General discussion split from NS Support about:config

[Tom T.]

...How can I add/remove items in noscript.clearClick.Exceptions? ... I know how to edit about:config tweaks but not the specific structure of the setting.

Leave a single blank space between each domain. No commas nor anything else. No end-of-string character is necessary. You can add/remove as many as you like in this manner.

Thanks, that's what I wanted to know!

You're quite welcome.

Weird coincidence, I have a former friend, on a well-known forum, who tracked IP addresses with an image (btw, for those interested, I dumped him as soon as I found out about his IP logging)... I was recently trying to get some "hard evidence" on his activity so he could be banned, but apparently that's going to be almost impossible/actually impossible to do...

If the site is interested, their logs should provide such evidence, shouldn't they? -- once you call it to their attention. The more details, the better (date range this occurred, the name or description of the image if you know it....)

I doubt the site admins could get him though, it looks like he's logging IP addresses as others' browsers fetch the image from his server (IIUC, browsers send the user's IP address to a server when they fetch an image from that server)

Correct. Which is how many web bugs work -- the page includes an "image" of 1x1 pixels, clear in color, called a "One-pixel clear gif" or whatever. Merely viewing the page causes your browser to retrieve the image, which is invisible to the user, and the image source receives the user's IP -- as any site, including this one, receives your IP when you access the site or any resource on it. (Else how do they know where to send the page?) This lets them know which pages were viewed by which IP user.

FWIW, I was demonstrating this to a friend, but instead of a clear gif, I made it bright red. On a screen of 1280x800, that single red pixel was almost invisible without a magnifying glass, and if you weren't looking for it, you'd never know it was there. This is *why* NS offers the "Forbid web bug" feature in Advanced > Untrusted.

- because he's got his own server, I don't think anyone could look at the source for that image-fetcher without breaking the law... and I doubt the site logs would help any, since they'd probably just show browsers fetching the image from my "friend"'s site... what a headache.

If you pointed out what you and the other Good Friend know, couldn't they remove the image from his page, even without proof? Send them a notarized affidavit or something?

DK if you actually want to go this far, but it might be a violation of law, so if the police or FBI wanted to bother (probably not, with much worse things happening), they could get a subpoena and/or search warrant and bust him. But it seems like awfully low priority, unless he's using the info for some kind of scam, in which case, it should be a definite priority for the FBI.

What exactly *does* he do with all of these IP addresses that he collects, anyway?
If he's not monetizing them somehow, then he has an awfully pathetic "life", eh?

Kudos for dumping a "friend" with such poor ethics.

Thanks!
IMHO, the only thing to learn from this guy is what not to do...

Absolutely. I see you're a sw dev. Wish they all had your ethics.

Cheers.

[computerfreaker]

I doubt the site admins could get him though, it looks like he's logging IP addresses as others' browsers fetch the image from his server (IIUC, browsers send the user's IP address to a server when they fetch an image from that server)

Correct. Which is how many web bugs work -- the page includes an "image" of 1x1 pixels, clear in color, called a "One-pixel clear gif" or whatever. Merely viewing the page causes your browser to retrieve the image, which is invisible to the user, and the image source receives the user's IP -- as any site, including this one, receives your IP when you access the site or any resource on it. (Else how do they know where to send the page?) This lets them know which pages were viewed by which IP user.

FWIW, I was demonstrating this to a friend, but instead of a clear gif, I made it bright red. On a screen of 1280x800, that single red pixel was almost invisible without a magnifying glass, and if you weren't looking for it, you'd never know it was there. This is *why* NS offers the "Forbid web bug" feature in Advanced > Untrusted.

Well, this guy's picture is absolutely huge - it's a "normal" picture in every way, and I wouldn't know it was a web bug unless my good friend had told me. No wonder the site admins haven't gotten him...

because he's got his own server, I don't think anyone could look at the source for that image-fetcher without breaking the law... and I doubt the site logs would help any, since they'd probably just show browsers fetching the image from my "friend"'s site... what a headache.

If you pointed out what you and the other Good Friend know, couldn't they remove the image from his page, even without proof? Send them a notarized affidavit or something?

The situation, unfortunately, is more complicated than that... my good friend was in the hospital last time I heard from him (over 2 months ago), and he may have passed away...
I don't have any proof myself, just what he told me... and I doubt he has any "hard" proof, just an e-mail conversation at best. An affidavit might get some sort of action, but it's questionable...

DK if you actually want to go this far, but it might be a violation of law, so if the police or FBI wanted to bother (probably not, with much worse things happening), they could get a subpoena and/or search warrant and bust him. But it seems like awfully low priority, unless he's using the info for some kind of scam, in which case, it should be a definite priority for the FBI.

I do not want to go this far... as I mentioned, I have no hard evidence... I don't have any evidence he did anything with the IP's, either.

What exactly *does* he do with all of these IP addresses that he collects, anyway?
If he's not monetizing them somehow, then he has an awfully pathetic "life", eh?

I have no idea what he does with the IP's. Some of them (including mine) are worthless to him, as they're dynamic IP's... and, AFAIK, he hasn't tried exploiting any of them.
I would guess this guy, like some others, just wants the feeling of power he can get by doing this... and yes, he has a very pathetic "life" if that's true.

Kudos for dumping a "friend" with such poor ethics.

Thanks!
IMHO, the only thing to learn from this guy is what not to do...

Absolutely. I see you're a sw dev. Wish they all had your ethics.

Cheers.

Thank you!

Cheers!

[Tom T.]

Well, this guy's picture is absolutely huge - it's a "normal" picture in every way, and I wouldn't know it was a web bug unless my good friend had told me. No wonder the site admins haven't gotten him...

Understood. I was just explaining how a "hidden" bug can be placed in, for example, an email to you (esp. a spam), so the sender knows if you've opened it. As soon as you open it, they get the hit. If not, not. Very useful to spammers who want to know which suckers open their messages. Or just anyone who wants to know if you've read the message.

For this reason, Yahoo! mail has an option (which I use, of course) to "block remote images" by default in all mail, unless and until you "click to allow" for that message. Very nice.

my good friend was in the hospital last time I heard from him (over 2 months ago), and he may have passed away...

Very sorry to hear that. My sympathy and condolences.

I don't have any proof myself, just what he told me... and I doubt he has any "hard" proof, just an e-mail conversation at best. An affidavit might get some sort of action, but it's questionable...

Agree. Nothing to go on.

I do not want to go this far... as I mentioned, I have no hard evidence... I don't have any evidence he did anything with the IP's, either.

Agree, no point in going to the law.

I would guess this guy, like some others, just wants the feeling of power he can get by doing this... and yes, he has a very pathetic "life" if that's true.

Yep. That *used* to be the motivation for a lot of "hackers" (script kiddies, twelve years old), before illicit hacking/cracking became a lucrative criminal enterprise, to steal credit card #s, botnet machines for DoS attacks and extort the victim, etc.

I see you're a sw dev. Wish they all had your ethics.

Thank you! :)Cheers!

You might find it interesting to know -- many people don't -- that NoScript dev Giorgio Maone is one of the world's best hackers, along with his good friend Sirdarckcat, who helps model threats for NS to meet, tries to find holes in NS, which he then reports privately to Giorgio, of course. This is one of the reasons why NS is so powerful, and why new threats are dealt with so rapidly. Let us all be thankful that these two world-class hackers are on our side!

[computerfreaker]

Well, this guy's picture is absolutely huge - it's a "normal" picture in every way, and I wouldn't know it was a web bug unless my good friend had told me. No wonder the site admins haven't gotten him...

Understood. I was just explaining how a "hidden" bug can be placed in, for example, an email to you (esp. a spam), so the sender knows if you've opened it. As soon as you open it, they get the hit. If not, not. Very useful to spammers who want to know which suckers open their messages. Or just anyone who wants to know if you've read the message.

For this reason, Yahoo! mail has an option (which I use, of course) to "block remote images" by default in all mail, unless and until you "click to allow" for that message. Very nice.

I'll have to enable that setting in my own e-mail account... (side note, lately I've really had to lock down protections on FF, my e-mail account, my computer, etc... ignorance really is bliss until reality hits)

my good friend was in the hospital last time I heard from him (over 2 months ago), and he may have passed away...

Very sorry to hear that. My sympathy and condolences.

Thanks, hopefully he's OK and is just recuperating... triple bypass surgery is no picnic

I don't have any proof myself, just what he told me... and I doubt he has any "hard" proof, just an e-mail conversation at best. An affidavit might get some sort of action, but it's questionable...

Agree. Nothing to go on.

I do not want to go this far... as I mentioned, I have no hard evidence... I don't have any evidence he did anything with the IP's, either.

Agree, no point in going to the law.

I would guess this guy, like some others, just wants the feeling of power he can get by doing this... and yes, he has a very pathetic "life" if that's true.

Yep. That *used* to be the motivation for a lot of "hackers" (script kiddies, twelve years old), before illicit hacking/cracking became a lucrative criminal enterprise, to steal credit card #s, botnet machines for DoS attacks and extort the victim, etc.

Still can't figure out why some people find it enjoyable to do things like that...

I see you're a sw dev. Wish they all had your ethics.

Thank you! :)Cheers!

You might find it interesting to know -- many people don't -- that NoScript dev Giorgio Maone is one of the world's best hackers, along with his good friend Sirdarckcat, who helps model threats for NS to meet, tries to find holes in NS, which he then reports privately to Giorgio, of course. This is one of the reasons why NS is so powerful, and why new threats are dealt with so rapidly. Let us all be thankful that these two world-class hackers are on our side!

Wow, I didn't know that... that is really cool!
Yep, I'm very glad these two uber-geeks (hope nobody takes offense; where I live, calling someone an uber-geek is the highest compliment) are on our side...

[Tom T.]

For this reason, Yahoo! mail has an option (which I use, of course) to "block remote images" by default in all mail, unless and until you "click to allow" for that message. Very nice.

I'll have to enable that setting in my own e-mail account... (side note, lately I've really had to lock down protections on FF, my e-mail account, my computer, etc... ignorance really is bliss until reality hits)

The Internet has become a sewer. Sad, but true. And the trend is going in the wrong direction.

All we can do is the same as if you lived in a high-crime neighborhood: Lock down everything as tightly as you can, and be very choosy about whom you let in the door, and with what. Use NoScript in 100%-lockdown mode, which is pretty much the default. Just add your secure sites to the "Force HTTPS cookies and behavior" in Advanced.

Also, send and receive e-mail in plain text only. Encourage your friends to send you only plain-text email, not HTML-enriched ("rich text" or "text and graphics").
I got very mad at an online bank for sending me an HTML-enriched email. They brushed off my complaint. Banks are the most ignorant of security. Go figure.

I would guess this guy, like some others, just wants the feeling of power he can get by doing this... and yes, he has a very pathetic "life" if that's true.

Yep. That *used* to be the motivation for a lot of "hackers" (script kiddies, twelve years old), before illicit hacking/cracking became a lucrative criminal enterprise, to steal credit card #s, botnet machines for DoS attacks and extort the victim, etc.

Still can't figure out why some people find it enjoyable to do things like that...

Typically, they're losers who have no feeling of power or control over their own lives, nor any feeling of accomplishment. So they get these feelings of power, control, and accomplishment by their Internet "Aha! Gotcha!" tricks. Of course, they could put the same energy into something useful... Or they're angry at the world for whatever reason. About the same level as spray-painting graffiti, throwing eggs at houses, or ringing the doorbell and running away. They may be adult-aged, but still juvenile in development. Sad, really.

Yep, I'm very glad these two uber-geeks (hope nobody takes offense; where I live, calling someone an uber-geek is the highest compliment) are on our side...

You'll note that in the "smilies", we have "geek" and "uber-geek". (the ones with glasses). You're in the right place to compliment someone by calling them an uber-geek!

[computerfreaker]

For this reason, Yahoo! mail has an option (which I use, of course) to "block remote images" by default in all mail, unless and until you "click to allow" for that message. Very nice.

I'll have to enable that setting in my own e-mail account... (side note, lately I've really had to lock down protections on FF, my e-mail account, my computer, etc... ignorance really is bliss until reality hits)

The Internet has become a sewer. Sad, but true. And the trend is going in the wrong direction.

All we can do is the same as if you lived in a high-crime neighborhood: Lock down everything as tightly as you can, and be very choosy about whom you let in the door, and with what. Use NoScript in 100%-lockdown mode, which is pretty much the default. Just add your secure sites to the "Force HTTPS cookies and behavior" in Advanced.

yep, NoScript is always in 100%-lockdown mode... when I allow a site, it's begrudgingly done and only if I'm certain it's a trustworthy site; generally, it's a temporary-allow only. I can count on one hand the number of permanently-allowed sites I have...
Just wondering, is there a way to force sites to work with HTTPS cookies and behavior? (yes, I've read the NoScript FAQ, especially the questions about this... but my school sites don't use HTTPS cookies - I've already notified the principal, but I don't want to wait and see if somebody gets pwned...)

Also, send and receive e-mail in plain text only. Encourage your friends to send you only plain-text email, not HTML-enriched ("rich text" or "text and graphics").
I got very mad at an online bank for sending me an HTML-enriched email. They brushed off my complaint. Banks are the most ignorant of security. Go figure.

Just turned off HTML-viewing in my e-mail account... works out pretty well anyway, 99% of the e-mail I get is plain-text...

I would guess this guy, like some others, just wants the feeling of power he can get by doing this... and yes, he has a very pathetic "life" if that's true.

Yep. That *used* to be the motivation for a lot of "hackers" (script kiddies, twelve years old), before illicit hacking/cracking became a lucrative criminal enterprise, to steal credit card #s, botnet machines for DoS attacks and extort the victim, etc.

Still can't figure out why some people find it enjoyable to do things like that...

Typically, they're losers who have no feeling of power or control over their own lives, nor any feeling of accomplishment. So they get these feelings of power, control, and accomplishment by their Internet "Aha! Gotcha!" tricks. Of course, they could put the same energy into something useful... Or they're angry at the world for whatever reason. About the same level as spray-painting graffiti, throwing eggs at houses, or ringing the doorbell and running away. They may be adult-aged, but still juvenile in development. Sad, really.

yes, it's sad... (especially since they could get more feelings of power, control, accomplishment, whatever by creating some useful software and releasing it... that's what I'm doing now, creating open-source software. Very satisfying to look back at a few hundred lines of code)
Especially sad is the way a lot of governments ignore the spam servers (Russia, China, other Asian countries... then the classic "Nigerian prince" scam)
EDIT: this is really pathetic. I was looking at one of RSnake's articles and noticed a comment where someone mentioned "zf05". I generally Google any acronym I don't know, so I Googled this one too... look what I found. hxxp://sucuri.net/mirror/zf05.txt
It doesn't get much sicker than this... (my content filter was absolutely screaming about this page, to boot)

Yep, I'm very glad these two uber-geeks (hope nobody takes offense; where I live, calling someone an uber-geek is the highest compliment) are on our side...

You'll note that in the "smilies", we have "geek" and "uber-geek". (the ones with glasses). You're in the right place to compliment someone by calling them an uber-geek!

Cool! I'd noticed those smilies but hadn't seen them used anywhere on here... rock on, fellow geeks & uber-geeks!

[Tom T.]

Just wondering, is there a way to force sites to work with HTTPS cookies and behavior? (yes, I've read the NoScript FAQ, especially the questions about this... but my school sites don't use HTTPS cookies - I've already notified the principal, but I don't want to wait and see if somebody gets pwned...)

You can't force an HTTPS connection if the server won't accept such requests. So if the school's site is unsecured, which it sounds like, you'd have to convince them to secure it, or at least to allow secure requests. Only after they will present or allow HTTPS connections can you use the Force Secure Cookies. Note the wording in the Secure Cookies tab:

Force encryption for all the cookies set over HTTPS...

Very few non-security people seem to know it, but some unsecured sites will accept a secure request. For example, consider http://update.microsoft.com. I've never seen or heard this fact anywhere else, but just by experimentation, I found that you can use, and bookmark, https://update.microsoft.com, and you will indeed get a secure connection, even with Firefox. To actually use the secure Update, you'd have to set Automatic Update to "notify only", use IE, and put that site in IE's trusted zone. When they warn you about "both secure and insecure material -- do you want to display the insecure?", you must say, "No", or they'll take you back to the insecure site. Saves their bandwidth and server time, etc.

You'll also get a browser warning of a name mismatch on the security certificate. I notified them of this a year or so ago. They said nothing, but fixed it a few months later. Not even a "thanks". Now, the mismatch error is back. Guess when they renewed the certificate, they made the same mistake. Can't teach an old dog new tricks.... That's one reason I get my MS updates manually with Fx instead of using Win Update. (ots of other reasons. Not being pushed to take IE 8, etc.)

(Script kiddies:)

yes, it's sad... (especially since they could get more feelings of power, control, accomplishment, whatever by creating some useful software and releasing it...

True, but the reason behind the derogatory nick "script kiddy" was that some of them had no programming skills at all, but just went to some warez site, copy/pasted a malicious code, emailed it out or sent it en masse over the Net, back when a lot of Win machines had ports open by default (before they turned on the firewall by default in 2004 with XP's SP2).

that's what I'm doing now, creating open-source software. Very satisfying to look back at a few hundred lines of code)

Cool. When it's ready, PM me. Love to see it.

I think Giorgio has a right to be proud of his 20,000 or so lines of open-source code in NoScript, don't you?

My own pet peeve is sw bloat. For a little anti-bloat project of my own, see http://home.earthlink.net/~tomt33/id1.html. NOTE: If you go there, you are leaving the NS forum. That is my own site and my own work, not in any way endorsed by this forum, NoScript, Informaction, Giorgio Maone, nor anyone else.

Especially sad is the way a lot of governments ignore the spam servers (Russia, China, other Asian countries... then the classic "Nigerian prince" scam)

There's a good deal of speculation that even if the Chinese government isn't directly involved in some of these attacks, they encourage their citizens to do them, and perhaps reap the benefit of, e. g., the hacking of some US Military networks. The hackers are made to feel patriotic and proud, even just for harassment-type hacking. Not proven, of course, and hard to prove.

EDIT: this is really pathetic. I was looking at one of RSnake's articles and noticed a comment where someone mentioned "zf05". I generally Google any acronym I don't know, so I Googled this one too... look what I found. hxxp://sucuri.net/mirror/zf05.txt
It doesn't get much sicker than this... (my content filter was absolutely screaming about this page, to boot)

Note that the URL was edited, by moi, to be non-functional. That's standard practice here: If someone cites a malicious URL, to expose it, warn people, or ask questions about how to guard against the exploit, the poster usually tweaks it so that if a novice unknowingly clicks it, they don't get harmed. Knowledgeable users who know how to go there safely will replace the proper prefix. If the poster doesn't tweak it, we do, if we catch it.

Lots of black-hat hacker sites around. (That's where the "script kiddies" sometimes get their goodies.) However, I've got so many lockdowns in place, I got no alarms whatsoever, and the page displayed in plain text, like a typewritten sheet. Of course, scripting and other executable content wasn't allowed.

The parody of "Paint It Black" by The Rolling Stones would have been kind of funny, if they weren't such sick people.

rock on, fellow geeks & uber-geeks!

Rock on, indeed!

[computerfreaker]

You can't force an HTTPS connection if the server won't accept such requests. So if the school's site is unsecured, which it sounds like, you'd have to convince them to secure it, or at least to allow secure requests. Only after they will present or allow HTTPS connections can you use the Force Secure Cookies.

It's unsecured, and trying a https:// connection results in an "Invalid security certificate" warning. Side note, that seems to be the standard thing when I try to use https:// with any site that normally uses http://... I tried https:// on a few sites (school sites, forums, etc. - even this forum) and the standard reaction was "Invalid security certificate" (and with good reason - the cert was issued for different subdomains, every time; generally secure.somesite.com)

Note the wording in the Secure Cookies tab:

Force encryption for all the cookies set over HTTPS...

Very few non-security people seem to know it, but some unsecured sites will accept a secure request. For example, consider http://update.microsoft.com. I've never seen or heard this fact anywhere else, but just by experimentation, I found that you can use, and bookmark, https://update.microsoft.com, and you will indeed get a secure connection, even with Firefox.

Interesting!
Just tried it with Google Search, but no luck...

You'll also get a browser warning of a name mismatch on the security certificate. I notified them of this a year or so ago. They said nothing, but fixed it a few months later. Not even a "thanks". Now, the mismatch error is back. Guess when they renewed the certificate, they made the same mistake. Can't teach an old dog new tricks....

With MS, apparently you can't teach them any tricks...
So... since you're ignoring the mismatch on update.microsoft.com, it's OK for me to ignore it on other sites? (School site, trusted forums, etc.)
I've always taken the security mismatch as a "Get me out of here" flag...

That's one reason I get my MS updates manually with Fx instead of using Win Update. (ots of other reasons. Not being pushed to take IE 8, etc.)

Think I'll do the same from now on. I recently used Windows Update to pick up a couple of "critical" (MS's wording) update packs, and got the .NET addon pushed along with it... boy, was I mad. Had no trouble removing it, fortunately...

(Script kiddies:)

yes, it's sad... (especially since they could get more feelings of power, control, accomplishment, whatever by creating some useful software and releasing it...

True, but the reason behind the derogatory nick "script kiddy" was that some of them had no programming skills at all, but just went to some warez site, copy/pasted a malicious code, emailed it out or sent it en masse over the Net, back when a lot of Win machines had ports open by default (before they turned on the firewall by default in 2004 with XP's SP2).

Oh, so they don't even know how to write a program, malicious or otherwise... I see...

[quote="computerfreaker"that's what I'm doing now, creating open-source software. Very satisfying to look back at a few hundred lines of code)

Cool. When it's ready, PM me. Love to see it.[/quote]
Sure, I'll be happy to!
I actually have one closed-source app out right now, and it works pretty well, but the GUI is awful and it needs a few more functions (plus some other minor changes), then I'm going to send it out as FOSS (free, open-source software ).

I think Giorgio has a right to be proud of his 20,000 or so lines of open-source code in NoScript, don't you?

Definitely.
He's also got every right to be proud of the hundreds of thousands of people who use NoScript, as well as the fact that some (including me) who have it as their primary level of protection... and also the constant headaches NoScript causes crackers. I recently visited a black-hat forum, and saw this exchange (quoted from memory, probably not exact but close enough)...
"Can someone give me the basics of XSS attacks?"
"Search the site for vulnerabilities, look at the coding competitions and see how it's done, figure out how to bypass NoScript"

My own pet peeve is sw bloat. For a little anti-bloat project of my own, see http://home.earthlink.net/~tomt33/id1.html.

That's pretty cool, I never knew software could be dissected like that... maybe time for me to prod some of the apps on my computer.

Especially sad is the way a lot of governments ignore the spam servers (Russia, China, other Asian countries... then the classic "Nigerian prince" scam)

There's a good deal of speculation that even if the Chinese government isn't directly involved in some of these attacks, they encourage their citizens to do them, and perhaps reap the benefit of, e. g., the hacking of some US Military networks. The hackers are made to feel patriotic and proud, even just for harassment-type hacking. Not proven, of course, and hard to prove.

I've heard that... including in the power-grid cracking. Wouldn't surprise me if the Chinese government really was behind it... (dang, those commies are good at propaganda, brainwashing, kind of leading & controlling people without them realizing it)

Note that the URL was edited, by moi, to be non-functional. That's standard practice here: If someone cites a malicious URL, to expose it, warn people, or ask questions about how to guard against the exploit, the poster usually tweaks it so that if a novice unknowingly clicks it, they don't get harmed. Knowledgeable users who know how to go there safely will replace the proper prefix. If the poster doesn't tweak it, we do, if we catch it.

My apologies for not doing that myself. I'll remember that in the future...

Lots of black-hat hacker sites around. (That's where the "script kiddies" sometimes get their goodies.) However, I've got so many lockdowns in place, I got no alarms whatsoever, and the page displayed in plain text, like a typewritten sheet. Of course, scripting and other executable content wasn't allowed.

No safety alarms, just content alarms (i.e. bad words )
(NoScript also said there weren't any scripts on the page, and it was just a .txt file, so I doubt there could be any scripts in there)

The parody of "Paint It Black" by The Rolling Stones would have been kind of funny, if they weren't such sick people.

Sick is right... some of the things they said about security researchers were shockingly shameful & probably totally untrue...

G2G, it's 8:30 here and I have to get to school... ttyl!

[Tom T.]

You'll also get a browser warning of a name mismatch on the security certificate. I notified them of this a year or so ago. They said nothing, but fixed it a few months later. Not even a "thanks". Now, the mismatch error is back. Guess when they renewed the certificate, they made the same mistake. Can't teach an old dog new tricks....

With MS, apparently you can't teach them any tricks...
So... since you're ignoring the mismatch on update.microsoft.com, it's OK for me to ignore it on other sites? (School site, trusted forums, etc.)
I've always taken the security mismatch as a "Get me out of here" flag...

Just checked, and it seems like they've fixed it again. Maybe someone else complained this time.

So long as the mismatch is still properly within the domain, and is just the typical:
Site name: secure.example.com
Cert issued to: index.example.com or just example.com etc.

Assuming it's a reputable, respected site (special exception for MS, of course, ) I'll assume that they were just careless in the application for the SSL cert, because, as you mentioned, it's such a common error. But if it's outside the domain --- example.com's cert issued to beijing.cn , yeah, run. And report it. But I've never seen that, probably because I tend to stick to well-known, reputable sites anyway. And sure, email the webmaster and let him/her know that their site is giving browser warnings. That should embarrass them into correcting it, you'd hope.

That's one reason I get my MS updates manually with Fx instead of using Win Update. (ots of other reasons. Not being pushed to take IE 8, etc.)

Think I'll do the same from now on. I recently used Windows Update to pick up a couple of "critical" (MS's wording) update packs, and got the .NET addon pushed along with it... boy, was I mad. Had no trouble removing it, fortunately...

Well, once I learned that MS will push garbage on you (several years ago), I set AutoUpdate to "notify only, don't d/l or install." Then I would examine every suggested update, uncheck the ones I didn't want, check "Don't show me again..." ... Since I was vetting them all manually anyway, it's just as fast -- or faster -- to skip the ActiveX scan of the machine and the rejection of the unwanted, and just search MS Downloads for all (in my case) Win XP "windows and security updates" issued in the last 30 days, sorted by date order/newest first, read the security bulletins, and if it's applicable, just manually d/l the installer. A lot quicker d/l that way, too, vs letting AU do it for you. Run them, rebooot, etc. IMHO. Not official forum advice. YMMV.

I recently visited a black-hat forum, and saw this exchange (quoted from memory, probably not exact but close enough)...
"Can someone give me the basics of XSS attacks?"
"Search the site for vulnerabilities, look at the coding competitions and see how it's done, figure out how to bypass NoScript"

That's the highest possible compliment.

It also tells us how many such exploits there must be for every machine not running NoScript.

My own pet peeve is sw bloat. For a little anti-bloat project of my own, see http://home.earthlink.net/~tomt33/id1.html.

That's pretty cool, I never knew software could be dissected like that... maybe time for me to prod some of the apps on my computer.

Depends on how badly you need to reclaim disk space, or how fanatic you are about keeping your drive clean and small. My *entire* HDD uses under 1 GB -- about 940 MB, but I've had it as low as 825. The Windows folder was cut from 2700 MB to 275. Combined with no more swapping RAM to disk, as mentioned above, this makes a bottom-end laptop much faster than machines costing 2-3x as much, running in typical mode. BUT make sure you know what you're doing; back up the entire thing first with full-disk-imaging sw, PLUS drag-n-drop backups of all folders and files to CD or DVD, in case they're ever needed. Go one step at a time; test everything, and wait a week or two to make sure nothing breaks before taking another bite. Nothing worse than making changes, then two weeks later your media player or pdf reader or whatever breaks, and you can't associate it with which change. Not official forum advice. Advanced users only, at your own risk. I can PM you the Windows slimming guide that I used, with some caveats, as I'd rather not publicly encourage it, or you can do a search.

Lots of black-hat hacker sites around. (That's where the "script kiddies" sometimes get their goodies.) However, I've got so many lockdowns in place, I got no alarms whatsoever, and the page displayed in plain text, like a typewritten sheet. Of course, scripting and other executable content wasn't allowed.

No safety alarms, just content alarms (i.e. bad words )
(NoScript also said there weren't any scripts on the page, and it was just a .txt file, so I doubt there could be any scripts in there)

Well, there was *code* for scripts, but since none of them were actually trying to load or run, NS wasn't concerned. It just stops those actually trying to run.

[computerfreaker]

Just checked, and it seems like they've fixed it again. Maybe someone else complained this time.

yes, it's fixed until the next time (3 months life expectancy on that fix, given it's MS... )

So long as the mismatch is still properly within the domain, and is just the typical:
Site name: secure.example.com
Cert issued to: index.example.com or just example.com etc.

yep, that's pretty much what I'm seeing...
Example, REALbasic forums
Site name: forums.realsoftware.com
Cert issued to: secure.realsoftware.com

Assuming it's a reputable, respected site (special exception for MS, of course, ) I'll assume that they were just careless in the application for the SSL cert, because, as you mentioned, it's such a common error. But if it's outside the domain --- example.com's cert issued to beijing.cn , yeah, run. And report it.

Who would I report it to? The owner of example.com, in this case?

But I've never seen that, probably because I tend to stick to well-known, reputable sites anyway. And sure, email the webmaster and let him/her know that their site is giving browser warnings. That should embarrass them into correcting it, you'd hope.

I've never seen the "outside-domain cert" thing, but plenty of "inside-domain cert" errors, especially since I learned about cookie hijacking and started trying to move most/all of my traffic to https://

That's one reason I get my MS updates manually with Fx instead of using Win Update. (ots of other reasons. Not being pushed to take IE 8, etc.)

Think I'll do the same from now on. I recently used Windows Update to pick up a couple of "critical" (MS's wording) update packs, and got the .NET addon pushed along with it... boy, was I mad. Had no trouble removing it, fortunately...

Well, once I learned that MS will push garbage on you (several years ago), I set AutoUpdate to "notify only, don't d/l or install." Then I would examine every suggested update, uncheck the ones I didn't want, check "Don't show me again..." ... Since I was vetting them all manually anyway, it's just as fast -- or faster -- to skip the ActiveX scan of the machine and the rejection of the unwanted, and just search MS Downloads for all (in my case) Win XP "windows and security updates" issued in the last 30 days, sorted by date order/newest first, read the security bulletins, and if it's applicable, just manually d/l the installer. A lot quicker d/l that way, too, vs letting AU do it for you. Run them, rebooot, etc. IMHO. Not official forum advice. YMMV.

Sounds good. Especially since I'm on a relatively new laptop, I have to wonder how hardened it is... going to have to take a few hours and look through the patches to see what's missing.

I recently visited a black-hat forum, and saw this exchange (quoted from memory, probably not exact but close enough)...
"Can someone give me the basics of XSS attacks?"
"Search the site for vulnerabilities, look at the coding competitions and see how it's done, figure out how to bypass NoScript"

That's the highest possible compliment.

Thought so, that's why I quoted it

It also tells us how many such exploits there must be for every machine not running NoScript.

Unfortunately, yes... what a pity; to paraphrase a well-known lament, "for the sake of a 500 KB download a computer was lost." (And not just one, but probably thousands)

My own pet peeve is sw bloat. For a little anti-bloat project of my own, see http://home.earthlink.net/~tomt33/id1.html.

That's pretty cool, I never knew software could be dissected like that... maybe time for me to prod some of the apps on my computer.

Depends on how badly you need to reclaim disk space, or how fanatic you are about keeping your drive clean and small. My *entire* HDD uses under 1 GB -- about 940 MB, but I've had it as low as 825. The Windows folder was cut from 2700 MB to 275. Combined with no more swapping RAM to disk, as mentioned above, this makes a bottom-end laptop much faster than machines costing 2-3x as much, running in typical mode. BUT make sure you know what you're doing; back up the entire thing first with full-disk-imaging sw, PLUS drag-n-drop backups of all folders and files to CD or DVD, in case they're ever needed. Go one step at a time; test everything, and wait a week or two to make sure nothing breaks before taking another bite. Nothing worse than making changes, then two weeks later your media player or pdf reader or whatever breaks, and you can't associate it with which change. Not official forum advice. Advanced users only, at your own risk. I can PM you the Windows slimming guide that I used, with some caveats, as I'd rather not publicly encourage it, or you can do a search.

Sure, I'd love to see the guide. Might not use it now, but it will probably come in handy later on... and I can definitely learn some things from it. Thanks!

Lots of black-hat hacker sites around. (That's where the "script kiddies" sometimes get their goodies.) However, I've got so many lockdowns in place, I got no alarms whatsoever, and the page displayed in plain text, like a typewritten sheet. Of course, scripting and other executable content wasn't allowed.

No safety alarms, just content alarms (i.e. bad words )
(NoScript also said there weren't any scripts on the page, and it was just a .txt file, so I doubt there could be any scripts in there)

Well, there was *code* for scripts, but since none of them were actually trying to load or run, NS wasn't concerned. It just stops those actually trying to run.

That's what I meant - no actual scripts, just code for them...

[Tom T.]

But if it's outside the domain --- example.com's cert issued to beijing.cn , yeah, run. And report it.

Who would I report it to? The owner of example.com, in this case?

Well, reporting it to beijing.cn probably wouldn't do much good. .. and yeah, the owners of example.com would probably like to know about it.

(MS Update)

Sounds good. Especially since I'm on a relatively new laptop, I have to wonder how hardened it is... going to have to take a few hours and look through the patches to see what's missing.

*That* would be one time I'd use Auto-Up, but on "notify only", then check the list for the good, the bad (SP 3, IE 7, IE 8) and the ugly (.NET, etc.). More efficient than looking through a couple of year's worth of updates, or whenever your OEM's installed Win image was dated.

It also tells us how many such exploits there must be for every machine not running NoScript.

Unfortunately, yes... what a pity; to paraphrase a well-known lament, "for the sake of a 500 KB download a computer was lost." (And not just one, but probably thousands)

Millions. Several random surveys have shown that 80-90% of home PCs have some kind of malware. And then, as per discussion on this site, many JS attacks operate directly in the browser and leave no traces on your HD, only on your bank account, credit cards....

(Bloat:)

Sure, I'd love to see the guide. Might not use it now, but it will probably come in handy later on... and I can definitely learn some things from it. Thanks!

Will PM to you.

[computerfreaker]

But if it's outside the domain --- example.com's cert issued to beijing.cn , yeah, run. And report it.

Who would I report it to? The owner of example.com, in this case?

Well, reporting it to beijing.cn probably wouldn't do much good. .. and yeah, the owners of example.com would probably like to know about it.

Well, I wasn't sure if there was a sort of central authority to report it to (sort of like reporting a scam business to the Better Business Bureau), or if it was a "report to the website admin" thing. Now I know, thanks!

(MS Update)

Sounds good. Especially since I'm on a relatively new laptop, I have to wonder how hardened it is... going to have to take a few hours and look through the patches to see what's missing.

*That* would be one time I'd use Auto-Up, but on "notify only", then check the list for the good, the bad (SP 3, IE 7, IE 8) and the ugly (.NET, etc.). More efficient than looking through a couple of year's worth of updates, or whenever your OEM's installed Win image was dated.

Lucky I had wireless Internet today (went to the library), as I had 14 updates waiting for me... they all seemed fairly important (remote code execution patches), but I need to prod the computer and see if anything got screwed up. A .NET update got installed too (another "critical patch", fixing a "remote code execution vulnerability", so I decided to play it safe, given the huge .NET attack vector), so I might have to re-un-install the .NET plugin...

It also tells us how many such exploits there must be for every machine not running NoScript.

Unfortunately, yes... what a pity; to paraphrase a well-known lament, "for the sake of a 500 KB download a computer was lost." (And not just one, but probably thousands)

Millions. Several random surveys have shown that 80-90% of home PCs have some kind of malware. And then, as per discussion on this site, many JS attacks operate directly in the browser and leave no traces on your HD, only on your bank account, credit cards....

Oh my goodness, that really is a lot of computers...

quote="Tom T."](Bloat:)

Sure, I'd love to see the guide. Might not use it now, but it will probably come in handy later on... and I can definitely learn some things from it. Thanks!

Will PM to you.[/quote]
Got it & replied, thanks a lot!

[Tom T.]

But if it's outside the domain --- example.com's cert issued to beijing.cn , yeah, run. And report it.

Who would I report it to? The owner of example.com, in this case?

Well, reporting it to beijing.cn probably wouldn't do much good. .. and yeah, the owners of example.com would probably like to know about it.

Well, I wasn't sure if there was a sort of central authority to report it to (sort of like reporting a scam business to the Better Business Bureau), or if it was a "report to the website admin" thing. Now I know, thanks!

I think we were both kind of kidding there -- you're not really going to see beijing.cn. But yeah, the FBI would want to know. -- as with any other scam.

Scarier is a *forged* certificate, with an unpatched Win vuln allowing someone to post a forged PayPal cert on the Net. You'd have no way of knowing. MS finally patched the vuln recently after that bad publicity -- ten weeks after the vuln was disclosed.

If it's somewhere in between, then aside from the site, you might contact the authority who issued the cert - Verisign, Equifax, etc.

But as you said, we almost never see those. Usually what we see is the simple mistakes within the domain, not complete mismatches. Phishing attacks often make some phony padlock icon, knowing most people don't check the cert. Hence things like browser address bar color changes, etc. Safest is: don't click links to go to your bank or whatever. Hand-type it, or bookmark it and make sure that what comes up in the address bar is correct.

Lucky I had wireless Internet today (went to the library), as I had 14 updates waiting for me... they all seemed fairly important (remote code execution patches), but I need to prod the computer and see if anything got screwed up. A .NET update got installed too (another "critical patch", fixing a "remote code execution vulnerability", so I decided to play it safe, given the huge .NET attack vector), so I might have to re-un-install the .NET plugin...

Not bragging or anything, but when I first heard about .NET, I thought, "That's a bad idea." (Well, considering the source, it doesn't take a genius. )
So when offered 1.0 on the machine from 2005, I "just said no", and have ever since. When it came installed OOB on a puter bought in 2008, it was uninstalled before the machine ever hit the Net, and before MS kept making it harder and harder to uninstall. And somehow, I've never missed it...

Now that MS has unleashed a second attack on Fx, Mozilla has developed the disablement of such "features". Don't miss the linked article and some of the links in it. (That's Giorgio's blog, also "must-read" for the security-minded.)

[computerfreaker]

But if it's outside the domain --- example.com's cert issued to beijing.cn , yeah, run. And report it.

Who would I report it to? The owner of example.com, in this case?

Well, reporting it to beijing.cn probably wouldn't do much good. .. and yeah, the owners of example.com would probably like to know about it.

Well, I wasn't sure if there was a sort of central authority to report it to (sort of like reporting a scam business to the Better Business Bureau), or if it was a "report to the website admin" thing. Now I know, thanks!

I think we were both kind of kidding there -- you're not really going to see beijing.cn. But yeah, the FBI would want to know. -- as with any other scam.

Wow, hadn't even thought of the FBI...

Scarier is a *forged* certificate, with an unpatched Win vuln allowing someone to post a forged PayPal cert on the Net. You'd have no way of knowing. MS finally patched the vuln recently after that bad publicity -- ten weeks after the vuln was disclosed.

Well, I heard we Fx users were safe - Mozilla fixed the bug in Fx, but IE, Safari and Chrome were left out in the cold until MS finally decided to mobilize its big fat bulk and do something. <sarcasm>10 weeks is actually a fairly good time for MS, isn't it? </sarcasm>

If it's somewhere in between, then aside from the site, you might contact the authority who issued the cert - Verisign, Equifax, etc.

Good idea, since the cert authority will probably want to change the compromised site's cert...

But as you said, we almost never see those. Usually what we see is the simple mistakes within the domain, not complete mismatches.

I see the in-domain mistakes all the time (including here on the Informaction forums) - even for my school site.

Phishing attacks often make some phony padlock icon, knowing most people don't check the cert. Hence things like browser address bar color changes, etc.

I've developed the habit of always looking at the Fx location bar to see if the address bar's changed color - if the page isn't using SSL, I try to remedy things myself (going to https://somesite.com instead of http://somesite.com)...

Safest is: don't click links to go to your bank or whatever. Hand-type it, or bookmark it and make sure that what comes up in the address bar is correct.

I generally bookmark sites like that... too much margin for error otherwise. Stumbled across hxxp://googe.com (disabled link by changing http to hxxp, might be malicious) - looks exactly like google search. Might be, or might not be... wouldn't care to find out the hard way.

Lucky I had wireless Internet today (went to the library), as I had 14 updates waiting for me... they all seemed fairly important (remote code execution patches), but I need to prod the computer and see if anything got screwed up. A .NET update got installed too (another "critical patch", fixing a "remote code execution vulnerability", so I decided to play it safe, given the huge .NET attack vector), so I might have to re-un-install the .NET plugin...

Not bragging or anything, but when I first heard about .NET, I thought, "That's a bad idea." (Well, considering the source, it doesn't take a genius. )
So when offered 1.0 on the machine from 2005, I "just said no", and have ever since. When it came installed OOB on a puter bought in 2008, it was uninstalled before the machine ever hit the Net, and before MS kept making it harder and harder to uninstall. And somehow, I've never missed it...

I uninstalled the .NET Fx addon, but left the main program/framework there... a few apps I use seem to rely on it somewhat. Wish I could ditch the stinking thing though... (probably would if I knew it wouldn't break anything)

Now that MS has unleashed a second attack on Fx, Mozilla has developed the disablement of such "features". Don't miss the linked article and some of the links in it. (That's Giorgio's blog, also "must-read" for the security-minded.)

Funny you should mention that article, I just saw it yesterday! (Even after Fx automatically re-enabled the Windows Presentation Foundation plugin, I manually disabled it - don't want that enabled unless it's absolutely necessary)
And yep, I've seen Mr. Maone's blog before - you're dead-on, "must-read". Even for the non-security-minded, it's got some very interesting stuff... (side note, I first learned about the "Blue Pill" there, fascinating technology!)