http://www.secuobs.com Observatoire de la securite Internet fr webmaster@secuobs.com 2009-06-26 07:48:52 - .SSLFail. : Jay posted on this previously and we had a brief discussion surroundingit in the comments, but I wanted to bring this up again because I’mreally not a fan of it, and I wanted to make sure people are payingattention Oh yeah and discuss, discuss, discuss — let’s have somechatter I http://www.secuobs.com/revue/news/113970.shtmlhttp://www.secuobs.com/revue/news/113970.shtml Secuobs.com : 2009-06-04 17:42:08 - .SSLFail. - I came across a useful tool on a Dutch Hosting Site: Networking4all SSLSite Check Tool Try it outhttp://wwwnetworking4allcom/en/support/tools/site+check/report/fqdn=wwwcibccomhttp://www.secuobs.com/revue/news/105851.shtmlhttp://www.secuobs.com/revue/news/105851.shtml Secuobs.com : 2009-04-21 07:20:51 - .SSLFail. - Thanks to Mike Ahttp://www.secuobs.com/revue/news/85929.shtmlhttp://www.secuobs.com/revue/news/85929.shtml Secuobs.com : 2009-04-21 04:17:02 - .SSLFail. - Thanks to Jim Manicohttp://www.secuobs.com/revue/news/85888.shtmlhttp://www.secuobs.com/revue/news/85888.shtml Secuobs.com : 2009-02-09 07:28:27 - .SSLFail. - I really wish I’d be at ShmooCon for this, but getting news of it is morethan enough I had first mentioned the Middler when I attended Jay’stalk at SecTor Following the presentation I had a chance to sit downand further discuss the tool with Jay and I was really excited thatthe http://www.secuobs.com/revue/news/59793.shtmlhttp://www.secuobs.com/revue/news/59793.shtml Secuobs.com : 2009-02-08 06:46:49 - .SSLFail. - This SSL Packet Trace is based on the Server View found here My goal isto add useful hash information to the packet dump which in itsoriginal form only contained the state register values These are thestarting values for your MD5 and SHA-1 Hash Objects State = uselessHash = digest of all handshake data seen http://www.secuobs.com/revue/news/59639.shtmlhttp://www.secuobs.com/revue/news/59639.shtml Secuobs.com : 2009-02-06 07:05:45 - .SSLFail. - Royal Pingdom has a post up mention that Netcraft has announced there arenow one million sites that are using SSL That’s valid certs, trustedby a third party, not expired and where the common name matches thehostname That’s a far cry from the 3293 found in Netcrafts first SSLsurvey Does this survey catch http://www.secuobs.com/revue/news/59135.shtmlhttp://www.secuobs.com/revue/news/59135.shtml Secuobs.com : 2009-01-28 00:48:48 - .SSLFail. - http://www.secuobs.com/revue/news/55742.shtmlhttp://www.secuobs.com/revue/news/55742.shtml Secuobs.com : 2009-01-27 20:00:32 - .SSLFail. - We just recieved a link to our own site It would appear that someone waslooking and discovered that we don’t have a SSL Enabled site This isvery true, but we’re not a large company with tons of visitors infact we’re still at less than 1000 unique visitors and we’re notasking you http://www.secuobs.com/revue/news/55657.shtmlhttp://www.secuobs.com/revue/news/55657.shtml Secuobs.com : 2009-01-22 23:14:06 - .SSLFail. - http://www.secuobs.com/revue/news/54270.shtmlhttp://www.secuobs.com/revue/news/54270.shtml Secuobs.com : 2009-01-22 23:14:06 - .SSLFail. - http://www.secuobs.com/revue/news/54269.shtmlhttp://www.secuobs.com/revue/news/54269.shtml Secuobs.com : 2009-01-22 23:14:06 - .SSLFail. - http://www.secuobs.com/revue/news/54268.shtmlhttp://www.secuobs.com/revue/news/54268.shtml Secuobs.com : 2009-01-22 23:14:06 - .SSLFail. - This is Part 1 of a series of posts about Netscape’s SSLv3 spec Whenworking on my first SSL Client I went looking for the official RFC tocorrectly implement the SSLv3 protocol Near total FAIL The SSLv3protocol was created by Netscape back in 1995 The file that mostpeople continue to reference is:http://wwwnetscapecom/eng/ssl3/draft302txt Which is tragicallyhttp://www.secuobs.com/revue/news/54267.shtmlhttp://www.secuobs.com/revue/news/54267.shtml Secuobs.com : 2009-01-22 23:14:06 - .SSLFail. - Since the site went live and our first ssl_error_bad_cert_domain errornote: I will be using the Firefox error message to identify most ofthese errors was posted, we’ve been receiving emails, comments andIMs regarding this SSL error and why it isn’t a security issue, andhow we shouldn’t be posting them There may be http://www.secuobs.com/revue/news/54266.shtmlhttp://www.secuobs.com/revue/news/54266.shtml Secuobs.com : 2009-01-22 23:14:06 - .SSLFail. - Given my last post on ssl_error_bad_cert_domain error you probablywouldn’t expect me to post another one so soon, but I thought thatthis really demonstrated my point Mike Murray posted to twitterearlier today that something was up with their SSL and asked ifperhaps it was a compromise of sorts Tonight he sent us http://www.secuobs.com/revue/news/54265.shtmlhttp://www.secuobs.com/revue/news/54265.shtml Secuobs.com : 2009-01-22 23:14:06 - .SSLFail. - http://www.secuobs.com/revue/news/54264.shtmlhttp://www.secuobs.com/revue/news/54264.shtml Secuobs.com : 2009-01-22 23:14:06 - .SSLFail. - Update: apparently Romain and I posted the same image, so I've removedthe image from my comment We recently had a link submitted ThanksJirka that I think is a great example of betraying user trust in theSSL Realm The link in question belongs to Microsoft and links to noneother than their phishing filter http://www.secuobs.com/revue/news/54263.shtmlhttp://www.secuobs.com/revue/news/54263.shtml Secuobs.com : 2009-01-22 23:14:06 - .SSLFail. - Welcome to SSLFail Lately there seems to be a lot of SSL discussion, andnot just the recently released ‘Rogue CA‘ presentation There havebeen speakers at several cons, blog posts, and conversations latelyaround the subject of SSL Marcin and I were discussing some of therecent failures that we’ve seen and that others have mentioned http://www.secuobs.com/revue/news/54262.shtmlhttp://www.secuobs.com/revue/news/54262.shtml http://www.secuobs.com Observatoire de la securite Internet fr webmaster@secuobs.com 2010-07-24 18:00:40 - . SSLFail . : This one came in via email from Philippe You d think that a company with the page title SSL Certificates from a Leading SSL Certificate Authority could do a little better http://www.secuobs.com/revue/news/243584.shtmlhttp://www.secuobs.com/revue/news/243584.shtml Secuobs.com : 2010-05-27 23:53:35 - . SSLFail . - Michael submitted this SSL fail to us from the ICICI Bank Canada website Another interesting thing about this website is that with javascript blocked, the default page won t even load because they use a javascript redirect to send you to the main page I suppose setting the DefaultDocuments directive or rather the IIS equivalent is http://www.secuobs.com/revue/news/226445.shtmlhttp://www.secuobs.com/revue/news/226445.shtml Secuobs.com : 2009-10-13 04:24:23 - . SSLFail . - SANS ISC is reporting that people are receiving spam indicating that a server upgrade is occurring and people will need to manually update their SSL certificates As if there weren t already enough problems with SSL I have to say, this is interesting and if anyone has any examples of the message with mail headers or a http://www.secuobs.com/revue/news/149842.shtmlhttp://www.secuobs.com/revue/news/149842.shtml Secuobs.com : 2009-10-11 21:56:21 - . SSLFail . - Anyone who tried to access SSLFailcom late last night or this morning would have noticed that it was down I apparently caused my own server outage with python Here s how it happened When sockstress was first discussed I was rather intrigued and thought about it for a bit, but then I quickly abandoned it I just http://www.secuobs.com/revue/news/149463.shtmlhttp://www.secuobs.com/revue/news/149463.shtml Secuobs.com : 2009-10-09 03:30:10 - . SSLFail . - I just wanted to point to an awesome article from Kelly Jackson Higgins on DarkReading I can call it awesome because it s about the SSLFail panel at SecTOR and includes quite a bit of the information we shared with attendees, so for anyone not at SecTOR and not wanting to look at the raw data http://www.secuobs.com/revue/news/148831.shtmlhttp://www.secuobs.com/revue/news/148831.shtml Secuobs.com : 2009-10-08 22:50:00 - . SSLFail . - I want to call the SSLFailcom panel at SecTOR a great success We had a great time up there and if the audience participating was any indication and it seems to be then then it was a good time for everyone We ended up talking so long that we were kicked out of the room http://www.secuobs.com/revue/news/148763.shtmlhttp://www.secuobs.com/revue/news/148763.shtml Secuobs.com : 2009-10-01 10:39:14 - . SSLFail . - I ve been a huge fan of SecTor since the first year it ran and have been fairly vocal about people attending This year there s an extra special reason to attend though, a couple of SSLFailcom bloggers will be doing a panel, we may even have a special guest join us You ll have to attend the http://www.secuobs.com/revue/news/146370.shtmlhttp://www.secuobs.com/revue/news/146370.shtml Secuobs.com : 2009-07-22 11:14:06 - . SSLFail . - A while back we posted a screenshot of the Rogers Webmail SSLFail I decided to follow-up with Rogers to see if they were going to resolve the issue anytime soon I contacted Rogers and asked if they were going to fix the issue, a couple of days later July 11th I received a canned response http://www.secuobs.com/revue/news/123448.shtmlhttp://www.secuobs.com/revue/news/123448.shtml Secuobs.com : 2009-07-11 19:45:56 - . SSLFail . - We had an interesting screen shot sent in today from Sheldon his post on the subject It appears as though the SSL certificate on LinkedIn expired today and they waited until after the expiration to update their cert, leaving people with SSL errors temporarily This doesn t seem like a great way to foster user trust, http://www.secuobs.com/revue/news/119317.shtmlhttp://www.secuobs.com/revue/news/119317.shtml