Site SSL Certificate Error

Discussion in 'privacy technology' started by JoeAverage, Oct 26, 2013.

Thread Status:
Not open for further replies.
  1. JoeAverage

    JoeAverage Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    25
    Hi,

    First post, but I have been around here for some time, learning a lot from you guys. Really, thanks.

    I have a doubt about my company webmail. Every time I log in to the webmail from home with my notebook, there is an SSL certificate error.

    I know that the site is not fake, but is there any possibility of my notebook being hacked by the company, to find out what I have on the computer or my surfing habits? I'm worried about being spied on by them. And I don't understand: if they want a secure site, why not make the certificate valid?

    Sorry for my English and the noob question,

    Cheers
     
  2. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    758
    It's just because they don't wanna pay for certificate validation. Just to cut down the expenses, you know. Generally speaking, nothing to worry about if you know that the site is legit.
     
  3. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,428
    Could be a Man In The Middle attack. Just saying.
     
  4. JoeAverage

    JoeAverage Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    25
    Thanks for the quick replies

    I thought of some kind of MITM attack. If I log in to the webmail, write and send an email, is there a way for my company, or someone in IT, to hack my notebook if they want to? Is it possible?

    My notebook security is:

    Comodo Int.Security (AV/FW), MBAM (on demand), superantispyware pro (realtime).

    I am behind a router with firewall enabled. Ports are stealth.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    If you want to be sure that you're actually connecting to your company's website, you need to have the certificate. Get it from someone in IT via a secure channel, such as a new USB drive in person. Then install it in your browser.

    If you can't get the website certificate in person, you could create a GnuPG key pair, send the public key to someone in IT, and ask them to encrypt the website certificate to your key, and email it to you.

    There is a risk that your email to IT will get MitMed, however.
     
  6. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    When I try to access the website of our national postal service I get an SSL warning, because the certificate belongs to the Norwegian national postal service!

    Like imdb said:
    It's probably because they are too cheap to do certificate management
    correctly. And that is just one of the things that makes certificate-based security worthless!
     
  7. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    Thoughts...

    1) Webmail server is using a self-signed certificate
    2) Webmail server is using a purchased certificate that doesn't chain up to a root certificate that is approved and pre-installed by your browser/OS manufacturer.
    3) Webmail server is configured to require client devices to have/produce a company authorized client certificate.
    4) Your webmail traffic is being routed through a corporate MITM device that relies upon a special root certificate being installed on client devices. Assuming the company has full control over the webmail server they can monitor activity via the server though. Related Q: Is your traffic hitting the webmail server by way of the Internet or by way of a corporate VPN?

    The error message you are getting could shed some light on what is/isn't going on. Examining the server certificate from outside *and* inside your company network would shed some light on what is/isn't going on, assuming you know or can figure out how to interpret things. Asking an IT person at work to explain what is going on should help.

    Make an effort to understand the intentions and steps before allowing an employer to access/modify a personal device.
     
  8. JoeAverage

    JoeAverage Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    25

    Thanks for the replies.

    Answering the question, No, there is no corporate VPN. I access via Internet.

    I understand more now, and I prefer not to ask the IT guys about it, because I don't know their intentions, and you know...

    But I have one more doubt: is it possible for an adversary to invade my notebook's system while I'm logged in to the company webmail?

    If that is the case, I will format the HD, install Windows again and never access the webmail from my personal notebook again.
     
  9. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    Well *theoretically* your company's webmail server could have been compromised and configured to expose you to malware which got past your defenses and actually infected your system and the certificate error you are seeing is somehow a consequence of that event. Did you notice any strange behavior or prompts to install something when you accessed the webmail server?

    HOWEVER, this certificate issue *might* be perfectly "normal" and expected and not related to malware.

    It is up to you, but absent some evidence to support the idea that your notebook really has been compromised by something (an AV scan might not be a bad idea at some point) you might consider holding off on that until you dig a bit deeper.

    This forum uses a self-signed certificate. I don't know if you are accessing it via httpS but you can try doing so (note LowWaterMark's comment below) and see how your browser reacts when it encounters such a certificate. Which browser BTW? Is that the type of message you see when you access your webmail server?

    There is also SSL Labs (https://www.ssllabs.com/ssltest/index.html) which you can use to perform an SSL server test. I suggest you check the "Do not show the results on the boards" option. This will give you some information about the webmail server. For example, if you run a test against this forum's server you will see a "Self-signed" remark next to the Issuer and a "Not trusted (path does not chain to a trusted anchor)" remark in the Certification Paths. If you don't understand something you could share *snippets* from the results... censoring anything that would identify your employer's server/domain... and maybe someone here can explain it or help you take another step in the right direction.
     
    Last edited: Oct 27, 2013
  10. JoeAverage

    JoeAverage Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    25
    Ok, thanks a lot for the reply.

    When I open Wilders, there's no SSL certificate, it's HTTP only.

    I'm using Comodo Dragon. I have scanned with Comodo AV and MBAM and found nothing.

    Maybe I'm a little bit paranoid... :D

    Thanks anyway, very helpful information here

    Cheers
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Please note that all local forum links are automatically converted to whatever method the person reading the thread is using at the time. If you browse this site via http then all links back to this site show as http. If you use https, then all links will show as https. I configured the software this way to guarantee that people never change unexpectedly between http and https connections. It's for their protection, really. If they are using an http proxy to access here and are unexpectedly linked to other forum pages or embedded IMG tags that are https, and their proxy doesn't handle https, it could reveal their real IP address. Likewise, if someone is using an insecure network somewhere and accessing here via https to keep their credentials private, and they hit a link or IMG tag someone included in a post that is http, then their data is exposed on that unencrypted port.

    So, in order to get someone into one access method or the other, you must tell them to either add the s or remove it. The only link on the forum that is an exception to this automatic changing is the SSL link in the lower right navigation bar next to the Contact Us link. That SSL link always shows as https regardless of how someone is accessing the forum.

    Many sites don't consider this issue. If a site allows both http and https access, then links members post almost always stay literal to what they posted, causing people moving through the forum to change access modes frequently.
     
  12. JoeAverage

    JoeAverage Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    25

    OK, your link does not have the "s" of the https... but I included it and the certificate error was there.


    Edit: I just read LowWaterMark's post
     
  13. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    Thank you for catching/clarifying that LowWaterMark, apologies for not knowing that JoeAverage. At least you finally saw what type of message you get. Hopefully that was helpful in some way.
     
  14. JoeAverage

    JoeAverage Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    25
    Thanks a lot, TheWindBringeth, you were very helpful.

    I understand it better now.

    Cheers
     
  15. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Another simple thing to do, at least for me: open your browser and go to your company website. Then click on the browser "padlock" and view the certificate. FYI, I use FF. You should be able to see the "fingerprint" displayed. It's a really long number and one that cannot be manipulated by a MITM attack. Once you know your company's fingerprint you can then compare the fingerprint from the browser for a match. NO ONE can fake a perfect fingerprint match at this time. FF has addons that will automatically compare the fingerprint every time you connect. Again, no MITM can spoof a match to that degree. Can't be done.

    Hopefully you know how to confirm what your company's cert fingerprint is.

    Example from here:

    Wilder's Fingerprint

    B6 6C B2 E9 9B 88 3F 01 D4 F7 6F 50 46 68 A0 E5 B0 04 FE E4
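The manual check Palancar describes above (and the "examine the server certificate from outside and inside your company network" step TheWindBringeth suggested in post 7) can be scripted. The following is an added example, not code from anyone in this thread: it hashes a DER-encoded certificate into the colon-separated fingerprint browsers display, normalises fingerprints written with spaces, colons or lower case so they compare equal, and compares them in constant time. The helper `fetch_der_cert` (an assumed name) pulls the leaf certificate a live server presents without validating it, since the whole point is to pin it yourself; the offline demo at the bottom uses constructed sample bytes instead. The fingerprint from Palancar's post is reused only as sample input.

```python
import hashlib
import hmac
import ssl
import sys

# Fingerprint quoted in Palancar's post above (SHA-1, as Firefox showed it in 2013).
# Used here purely as sample data for the normalisation check.
WILDERS_SHA1_FINGERPRINT = "B6 6C B2 E9 9B 88 3F 01 D4 F7 6F 50 46 68 A0 E5 B0 04 FE E4"


def normalize(fp: str) -> str:
    """Canonical form: uppercase hex with no separators, so that
    'b6:6c', 'B6 6C' and 'b66c' all compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprint(der_cert: bytes, algo: str = "sha1") -> str:
    """Hash the DER bytes of a certificate and return the browser-style
    fingerprint: uppercase hex pairs separated by colons."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(observed: str, expected: str) -> bool:
    """Compare two fingerprints regardless of formatting, in constant time."""
    a, b = normalize(observed), normalize(expected)
    return len(a) == len(b) and hmac.compare_digest(a, b)


def check_pin(der_cert: bytes, expected: str, algo: str = "sha1") -> dict:
    """Report what the server presented versus what you pinned.
    A mismatch means the leaf certificate changed: either a legitimate
    renewal, or something (e.g. an interception proxy) re-signing it."""
    observed = fingerprint(der_cert, algo)
    return {
        "algorithm": algo,
        "observed": observed,
        "expected": normalize(expected),
        "match": matches(observed, expected),
    }


def fetch_der_cert(host: str, port: int = 443) -> bytes:
    """Retrieve the leaf certificate a server presents, without
    validating the chain (validation is what failed for the OP; pinning
    replaces it). Network call; not used by the offline demo below."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # Usage: python pin_check.py webmail.example.invalid "AA:BB:..." [sha256]
        host, expected = sys.argv[1], sys.argv[2]
        algo = sys.argv[3] if len(sys.argv) > 3 else "sha1"
        print(check_pin(fetch_der_cert(host), expected, algo))
    else:
        # Offline demo on constructed bytes standing in for a DER certificate.
        sample_der = b"constructed-sample-not-a-real-certificate"
        pinned = fingerprint(sample_der, "sha256")
        print(check_pin(sample_der, pinned, "sha256"))
        print(check_pin(sample_der, pinned.replace("A", "B", 1), "sha256"))
```

Browsers of the period displayed the SHA-1 fingerprint, which is why the post shows 20 byte pairs; passing `"sha256"` gives the 32-pair value modern browsers and SSL Labs show. Run the script from two networks (home and the office) as post 7 suggests and compare the reports: if the pinned value matches from one and not the other, the certificate you see differs by path, which is exactly the situation a corporate interception device would produce.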
     
  16. JoeAverage

    JoeAverage Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    25

    I'll do that, Palancar, thanks a lot for the suggestion :thumb:

    Cheers
     