Security Basics
Re: Fake Security Certificate Jul 08 2014 07:51AM
Muhammad Saqib (devj nullj gmail com)
Thanks all for your replies and helpful advice. Definitely, my office
email is no longer private, and your advice will help me deal with the
situation.

Regards

On Fri, Jul 4, 2014 at 8:37 PM, Dennis E. Hamilton
<dennis.hamilton (at) acm (dot) org> wrote:
> This will depend on your local law. In the United States, for example, employer-provided e-mail is under the control of the employer. Although there has been movement to have employers disclose exactly what the privacy and security arrangements are, I do not know how well that is practiced in any legal jurisdiction.
>
> My best advice is (1) do not use that password for anything else, and (2) don't use the office email for personal and especially private matters.
>
> Next, find a polite way to determine whether the redirection is a matter of business policy and is known to the management. That is, the system administrator has the authority to do this and the practice is known. I would be careful and not assume automatically that this is unauthorized. But it does have security implications for the company.
>
> A place to start might be to raise your concern about the certificate discrepancy at the redirected site. It is not necessarily "fake," just not done properly. Browser messages tend to be over-reaching, but the warning of a possible hazard should be of concern.
>
>
> -- Dennis E. Hamilton
> dennis.hamilton (at) acm (dot) org +1-206-779-9430
> https://keybase.io/orcmid PGP F96E 89FF D456 628A
>
>
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Muhammad Saqib
> Sent: Thursday, July 3, 2014 23:15
> To: security-basics (at) securityfocus (dot) com
> Subject: Fake Security Certificate
>
> Hello All
>
> I am in a little bit of a fix relating to the security of my office email
> and thought to seek the advice of the community here.
>
> I work in a small company and our office email is hosted on Google. A
> few days ago, I tried to change the password of my email and instead
> of opening the usual Google page for password change, it redirected me
> to passwordchange.mycompanydomain.com and my browser told me that the
> security certificate of this webpage cannot be trusted. nslookup
> passwordchange.mycompanydomain.com revealed that this webpage is
> indeed hosted by the server managed by our system administrator.
> Obviously, the password change link in the Google mail has been
> redirected to this webpage by our system administrator who is also
> responsible for managing and hosting of office email on Google and has
> the rights to edit such information.
>
> I would like to ask:
>
> 1. Is this something which I should ignore and continue with my email
> as earlier?
>
> 2. One possible reason for the system administrator to do this could be
> enabling a single sign-on service for the users, i.e. the same password for
> email and the domain logon on office computers. By collecting the
> password from the email, the system admin can save the same password
> for the domain logon. However, is this excuse good enough to allow for
> such a practice?
>
> 3. Even if it is being used for single sign on, isn't there any way
> that an application using a trusted certificate can be used for this
> purpose?
>
> I would greatly appreciate your expert opinion on this.
>
>
> Regards
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------

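Dennis's point that the certificate at the redirected site may be "not done properly" rather than fake can be made concrete. The Python below is an added example, not code from the thread: it spells out the three checks behind a browser's "cannot be trusted" warning on a certificate in the shape Python's `ssl.getpeercert()` returns, using a constructed self-signed sample and the page's placeholder hostname; only `probe()` touches the network, and it simply reports why the system trust store rejects a live host.

```python
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns: a self-signed
# certificate issued for a different name, i.e. a page set up "not properly".
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.mycompanydomain.internal"),),),
    "issuer": ((("commonName", "mail.mycompanydomain.internal"),),),
    "subjectAltName": (("DNS", "mail.mycompanydomain.internal"),),
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2015 GMT",
}
AS_OF_JUL_2014 = ssl.cert_time_to_seconds("Jul  4 00:00:00 2014 GMT")

def dns_names(cert):
    """Names the certificate is valid for: SAN entries, else the legacy CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """RFC 6125 style: a leading '*' covers exactly one DNS label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def assess(cert, hostname, now=None):
    """Reasons a client would refuse cert for hostname; chain validation is left to probe()."""
    now = time.time() if now is None else now
    reasons = []
    if not any(name_matches(n, hostname) for n in dns_names(cert)):
        reasons.append("hostname mismatch: certificate is for %s" % ", ".join(dns_names(cert)))
    if cert.get("issuer") == cert.get("subject"):
        reasons.append("self-signed: issuer equals subject, no CA vouches for it")
    if not ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("outside validity period")
    return reasons

def probe(hostname, port=443):
    """Live check against the system trust store: None if accepted, else OpenSSL's reason."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message
```

An empty result from `assess()` only means these three checks passed; whether the issuer chains to a root the client trusts is what `probe()` asks the system trust store.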
Copyright 2010, SecurityFocus