The good news is, you don't have to worry about installing SSL
certificates - they come with the browser. (If they didn't, that would
defeat the point, because anyone could ask you to download a
certificate for, say, google.com, when it really is for a malicious
site. It's kind of complicated...)
From what it looks like, your friend got an email notifying him about
something, and telling him to click on a link for more information.
The link, fortunately, was secure, because the website was indeed
fake. My advice: have him type 'yahoo.com' into his address bar and
follow the links there, rather than following the link in the email.
If I have made an error, I wouldn't mind a bit of correction, but I
think that's about it.
Zijyfe Duufop.
> --
> To unsubscribe from this group, send email to
> iscdshield+...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/iscdshield?hl=en
>
Check out:
http://support.mozilla.com/en-US/kb/Secure%20Connection%20Failed
What it means is that the certificate does not match the site he is going to:
He's going to: pclick.internal.yahoo.com
But the server (yahoo) is giving a certificate for: click.yahoo.com
A lot of sites have this issue, where they buy a single cert, but then use it to secure multiple domains, which is not a good way to do it.
Josh
Zijyfe Duufop.
> "Quick question for you. I keep getting the following message when I
> The good news is, you don't have to worry about installing SSL
> certificates - they come with the browser. (If they didn't, that would
> defeat the point, because anyone could ask you to download a
> certificate for, say, google.com, when it really is for a malicious
> site. It's kind of complicated...)
The bad news is, you don't have to worry about installing SSL CA
certificates, they come with the browser. ;)
Seriously, your browser probably trusts like 600+ different certification
authorities - to issue certs for *anything*. So if some CA in Mozambique gets
pwned, and the miscreants issue themselves a cert for www.google.com, your
browser will believe it. (Yes, DigiNotar, I'm looking at you ;)
The original error wasn't related to not being able to verify the cert,
but that it was to the wrong domain. The cert given said it was for
"click.yahoo.com", but the data was for a different domain
("pclick.internal.yahoo.com"). This is very likely a coding/config issue
on the server, as it hasn't been given the right cert for the page, or,
given the nature of the url, the page is coming from the wrong place
(the "internal" in the url makes me think something wasn't moved from a
development server, or at least a link wasn't updated).
--
Richard Damon
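The name check discussed in the replies above, as an added example that is not part of any message in the thread: a simplified version of the host name matching a browser performs after the certificate chain has already verified. The two host names come from the thread; the wildcard and multi-name certificates are constructed for illustration.

```python
# Simplified DNS-name matching in the style of RFC 6125. Real clients add
# more rules (IDNA, IP-address names, public-suffix limits on wildcards).

def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")

def name_matches(pattern, host):
    """True if one DNS name from a certificate covers the requested host."""
    p, h = _labels(pattern), _labels(host)
    if "" in p or "" in h or len(p) != len(h):
        # A wildcard stands for exactly one label, so label counts must agree.
        return False
    if p[0] == "*":
        # Wildcard must be the whole left-most label with >= 2 labels after it.
        return len(p) >= 3 and "*" not in ".".join(p[1:]) and p[1:] == h[1:]
    # Partial wildcards such as "p*.example.com" are rejected outright.
    return "*" not in pattern and p == h

def check_host(host, cert_dns_names):
    """Return (ok, reason) for a host against all DNS names in a cert."""
    for name in cert_dns_names:
        if name_matches(name, host):
            return True, f"{host} is covered by {name}"
    return False, f"{host} is not covered by {sorted(cert_dns_names)}"

# Constructed cases; only the first pair of names appears in the thread.
CASES = [
    ("pclick.internal.yahoo.com", ["click.yahoo.com"]),       # thread's error
    ("click.yahoo.com", ["click.yahoo.com"]),                 # exact match
    ("pclick.internal.yahoo.com", ["*.yahoo.com"]),           # too many labels
    ("pclick.internal.yahoo.com",
     ["click.yahoo.com", "*.internal.yahoo.com"]),            # multi-name cert
]

if __name__ == "__main__":
    for host, names in CASES:
        ok, reason = check_host(host, names)
        print("OK  " if ok else "FAIL", reason)
```

The third case shows why a single wildcard certificate would not have fixed the error in the thread: `*.yahoo.com` covers one label only, so `pclick.internal.yahoo.com` still fails.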
I have to agree, if I am browsing with IE, it's definitely sandboxed, but also use FF on Windoze with no-script. (But also have FF sandboxed also)
Sincerely,
EZ
Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Cell:401-639-3505
--
Another decent tip for browsers (I prefer Firefox in private browsing mode) along with NoScript is KeyScrambler. For everyday Windows stuff I use them. Anything more rigorous I would certainly use Sandboxie or a VirtualBox image. Just contributing to the length of the emails. :)
Regards,
Virgil Hayes, CISM, CRISC, PCI ISA
Corporate Information Security Manager
Collective Brands Incorporated