Mixed-Content Warnings == SSLFail!

Posted by Tyler on June 25, 2009
SSLFail / 2 Comments

Jay posted on this previously and we had a brief discussion surrounding it in the comments, but I wanted to bring this up again because I’m really not a fan of it, and I wanted to make sure people are paying attention. Oh yeah and discuss, discuss, discuss — let’s have some chatter :)

I’ve always had two pet peeves about a number of the websites I frequent. First, they frequently required me to whitelist them in NoScript, which I wasn’t a fan of, and second, the SSL versions of the sites often gave large Mixed-Content warnings. These warnings are annoying, distracting and honestly disruptive to the user experience; I’ll be the first to admit that. It seems that some browsers listened to these complaints. I was recently reminded, when visiting my personal blog, that these warnings no longer exist in Firefox. Sure, if you look in the bottom corner there’s a little red exclamation mark over the lock, but there’s no full-screen warning like the one a Domain Mismatch or Self-Signed Cert causes.

ComputerDefense.org via HTTPS

See it there, next to Fiddler: Disabled… a tiny red exclamation mark. That’s all the warning you get. So what do other browsers do? Chrome gives you a slightly bigger, yellowish exclamation mark in the address bar, yet it still allows the content to load. IE, on the other hand, brings up a pop-up (pictured below) asking the user whether they want to load the insecure content or not. It’s not as vocal as it could be, but it’s better than nothing.

IE Pop-up for Mixed-Content

So why am I blogging about this? After all, I said they were annoying and distracting, and it seems that the browser vendors are removing them. That’s a good thing… isn’t it? Nope, definitely not a good thing.

Let’s think about some of the pages that throw large, screaming, in-your-face errors. Take two examples: a Self-Signed Cert and a Domain Mismatch. Now remember that the aim of SSL is two-fold. One is to verify the source of the data, the other is to encrypt it (and, with that, to catch any tampering in transit).

Does a Self-Signed Cert provide encryption? Yes.
Does a Certificate with a Domain Mismatch provide encryption? Yes.
Does a site with Mixed-Content provide encryption? Partially.

Does a Self Signed Cert provide site verification? No.
Does a Certificate with a Domain Mismatch provide site verification? No.
Does a site with Mixed-Content provide site verification? Partially.

So Yes + No = In-Your-Face Error
Yet, Partially + Partially = Tiny Little Error in the Corner

With mixed content, the HTTP resources can be read and rewritten by anyone on the network path, and if one of them is a script it runs with the full privileges of the HTTPS page, so the attacker gets the entire page without ever having to touch the certificate. I would say that Mixed-Content is more dangerous than both a Self-Signed Cert and a Domain Mismatch, yet those two have been treated as the more serious issues. I don’t understand that logic, and I’m not sure that I ever will.
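To make the “partially” in the lists above concrete, here is a small Node.js scanner, added here as an example rather than anything from the original post, that pulls the plain-HTTP sub-resources out of an HTTPS page’s HTML and splits them into the loads that hand an on-path attacker code execution in the page (scripts, frames, plugins, stylesheets) and the loads that only let them swap what the user sees (images, media). The tag/attribute table, the active/passive split and the sample page are this example’s own assumptions, not something the post or any browser vendor specifies.

```javascript
// Added example (not code from the SSLFail post): find the HTTP sub-resources that
// make an HTTPS page "mixed content", and separate the ones that can script the
// page from the ones that can only change what the user sees.
//
// The tag/attribute table and the active/passive split are this example's own
// assumptions; they follow the general browser rule that script, frame, plugin and
// stylesheet loads are "active" (attacker gets code in the HTTPS origin) while
// images and media are "passive" (attacker can swap pixels, not run code).

const URL_ATTRS = {
  script: ["src"], iframe: ["src"], frame: ["src"], object: ["data"], embed: ["src"],
  link: ["href"],
  img: ["src"], audio: ["src"], video: ["src", "poster"], source: ["src"], track: ["src"],
};
const ACTIVE_TAGS = new Set(["script", "iframe", "frame", "object", "embed"]);

// Returns [{ tag, attr, url, kind }] for every sub-resource fetched over plain HTTP
// by a page located at pageUrl. Only meaningful when pageUrl itself is https.
function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return [];   // an HTTP page cannot have mixed content
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const names = URL_ATTRS[tag];
    if (!names) continue;                       // <a href> etc. is navigation, not a load
    for (const name of names) {
      // Require whitespace before the name so data-src="..." is not taken for src="...".
      const attrRe = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
      const a = attrRe.exec(attrs);
      if (!a) continue;
      const raw = (a[1] ?? a[2] ?? a[3]).trim();
      let resolved;
      try { resolved = new URL(raw, page); } catch { continue; }  // skip unparsable values
      // Relative and protocol-relative ("//host/x") URLs inherit https: from the page;
      // data:, blob: and https: loads are not mixed content either.
      if (resolved.protocol !== "http:") continue;
      let kind;
      if (tag === "link") {
        // Stylesheets count as active (they control the rendering of the whole page);
        // other link relations such as icons are treated as passive here.
        const rel = /\brel\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
        kind = rel && rel[1].toLowerCase() === "stylesheet" ? "active" : "passive";
      } else {
        kind = ACTIVE_TAGS.has(tag) ? "active" : "passive";
      }
      findings.push({ tag, attr: name, url: resolved.href, kind });
    }
  }
  return findings;
}

// Counts findings by kind; a single "active" hit means the whole page is attacker-controlled.
function summarize(findings) {
  const out = { active: 0, passive: 0 };
  for (const f of findings) out[f.kind] += 1;
  return out;
}

// Constructed sample page, modelled on the blog-over-HTTPS case in the post.
const SAMPLE_HTML = `<!DOCTYPE html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="icon" href="http://cdn.example.com/favicon.ico">
<script src="http://cdn.example.com/jquery.js"></script>
<script src="//cdn.example.com/ok.js"></script>
<script src="/local.js"></script>
</head><body>
<a href="http://www.sslfail.com/">SSLFail</a>
<img src="https://images.example.com/secure.png">
<img src="http://images.example.com/logo.png">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<iframe src='http://ads.example.com/frame'></iframe>
</body></html>`;

const hits = findMixedContent(SAMPLE_HTML, "https://www.example.com/index.html");
console.log(JSON.stringify(summarize(hits)), hits.map(h => `${h.kind}: <${h.tag} ${h.attr}=${h.url}>`));
```

Run against the sample page it reports three active loads (the stylesheet, the jQuery script and the ad iframe) and two passive ones (the favicon and the logo); the protocol-relative script, the relative script, the `https:` image and the `data:` image are correctly left alone. The scanner only sees the static HTML, so resources added later by script, or fetched from inside a stylesheet, will not show up; a real audit needs the browser’s own network log as well. Today’s Firefox and Chrome block active mixed content outright, and a site can ask the browser to fetch the `http:` references over `https:` instead by sending `Content-Security-Policy: upgrade-insecure-requests`.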


SSL Info in Chrome and some SSLFail

Posted by jgraver on June 16, 2009
SSL Fail Images, SSLFail / 1 Comment

kingthorin pointed us to https://financialcryptography.com. Checking out the site reminded me how cool some of Chrome’s SSL-related info is when visiting an epic SSLfail site.

[screenshot: chrome_nice]

SSL Site Check Tool

Posted by jgraver on June 04, 2009
Tools / No Comments

I came across a useful tool on a Dutch Hosting Site: Networking4all SSL Site Check Tool
[screenshot: ssct1]
[screenshot: ssct2]
Try it out
http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=www.cibc.com

SSLFail.com Panel at SecTor

Posted by Tyler on May 18, 2009
SSLFail / No Comments

[image: sector]
I know that we’ve been quiet lately, both here and on our personal blogs. For my part, the last few months have been rather hectic, and now that things are starting to quiet down a bit, I’ll finally have time to research, post and play.

In the meantime I wanted to share something rather exciting: we submitted an SSLFail.com panel to SecTor and it has been accepted. The details of the panel are still being discussed, but it will prove to be a rather fun and informative session.

This will be the 3rd annual SecTor conference. I’ve attended both previous conferences; it is a really great time, and I hope to see lots of our readers in the audience and taking part, as we’re hoping for lots of audience participation.

BofA ssl fails

Posted by romain on April 20, 2009
SSL Fail Images / No Comments

[screenshot: bofa1]

Thanks to Mike A.

JobScore ssl fails

Posted by romain on April 20, 2009
SSLFail / No Comments

[screenshot: jobscore]

Thanks to Jim Manico.

WindowsUpdate SSL fails

Posted by romain on March 17, 2009
SSL Fail Images / No Comments

[screenshot: windows_update]

Thanks to Mike A.

Python SSL MitM Proxy

Posted by Tyler on February 17, 2009
Tools / No Comments

Just a quick post to share that pdp has released a Python SSL proxy. I haven’t had a chance to play with it yet but it definitely looks promising, so I figured I’d share it with everyone.


SSLFail is SSL Enabled

Posted by Tyler on February 16, 2009
Site Related / 2 Comments

Update: A lot of people don’t like the idea of people issuing their own CA certs… I saw some humour in an SSLFail CA cert that wasn’t shared. I also see no reason why SSL certs should be as overpriced as they are (that deserves its own blog post), so I won’t pay for one for a blog. So… install the CA cert at your own risk.

So there have been some comments about SSLFail not having an SSL version. I’ve fixed this today and you can now access SSLFail via https://www.sslfail.com. The CA is SSLFail, so by default you’ll get an error (in Firefox the message will read: ‘The certificate is not trusted because the issuer certificate is unknown.’). The SSLFail certificate is available for download, should you wish to install it.

Should anyone want a cert signed by SSLFail, I’m more than willing to do so… simply email — treguly (at) sslfail (dot) com.


The Middler *FINALLY* Released

Posted by Tyler on February 09, 2009
Tools / No Comments

I really wish I’d been at ShmooCon for this, but getting news of it is more than enough. I first mentioned the Middler when I attended Jay’s talk at SecTor. Following the presentation I had a chance to sit down and discuss the tool further with Jay, and I was really excited that the release was coming “later that day”. Later that day turned into months without any word of an announcement, but that’s over now… the tool is out and it’s very exciting.

Instead of continuing to discuss it myself (I plan a long blog post once I’ve had time to play with the Middler), I’m going to point you to a post on NovaInfosecPortal.com which contains further details. The Middler can be downloaded from the InGuardians website here.
