Security Basics
Fake Security Certificate Jul 04 2014 06:15AM
Muhammad Saqib (devj nullj gmail com) (2 replies)
Re: Fake Security Certificate Jul 04 2014 05:23PM
Security Admin (security planetkips nl)
Actually, the one you should ask is your helpdesk or sysadmin.

On 4 Jul 2014, at 08:15, Muhammad Saqib <devj.nullj (at) gmail (dot) com [email concealed]> wrote:

> Hello All
>
> I am in a little bit of a fix relating to the security of my office email
> and thought to seek advice of community here.
>
> I work in a small company and our office email is hosted on Google. A
> few days ago, I tried to change the password of my email and instead
> of opening the usual Google page for password change, it redirected me
> to passwordchange.mycompanydomain.com and my browser told me that the
> security certificate of this webpage cannot be trusted. nslookup
> passwordchange.mycompanydomain.com revealed that this webpage is
> indeed hosted by the server managed by our system administrator.
> Obviously, the password change link in the Google mail has been
> redirected to this webpage by our system administrator who is also
> responsible for managing and hosting of office email on Google and has
> the rights to edit such information.
>
> I would like to ask:
>
> 1. Is this something which I should ignore and continue with my email
> as earlier?
>
> 2. One possible reason for system administrator to do this could be
> enabling single sign on service for the users i.e. same password for
> email and the domain log on on office computers. By collecting the
> password from the email, the system admin can save the same password
> for domain log on. However, is this excuse good enough to allow for
> such practice?
>
> 3. Even if it is being used for single sign on, isn't there any way
> that an application using a trusted certificate can be used for this
> purpose?
>
> I would greatly appreciate your expert opinion on this.
>
>
> Regards
>

RE: Fake Security Certificate Jul 04 2014 03:37PM
Dennis E. Hamilton (dennis hamilton acm org) (1 replies)
Re: Fake Security Certificate Jul 08 2014 07:51AM
Muhammad Saqib (devj nullj gmail com)


 

Copyright 2010, SecurityFocus