Proper response to web browser security warning (newbie)


Michael

Oct 28, 2011, 10:06:44 AM
to SANS Internet Storm Center / DShield
Hi,

I need some help in telling a friend what to do in response to an SSL
certificate warning from a web browser. I am very computer literate,
but basically a newbie when it comes to security. Here is what my
friend said:

"Quick question for you… I keep getting the following message when I
log into my Yahoo Sports account to check my fantasy football stats.
Here is what it says:


pclick.internal.yahoo.com:443 uses an invalid security certificate.

The certificate is only valid for click.yahoo.com

(Error code: ssl_error_bad_cert_domain)

This could be a problem with the server's configuration or it could be
someone trying to impersonate the server.
If you have connected to this server successfully in the past the
error may be temporary and you can try again later.

Any idea what this means? It doesn't happen on any other site. Just
this one."

What is the proper response to a browser warning like this? I've read
a little and am wondering if this is benign or a man-in-the-middle
attack. I basically "punted" on the issue (pardon the pun) and asked
him to check with Yahoo, but does anyone know what's going on here?
If one actually needs to install the Yahoo SSL security certificates
into Safari, whom do you have to contact?


Thanks for your help.

Michael


Zijyfe Duufop

Oct 28, 2011, 10:32:57 AM
to iscds...@googlegroups.com
Ok. I'm not a security expert, but as far as I know, here's what's going on:

The good news is, you don't have to worry about installing SSL
certificates; they come with the browser. (If they didn't, that would
defeat the point, because anyone could ask you to download a
certificate for, say, google.com, when it really is for a malicious
site. It's kind of complicated...)

From what it looks like, your friend got an email notifying him about
something, and telling him to click on a link for more information.
The link, fortunately, was secure, because the website was indeed
fake. My advice: have him type 'yahoo.com' into his address bar and
follow the links there, rather than following the link in the email.

If I have made an error, I wouldn't mind a bit of correction, but I
think that's about it.

Zijyfe Duufop.


Mason Pokladnik

Oct 28, 2011, 10:36:04 AM
to iscds...@googlegroups.com
Michael,
The error is exactly as the message states. When you create an SSL certificate, you give it a Subject Name which is intended to match the DNS entry at which that machine will be found. In order for your browser to be happy with a certificate, it has to be a valid certificate chain (meaning it was signed by a certificate authority that your browser trusts, including any intermediate certificates), the date has to be valid (there is a "not valid before" date and an "expiration" date), and the name on the certificate must match the name of the server you are connecting to. The bad cert domain error indicates that your friend connected to a server over SSL with the name pclick.internal.yahoo.com, and the certificate that the server used to identify itself was issued for click.yahoo.com. Since the names don't match, it generates an error. It is most likely a configuration error on Yahoo's side. However, to be positive you would have to look at the server certificate.
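The three checks listed above (trusted chain, validity dates, name match), as an added example that is not part of the thread: a constructed dictionary stands in for the parsed X.509 fields, the chain-signature verification is assumed to have already run, and the hostname match follows the browser rule that a wildcard covers only the leftmost label. The only error code taken from the thread is ssl_error_bad_cert_domain; the other two labels are made-up placeholders.

```python
from datetime import datetime, timezone

# Constructed stand-in for the certificate in the thread: issued for
# click.yahoo.com but presented by a host reached as pclick.internal.yahoo.com.
# "chain_trusted" stands for a CA signature check assumed to have passed already.
SAMPLE_CERT = {
    "subject_cn": "click.yahoo.com",
    "san_dns": ["click.yahoo.com"],
    "not_before": datetime(2011, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2012, 1, 1, tzinfo=timezone.utc),
    "chain_trusted": True,
}
THREAD_DATE = datetime(2011, 10, 28, tzinfo=timezone.utc)  # when the question was asked
AFTER_EXPIRY = datetime(2013, 1, 1, tzinfo=timezone.utc)   # constructed later date


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact, or a single '*' covering the leftmost label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # *.yahoo.com must not match a.b.yahoo.com (label count) nor act as a bare "*.com".
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Browsers check subjectAltName; the subject CN is only a fallback when SAN is absent."""
    return cert["san_dns"] or [cert["subject_cn"]]


def check_certificate(cert: dict, hostname: str, now: datetime) -> str:
    """Return 'ok' or the first failing check, in the order the post lists them.

    Only ssl_error_bad_cert_domain is the real Firefox code from the thread;
    the other two labels are descriptive placeholders.
    """
    if not cert["chain_trusted"]:
        return "untrusted_issuer"
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return "outside_validity_period"
    if not any(name_matches(n, hostname) for n in cert_names(cert)):
        return "ssl_error_bad_cert_domain"
    return "ok"
```

Calling `check_certificate(SAMPLE_CERT, "pclick.internal.yahoo.com", THREAD_DATE)` reproduces the warning from the original message, while the same certificate passes for `click.yahoo.com`.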

Josh Michaels

Oct 28, 2011, 10:36:12 AM
to iscds...@googlegroups.com
-Reposting-
Michael,

Check out:

http://support.mozilla.com/en-US/kb/Secure%20Connection%20Failed

What it means is that the certificate does not match the site he is going to:

He's going to: pclick.internal.yahoo.com
But the server (yahoo) is giving a certificate for: click.yahoo.com

A lot of sites have this issue, where they buy a single cert but then use it to secure multiple domains, which is not a good way to do it.

Josh


Valdis.K...@vt.edu

Oct 28, 2011, 11:42:54 AM
to iscds...@googlegroups.com
On Fri, 28 Oct 2011 10:32:57 EDT, Zijyfe Duufop said:

> The good news is, you don't have to worry about installing ssl
> certificates; they come with the browser. (If they didn't, that would
> defeat the point, because anyone could ask you to download a
> certificate for, say, google.com, when it really is for a malicious
> site. It's kind of complicated...)

The bad news is, you don't have to worry about installing SSL CA
certificates, they come with the browser. ;)

Seriously, your browser probably trusts like 600+ different certification
authorities - to issue certs for *anything*. So if some CA in Mozambique gets
pwned, and the miscreants issue themselves a cert for www.google.com, your
browser will believe it. (Yes, DigiNotar, I'm looking at you ;)

Zachary Hanna

Oct 28, 2011, 12:25:51 PM
to iscds...@googlegroups.com
Can you get some further info from him, such as the IP he is getting for yahoo, and his source ip?
Also, the source of the page that is giving the warning would be helpful.
Email me off list
-zachary
Sent from my rotary phone...


Richard Damon

Oct 28, 2011, 11:45:06 AM
to iscds...@googlegroups.com
On 10/28/11 10:32 AM, Zijyfe Duufop wrote:
> Ok. I'm not a security expert, but as far as I know, here's what's going on:
>
> The good news is, you don't have to worry about installing ssl
> certificates; they come with the browser. (If they didn't, that would
> defeat the point, because anyone could ask you to download a
> certificate for, say, google.com, when it really is for a malicious
> site. It's kind of complicated...)
>
Not quite right, there is no way that your browser could possibly come
with all the needed SSL certs. What it does come preinstalled with is a
bunch of "trusted" certs for organizations that will sign SSL certs so
that the browser knows that it can trust them. There are also other
agencies that might sign certs, and to use certs signed by these
agencies, you will need to download them and install them. There are
also "self-signed" certs, for which the browser will give a warning that it is
unable to verify the identity of the signer, but if you allow it to go on,
as long as it was the real site you started at, you will now be talking
with encryption and protection from a later man-in-the-middle attack.

The original error wasn't related to not being able to verify the cert,
but that it was for the wrong domain. The cert given said it was for
"click.yahoo.com", but the data was for a different domain
("pclick.internal.yahoo.com"). This is very likely a coding/config issue
on the server, as it hasn't been given the right cert for the page, or,
given the nature of the URL, the page is coming from the wrong place
(the "internal" in the URL makes me think something wasn't moved from a
development server, or at least a link wasn't updated).

--
Richard Damon

Curt Purdy

Oct 28, 2011, 2:23:54 PM
to iscds...@googlegroups.com
I think the important take-away here, Valdis, is that newbie or not, you need not fear the browser message, as it is either occurring from a private CA, a temporary glitch in the cert, or a script-kiddie site, since any decent hacker would have a forged/stolen cert. The best recommendation I could give is to stay off windoze and definitely stay off IE (though I will admit 9 is a great improvement over previous versions).

But with the possibility of drive-bys hitting anybody anywhere running anything, I do all my browsing with FF running minimal extensions (can you say NoScript) on an Ubuntu VM running on my Mac :) And even though, being in infosec, I am a professional paranoid, I still sleep well at night.

Curt Purdy CISSP GSNA GSEC MCSE+I CCNA
info...@gmail.com
pu...@tecman.com

Ziots, Edward

Oct 28, 2011, 3:09:01 PM
to iscds...@googlegroups.com

I have to agree: if I am browsing with IE, it's definitely sandboxed, but I also use FF on Windoze with NoScript (and have FF sandboxed as well).

Sincerely,

EZ

Edward E. Ziots
CISSP, Network+, Security+
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

Zijyfe Duufop

Oct 31, 2011, 8:55:29 AM
to iscds...@googlegroups.com
Thank you all very much for correcting me. As I said, I am not an expert, so this was a learning experience for me. Hopefully, I will not make the same mistake(s) in the future.

MJL

Oct 29, 2011, 3:19:12 PM
to SANS Internet Storm Center / DShield
The best answer to your question would be to get more information
*before* visiting the web site. You could use a reputation service
such as Norton's "Norton Safe Web", wepawet, or anubis, to check the
site if it does not require a login. Norton Safe Web and some other
reputation services also can be integrated with web browsers to
automatically perform some of the analysis while browsing.

http://wepawet.iseclab.org/
http://anubis.iseclab.org/
http://safeweb.norton.com/

There is no single correct answer regarding the bad certificate - the
certificate errors need to be examined on a case-by-case basis. It
can be a misconfiguration on the web site, but to assume this would be
irresponsible - the whole purpose of the certificate authentication is
to validate the web site, so these errors should not be ignored - the
initial response should be that the web site should not be accessed
until the reason for the certificate error is known.

Contacting the Yahoo webmaster and notifying Yahoo of the problem is a
good idea - they might already be aware of the problem, or they might
be thankful to find out about the misconfiguration or that their site is
being spoofed. I'd guess from the name that pclick.internal.yahoo.com
is probably not supposed to be publicly available, but that's just a
guess.

When I browse to https://pclick.internal.yahoo.com, I get a correct
valid certificate for pclick.internal.yahoo.com - maybe they fixed
it. All I can say is I don't get the same cert your friend got, which
is a bit suspicious, but something within that site might redirect to
click.yahoo.com. I cannot get any response from https://click.yahoo.com
but it appears to redirect to a yahoo.net IP.

Often these problems go away quickly - I often just kill the browser
and try again in a day or so and let someone else deal with it, but
reporting it to the web site owner is great if you have the time. Be
sure to include as many details as possible when reporting it so that
they can isolate the problem.

Hayes, Virgil

Oct 28, 2011, 3:35:54 PM
to iscds...@googlegroups.com

Another decent tip for browsers (I prefer Firefox in private browsing mode) along with NoScript is KeyScrambler. For everyday Windows stuff I use them. Anything more rigorous I would certainly use Sandboxie or a VirtualBox image. Just contributing to the length of the emails.

Regards,

Virgil Hayes, CISM, CRISC, PCI ISA
Corporate Information Security Manager
Collective Brands Incorporated

Michael

Nov 3, 2011, 1:21:19 PM
to SANS Internet Storm Center / DShield
Hi again,

I just wanted to make a few quick points:

(1) Thanks everyone for your help! It's always so interesting to me
how much a seemingly "simple" question can generate a lot of different
responses!

(2) I didn't think of this earlier, but probably should have
explicitly mentioned that my friend is using a Mac with Lion 10.7.2
installed. I don't think that makes much of a material difference in
this case, but...

(3) In considering this, I don't think most of you mentioned too much
about the DNS side of things. Isn't it fully possible to have a valid
certificate chain and still not be at the site where you think you
are? Should I be losing any sleep over this possibility?

(4) I apologize for the delayed update, and I know this is off topic,
but we just got electric power back after four days here in
Connecticut, USA after a freak early winter storm! I hope everyone is
staying warm and dry...the whole state is still about 45% out of
power!

Michael