Need Advice Re: (Compromised SSL Certificate pop up warning before login 2 Secure Nym)


Hendry
September 19th, 2009, 07:40 AM
Recently when I went to the Securenym webmail page a warning popped up. It said:

"A potentially compromised SSL certificate has been detected

Access to the following URL may not be secure:

https://www.securenym.net/mail/src/login.php

This server certificate has been signed using the MD5 algorithm. It is recommended that you do not exchange sensitive data with this website.
Display Name
www.securenym.net

Certificate fingerprint
19AB5FACB9CE10AAA34C9358B3F851405B03EE90

SSL Blacklist 4.0
Copyright© 2008 CodeFromthe70s.org "

What does this mean? This is the first time such a warning came up on the site. I just got Xerobank VPN, not sure if that has anything to do with it?

Any help is greatly appreciated.

Thanks in advance,

Hendry

Countermail
September 19th, 2009, 01:33 PM
It's because they have a weak SSL certificate (using MD5) and you have Firefox with the extension "SSL Blacklist" installed. SSL Blacklist is a really good extension, and the warning is correct.

Background: http://www.win.tue.nl/hashclash/rogue-ca/

Hendry
September 19th, 2009, 11:08 PM
> It's because they have a weak SSL certificate (using MD5) and you have Firefox with the extension "SSL Blacklist" installed. SSL Blacklist is a really good extension, and the warning is correct.
>
> Background: http://www.win.tue.nl/hashclash/rogue-ca/

Thanks for the reply Countermail.


So this means that SecureNym email is ............Insecure lol That's not good

ohda
October 6th, 2009, 02:53 PM
This is just wrong. SecureNym's SSL certs are dual signed, with SHA1 as the primary and MD5 the secondary. The SSL Blacklist plugin fails to recognize this.

Don't believe it? Click on the padlock icon in your browser, then 'view certificate'. BOTH fingerprints are right there, and the SHA1 is the primary.

Countermail
October 6th, 2009, 03:16 PM
> This is just wrong. SecureNym's SSL certs are dual signed, with SHA1 as the primary and MD5 the secondary. The SSL Blacklist plugin fails to recognize this.
>
> Don't believe it? Click on the padlock icon in your browser, then 'view certificate'. BOTH fingerprints are right there, and the SHA1 is the primary.

No, it's MD5 (PKCS#1 MD5 with RSA); you should look at the Signature algorithm.
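The disagreement in this thread comes down to two different things the browser's certificate viewer shows: the SHA-1 and MD5 *fingerprints*, which are just hashes of the whole certificate and exist for every certificate no matter how it was signed, and the *signature algorithm*, which is what the CA actually used and what SSL Blacklist checks. The script below is an added example, not code from any participant or from SSL Blacklist; it parses a DER certificate with the standard library only, reports the signature algorithm next to both fingerprints, and cross-checks that the outer signature algorithm matches the one inside the tbsCertificate as RFC 5280 requires. The two embedded certificates are constructed in the script itself (a hypothetical `www.example.test` with a dummy signature value), not SecureNym's real certificate; `load_pem` is a hypothetical helper for feeding in a certificate exported from a browser.

```python
"""Report an X.509 certificate's signature algorithm next to its SHA-1 and
MD5 fingerprints, using only the standard library.  Added example with
constructed sample certificates; not SecureNym's certificate."""
import base64
import hashlib

# Signature-algorithm OIDs (PKCS#1 / RFC 3279 / RFC 4055).
SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
BROKEN = {"md5WithRSAEncryption"}  # collisions used to forge a CA cert in 2008

# --- minimal DER encoder, used only to build the constructed sample certs ---
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + _len(len(content)) + content

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunks = [p & 0x7F]          # base-128, high bit set on all but last
        p >>= 7
        while p:
            chunks.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        body += bytes(chunks)
    return tlv(0x06, bytes(body))

def sample_cert(sig_oid, cn):
    """Constructed certificate: valid DER layout, dummy key and signature."""
    alg = tlv(0x30, oid(sig_oid) + b"\x05\x00")                  # AlgorithmIdentifier
    name = tlv(0x30, tlv(0x31, tlv(0x30, oid("2.5.4.3") + tlv(0x0C, cn.encode()))))
    validity = tlv(0x30, tlv(0x17, b"090101000000Z") + tlv(0x17, b"100101000000Z"))
    rsa_key = tlv(0x30, tlv(0x02, b"\x00\xC1\x23\x45\x67") + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, oid("1.2.840.113549.1.1.1") + b"\x05\x00")
               + tlv(0x03, b"\x00" + rsa_key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x10\x01")
              + alg + name + validity + name + spki)
    sig = tlv(0x03, b"\x00" + b"\xAA" * 16)                      # dummy signature bits
    return tlv(0x30, tbs + alg + sig)

# --- minimal DER reader ---
def read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                 # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def inspect(der):
    _, cert, _ = read_tlv(der, 0)
    tbs, outer_alg, _ = children(cert)          # tbsCertificate, signatureAlgorithm, signatureValue
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                    # skip optional [0] version
        fields = fields[1:]
    inner_alg = fields[1]                       # fields[0] is the serial number
    outer = SIG_ALGS.get(decode_oid(children(outer_alg[1])[0][1]), "unknown")
    inner = SIG_ALGS.get(decode_oid(children(inner_alg[1])[0][1]), "unknown")
    return {
        "signature_algorithm": outer,
        "tbs_algorithm_matches": outer == inner,   # RFC 5280 4.1.1.2: must be identical
        "sha1_fingerprint": hashlib.sha1(der).hexdigest().upper(),
        "md5_fingerprint": hashlib.md5(der).hexdigest().upper(),
        "weak_signature": outer in BROKEN,
    }

def load_pem(path):
    """Hypothetical helper: PEM exported from a browser -> DER bytes."""
    with open(path) as f:
        body = "".join(l.strip() for l in f if not l.startswith("-----"))
    return base64.b64decode(body)

MD5_CERT = sample_cert("1.2.840.113549.1.1.4", "www.example.test")   # constructed
SHA1_CERT = sample_cert("1.2.840.113549.1.1.5", "www.example.test")  # constructed

if __name__ == "__main__":
    for label, der in (("MD5-signed", MD5_CERT), ("SHA-1-signed", SHA1_CERT)):
        print(label, inspect(der))
```

Running it shows that both certificates carry an MD5 fingerprint and a SHA-1 fingerprint, so "both fingerprints are there" says nothing about the signature; only the `signature_algorithm` field distinguishes the MD5-signed one, which is the field SSL Blacklist flags. To check a real certificate, export it from the browser as PEM and call `inspect(load_pem("cert.pem"))`.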