about compliance standards, but maybe we need something a little more serious: a way of shutting down sites that do something like this, or at the very least a fine that causes severe monetary impact to their business.

I realize that you can’t police the internet, but individual countries can police companies that operate within their borders, so let’s start there. We simply need someone to bring it up at the G8 meeting; after all, this is much more important than all the discussions on the fictitious issue of global warming. If you require a business permit to operate a business legally and have to pay taxes and abide by laws, subject the companies to additional regulations related to tricking the customer on the web, or not following best practices. It’s that simple.

I’m sure people will argue that it’s impossible to police the internet, which is why you stick to this per-country basis. There will always be malicious sites that dupe the user… that’s unavoidable, but in the countries that can do something… do it. Punish these businesses for malicious actions. Take the example that started this post: slap aferry.co.uk with a $10,000 fine. See if they bypass buying that $10 SSL cert again.

Temporary LinkedIn SSLFail!

Posted by Tyler on July 06, 2009
SSLFail / No Comments

We had an interesting screenshot sent in today from Sheldon (his post on the subject). It appears as though the SSL certificate on LinkedIn expired today and they waited until after the expiration to update their cert, leaving people with SSL errors temporarily. This doesn’t seem like a great way to foster user trust; I’d prefer my sites update their certificates early rather than wait for them to expire. If this was a matter of their forgetting the date and not being ready for the expiration, then I’m really concerned, as that mistake should not happen… especially with a site I trust with so much of my personal information.

[Screenshot: linkedin_expired]


Mixed-Content Warnings == SSLFail!

Posted by Tyler on June 25, 2009
SSLFail / 2 Comments

Jay posted on this previously and we had a brief discussion surrounding it in the comments, but I wanted to bring this up again because I’m really not a fan of it, and I wanted to make sure people are paying attention. Oh yeah and discuss, discuss, discuss — let’s have some chatter :)

I always had two pet peeves about a number of the websites I frequent. First, they frequently required me to whitelist them in NoScript, which I wasn’t a fan of, and second, the SSL versions of the sites often gave large Mixed-Content warnings. These warnings are annoying, distracting and honestly disruptive to the user experience; I’ll be the first to admit that. It seems that some browsers listened to these complaints. I only recently noticed, when visiting my personal blog, that these warnings no longer exist when using Firefox. Sure, if you look in the bottom corner there’s a little red exclamation mark over the lock, but there is none of the full-screen warning that a Domain Mismatch or Self-Signed Cert causes.

ComputerDefense.org via HTTPS

See it there, next to “Fiddler: Disabled”… a tiny little red exclamation mark. That’s all the warning you get. So what do other browsers do? Well, Chrome gives you a slightly bigger, yellowish exclamation mark in the address bar, yet it still allows the content to load. IE, on the other hand, brings up a pop-up (pictured below) asking the user whether they want to load the insecure data or not. It’s not as vocal as it could be, but it’s better than nothing.

IE Pop-up for Mixed-Content

So why am I blogging about this? After all I said they were annoying and distracting and it seems that the browser vendors are removing them. That’s a good thing… isn’t it? Nope, definitely not a good thing.

Let’s think about some of the pages that throw large, screaming, in-your-face type errors. Let’s take two examples, Self-Signed Cert and Domain Mismatch. Now remember that the aim of SSL is two-fold. One is to provide verification of the source of the data; the other is to provide encryption.

Does a Self-Signed Cert provide encryption? Yes.
Does a Certificate with a Domain Mismatch provide encryption? Yes.
Does a site with Mixed-Content provide encryption? Partially.

Does a Self Signed Cert provide site verification? No.
Does a Certificate with a Domain Mismatch provide site verification? No.
Does a site with Mixed-Content provide site verification? Partially.

So Yes + No = In-Your-Face Error
Yet, Partially + Partially = Tiny Little Error in the Corner

I would say that Mixed-Content is more dangerous than both a Self-Signed Cert and a Domain Mismatch, yet those two are treated as the more serious issues. I don’t understand that logic, and I’m not sure that I ever will.


SSL Info in Chrome and some SSLFail

Posted by jgraver on June 16, 2009
SSL Fail Images, SSLFail / 1 Comment

kingthorin pointed us to https://financialcryptography.com
Checking out the site reminded me how cool some of Chrome’s SSL-related info is when visiting an epic SSLFail site.

[Screenshot: chrome_nice]

SSLFail.com Panel at SecTor

Posted by Tyler on May 18, 2009
SSLFail / No Comments

[Screenshot: sector]
I know that we’ve been quiet lately, both here and on our personal blogs. I know, for myself, the last few months have been rather hectic and now that things are starting to quiet down a bit, I’ll finally have time to research, post and play.

In the meantime I wanted to discuss something rather exciting: we submitted an SSLFail.com panel to SecTor and it has been accepted. The details of the panel are still being discussed, but it will prove to be a rather fun and informative session.

This will be the 3rd annual SecTor conference, and I’ve attended both previous conferences; it is a really great time, and I hope to see lots of our readers in the audience and taking part, as we’re hoping for lots of audience participation.

JobScore ssl fails

Posted by romain on April 20, 2009
SSLFail / No Comments

[Screenshot: jobscore]

Thanks to Jim Manico.

Potentially 219K Expired SSL Certs?

Posted by Tyler on February 06, 2009
SSLFail / 2 Comments

Royal Pingdom has a post up mentioning that Netcraft has announced there are now one million sites using SSL. That’s valid certs, trusted by a third party, not expired and where the common name matches the hostname. That’s a far cry from the 3293 found in Netcraft’s first SSL survey.

Does this survey catch everything? Probably not, but it’s most likely a good starting point.

Now, how did Royal Pingdom determine that there are potentially 219K expired certs? They based it on a 2007 survey from Venafi (referenced here) that said 18% of Fortune 1000 websites had expired certificates. They applied that percentage to the Netcraft total and, voila… 219K. They also go on to say that even if you halve that, it’s still 100K websites with expired certificates.

I’d be willing to wager that if the number is off the mark, it’s probably too low rather than too high. I encounter sites all the time with expired certs. Mind you, since we started SSLFail.com, I’ve had a harder time finding them. However, I did happen to stumble across one just the other day, and since we don’t feature screenshots with IE often enough… here you go.

OpenRCE.org Expired SSL
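The two questions the Mixed-Content post above asks (does the page get encryption, does it get site verification?) together with the expired, mismatched and self-signed certs this blog keeps finding, worked into a small checker. This is added example code, not anything from SSLFail.com; it assumes certificates in the dict shape Python’s ssl.getpeercert() returns, treats issuer == subject as the self-signed heuristic, and uses constructed sample inputs.

```python
import ssl
from html.parser import HTMLParser

ACTIVE = {"script", "iframe", "link", "object", "embed"}  # can rewrite the whole page
PASSIVE = {"img", "audio", "video", "source"}             # can only be swapped out

def _name_matches(pattern, hostname):
    """Match one DNS name from the cert against the hostname; '*' covers one label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    return len(p) == len(h) and all(a == "*" or a == b for a, b in zip(p, h))

def cert_findings(cert, hostname, now):
    """Findings for an ssl.getpeercert()-style dict; now is epoch seconds."""
    found = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        found.append("expired")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names += [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    if not any(_name_matches(n, hostname) for n in names):
        found.append("domain_mismatch")
    if cert["issuer"] == cert["subject"]:  # cheap heuristic; real trust needs chain validation
        found.append("self_signed")
    return found

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # sub-resources an HTTPS page pulls over plain HTTP
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("href") if tag == "link" else a.get("src")
        if tag in ACTIVE | PASSIVE and url and url.lower().startswith("http://"):
            self.hits.append(("active" if tag in ACTIVE else "passive", tag, url))

def mixed_content(html):
    s = _Scanner()
    s.feed(html)
    return s.hits  # list of (class, tag, url)

def verdict(findings, hits):
    encryption = "Partially" if hits else "Yes"  # some bytes still travel in the clear
    verification = "No" if findings else ("Partially" if hits else "Yes")
    return encryption, verification

# Constructed sample inputs (not real certificates or pages).
SELF_SIGNED = {"subject": ((("commonName", "webmail.example.net"),),),
               "issuer": ((("commonName", "webmail.example.net"),),),
               "notAfter": "Dec 31 23:59:59 2030 GMT"}
PAGE = ('<head><link rel="stylesheet" href="http://cdn.example.org/s.css"></head><body>'
        '<script src="http://cdn.example.org/a.js"></script><img src="http://img.example.org/p.png">'
        '<a href="http://x.example.org/">x</a><script src="https://cdn.example.org/b.js"></script></body>')
```

Plain links (`<a href>`) are not flagged because following them is a navigation, not a sub-resource load; the active/passive split is what makes a mixed-content page riskier than the post’s “tiny little error” suggests, since an active resource fetched over HTTP can rewrite everything else on the page.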


Blogger mixed content

Posted by romain on January 27, 2009
SSLFail / No Comments

[Screenshot: blogger1]
