
Re: SSL certificate checker plugin for Firefox?



Matej Kovacic (02.01.2009 19:39):
> Hi,
> 
>> That's what it is supposed to say until you give it a name.  The
>> assumption is that you use out of band methods to authenticate the cert
>> is correctly assigned.  And then you type whatever nickname you want to
>> give it into the petname field.  Should the slo-tech.com cert change,
>> you'll receive a red box instead of green.  
> 
> Exactly that is the problem - I cannot change "unauthenticated" to any
> other string (on this site only, on PayPal I can do that).

An "Unauthenticated" reading in the Petname tool on an HTTPS site means
that not all of the webpage's contents were transmitted over SSL, i.e.
the content is security-mixed. Consider a scenario with a secure site
transmitting user login credentials with the help of some JavaScript
code sent over plain HTTP. If Mallory substitutes this unauthenticated
JavaScript code, your login information could be compromised. In this
case it makes no practical difference whether you use the Petname tool
or not, because not all webpage objects are safe in the first place.

Usually such "mixed content" situations originate from ad banners or
similar things. You may scrub them with the Adblock Firefox extension.
Once there are no HTTP-transmitted objects left on the HTTPS page, the
Petname tool will work as expected.

-- 
SATtva | security & privacy consulting
www.vladmiller.info | www.pgpru.com
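
The check described in the message above, as an added example that is not part of the original post: a Python sketch that parses an HTTPS page's HTML and lists the objects it would load over plain HTTP, split into active content (scripts, frames, stylesheets) and passive content (images, media). The names `find_mixed_content` and `MixedContentFinder` and the sample page are assumptions made for illustration; the check is static, so it does not see resources that scripts request at run time.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, class); "active" content can script or restyle the page.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "embed": ("src", "active"), "object": ("data", "active"),
    "link": ("href", "active"), "img": ("src", "passive"),
    "audio": ("src", "passive"), "video": ("src", "passive"),
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # replaced if the page carries <base href>
        self.findings = []     # (class, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"].strip())
        if tag not in SUBRESOURCES:
            return             # <a href> and the like are links, not loads
        attr, kind = SUBRESOURCES[tag]
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return             # of <link> elements, only stylesheets are checked
        url = (attrs.get(attr) or "").strip()
        # Relative and protocol-relative (//host/x) URLs inherit the base scheme.
        resolved = urljoin(self.base, url)
        if url and urlsplit(resolved).scheme == "http":
            self.findings.append((kind, tag, resolved))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        raise ValueError("page was not fetched over HTTPS")
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page; hosts are placeholders, not taken from the thread.
SAMPLE = """<head><script src="http://ads.example.net/banner.js"></script>
<link rel="stylesheet" href="/site.css"></head>
<body><img src="//cdn.example.com/logo.png">
<img src="http://ads.example.net/banner.gif">
<a href="http://example.org/">ordinary link</a></body>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://shop.example.com/login", SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

An empty result means every object named in the markup is fetched over HTTPS; any "active" finding is the case where substituted script code could read what the user types.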
