unintended?

ian.farquhar at rsa.com
Sun Nov 16 18:25:18 EST 2008


[Moderator's note: Top posting is considered untasteful. --Perry]

It doesn't need to be malicious.  It depends on the situation.

For example, lots of corporations do SSL session inspection using
products like Bluecoat.  The Bluecoat does a MiTM attack to expose the
plaintext for analysis, and expects that corporate users trust the
certificate it provides (and have pushed it out to all corporate
browsers).  If you've just loaded Firefox, it won't have that "trusted"
cert loaded by default, and you'll see exactly the below.

Ian. 

-----Original Message-----
From: owner-cryptography at metzdowd.com
[mailto:owner-cryptography at metzdowd.com] On Behalf Of Chad Perrin
Sent: Saturday, November 15, 2008 8:29 AM
To: cryptography at metzdowd.com
Subject: Re: unintended?

On Fri, Nov 14, 2008 at 01:26:29PM +0000, bmanning at vacation.karoshi.com
wrote:
> (snicker)  from the local firefox
> ....
> 
> en-us.add-ons.mozilla.com:443 uses an invalid security certificate.
> 
> The certificate is not trusted because the issuer certificate is not trusted.
> 
> (Error code: sec_error_untrusted_issuer)

What does Perspectives have to say?

What installation of Firefox did you use?

I don't have that problem when I visit:
  https://addons.mozilla.org/en-US/firefox/

Do you perhaps have some kind of malicious redirection going on there?

-- 
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
John Kenneth Galbraith: "If all else fails, immortality can always be
assured through spectacular error."

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
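
The case described in the reply above (an inspection proxy re-signing traffic under a corporate CA) can be told apart from an unexpected interception by checking which trust anchor the presented certificate validates under. This is an added example, not part of the original thread; the function names, CA subjects and host name are constructed, and it assumes the `openssl` command-line tool is installed.

```shell
# Added example. Every CA, host name and file here is constructed for the demo.
# Report which trust anchor, if any, validates a presented certificate.
#   $1 = certificate the server presented (PEM)
#   $2 = roots of a stock browser install   $3 = corporate inspection CA
classify_issuer() {
    if openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo "public-root"
    elif openssl verify -no-CApath -CAfile "$3" "$1" >/dev/null 2>&1; then
        echo "corporate-inspection-ca"
    else
        echo "unknown-issuer"
    fi
}

# Create a self-signed CA: $1 = file prefix, $2 = subject CN.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$DEMO/ca.cnf" \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a leaf: $1 = CA prefix, $2 = leaf prefix, $3 = host name.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$DEMO/ca.cnf" \
        -subj "/CN=$3" -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -set_serial 1 -days 1 -out "$2.pem" 2>/dev/null
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
make_ca "$DEMO/public" "Constructed Public Root"
make_ca "$DEMO/corp" "Constructed Corp Inspection CA"
make_ca "$DEMO/other" "Constructed Unknown CA"
issue_leaf "$DEMO/public" "$DEMO/direct" addons.example.test
issue_leaf "$DEMO/corp" "$DEMO/proxied" addons.example.test
issue_leaf "$DEMO/other" "$DEMO/unknown" addons.example.test
for c in direct proxied unknown; do
    echo "$c: $(classify_issuer "$DEMO/$c.pem" "$DEMO/public.pem" "$DEMO/corp.pem")"
done
```

Only the "unknown-issuer" result leaves the question of who is terminating the connection open; the other two name the anchor that explains the chain.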


