Site SSL Certificate Error

Hi,

First post, but being around here for sometime, learning a lot with you guys, really thanks.

I have a doubt about my company webmail. Every time I log into the webmail, from home with my notebook, there is a SSL certificate error.

I know that the site is not fake, but is there any possibility to my notebook be hacked by the company, to know what I have in the computer or my surfing habits? I`m worried of being spyed by them. And I don`t understand, if they want a secure site, why not make the certification valid?

Sorry for my english and the noob question,

Cheers

 

it's just because they don't wanna pay for certificate validation. just to cut down the expenses, you know. generally speaking, nothing to worry about if you know that the site is legit.

 

Could be a Man In The Middle attack. Just saying.

 

Thanks for the quick replies

I thought of kinda MITMA, If I log to the webmail, write and send an email, is there a way that my company, or someone of the IT, wants to hack my notebook, is it possible?

My note book security is

Comodo Int.Security (AV/FW), MBAM (on demand), superantispyware pro (realtime).

I am behind a router with firewall enabled. Ports are stealth.

 

If you want to be sure that you're actually connecting to your company's website, you need to have the certificate. Get it from someone in IT via a secure channel, such as a new USB drive in person. Then install it in your browser.

If you can't get the website certificate in person, you could create a GnuPG key pair, send the public key to someone in IT, and ask them to encrypt the website certificate to your key, and email it to you.

There is a risk that your email to IT will get MitMed, however.

 

When I try to access the website of our national postal-service I get a SSL-warning, because the certificate belongs to the Norwegian national postal service !

Like imdb said :
It's probably because they are to cheap to do certificate-management
correctly - And that is just one of the things that makes Certificate-based security worthless !

 

Thoughts...

1) Webmail server is using a self-signed certificate
2) Webmail server is using a purchased certificate that doesn't chain up to a root certificate that is approved and pre-installed by your browser/OS manufacturer.
3) Webmail server is configured to require client devices to have/produce a company authorized client certificate.
4) Your webmail traffic is being routed through a corporate MITM device that relies upon a special root certificate being installed on client devices. Assuming the company has full control over the webmail server they can monitor activity via the server though. Related Q: Is your traffic hitting the webmail server by way of the Internet or by way of a corporate VPN?

The error message you are getting could shed some light on what is/isn't going on. Examining the server certificate from outside *and* inside your company network would shed some light on what is/isn't going on, assuming you know or can figure out how to interpret things. Asking an IT person at work to explain what is going on should help.

Make an effort to understand the intentions and steps before allowing an employer to access/modify a personal device.

 

Thanks for the replies.

Answering the question, No, there is no corporate VPN. I access via Internet.

I understand more now, and I prefer not to ask the IT guys about it, because I don`t know their intentions, and you know...

but I have one more doubt: Is it possible to an adversary invade my notebook system while I'm log in the company webmail?

If that is the case, I will formated the HD, install windows again and never access the webmail from my personal notebook again.

 

Well *theoretically* your company's webmail server could have been compromised and configured to expose you to malware which got past your defenses and actually infected your system and the certificate error you are seeing is somehow a consequence of that event. Did you notice any strange behavior or prompts to install something when you accessed the webmail server?

HOWEVER, this certificate issue *might* be perfectly "normal" and expected and not related to malware.

It is up to you, but absent some evidence to support the idea that your notebook really has been compromised by something (an AV scan might not be a bad idea at some point) you might consider holding off on that until you dig a bit deeper.

This forum uses a self-signed certificate. I don't know if you are accessing it via httpS but you can try doing so (note LowWaterMark's comment below) and see how your browser reacts when it encounters such a certificate. Which browser BTW? Is that the type of message you see when you access your webmail server?

There is also SSL Labs (https://www.ssllabs.com/ssltest/index.html) which you can use to perform an SSL server test. I suggest you check the "Do not show the results on the boards" option. This will give you some information about the webmail server. For example, if you run a test against this forum's server you will see a "Self-signed" remark next to the Issuer and a "Not trusted (path does not chain to a trusted anchor)" remark in the Certification Paths. If you don't understand something you could share *snippets* from the results... censoring anything that would identify your employer's server/domain... and maybe someone here can explain it or help you take another step in the right direction.

 

Ok, thanks a lot for the reply.

When I open wilders, theres no SSL certifiCate, its HTTP only.

I`m using comodo dragon, I have scanned with comodo AV, MBAM and found nothing.

Maybe I`m a little bit paranoid...

Thanks anyway, very helpfull information here

Cheers

 

Ok, your link does not have the "s" of the https...but I included it and the certification error was there.


Edit: I just read LowWaterMark post

 

Thank you for catching/clarifying that LowWaterMark, apologies for not knowing that JoeAverage. At least you finally saw what type of message you get. Hopefully that was helpful in some way.

 

Thanks a lot, TheWindBringeth, you were very helpfull.

I understand it better now.

Cheers

 

Another simple thing to do, at least for me: Open your browser and go to your company website. Then click on the browser "padlock" and view the certificate. fyi - I use FF. You should be able to see the "fingerprint" displayed. Its a really long number and one that cannot be manipulated by a MITM attack. Once you know your company's fingerprint you can then compare the fingerprint from the browser for a match. NO ONE can fake a perfect fingerprint match at this time. FF has addons that will automatically compare the fingerprint every time you connect. Again, no MITM can spoof a match to that degree. Can't be done.

Hopefully you know how to confirm what your company's cert fingerprint is.

Example from here:

Wilder's Fingerprint

B6 6C B2 E9 9B 88 3F 01 D4 F7 6F 50 46 68 A0 E5 B0 04 FE E4

 

I'll do that, Palancar, thanks a lot for the sugestion

Cheers