Recently, NoScript protected me from a possible XSS attack. At the end I will discuss the attack. While looking through the log output, something else caught my eye. Let me preface it in the following way.
From using Firefox we know that if we try to visit a page over HTTPS and there is a problem with the connection, certificate, etc. then there will be a warning message which tells us the connection is untrusted and presents us with some options. The options are something like
1. get me out of here
2. show me the details
3. I understand the risks and will click on through
The log report contained the following.
For the sake of argument, let me call the website www.mfs.com, where mfs stands for "my favorite site." I connected to https://www.mfs.com without difficulty. In NoScript I allowed the script for https://www.mfs.com. I allowed another script, https://ssl-mfs-blahblahblah.com, which I needed to use the website properly. (Since I use RequestPolicy also, I needed to let the two sites talk to one another.) The website seemed to function properly. Later, when I looked at the log report I noticed the following:
ssl-mfs-blahblahblah.com:443 uses an invalid security certificate.
The certificate is only valid for *.someothersite.com
(Error code: ssl_error_bad_cert_domain)
<unknown>
What happened? If I had tried to visit ssl-mfs-blahblahblah.com directly then would Firefox have presented the usual warning message? If so, did NoScript choose the "get me out of here" option or the "I understand the risks and will click on through" option? Is there a way for NoScript to notify me of such a situation and let me choose the course of action?
Otherwise, as for the possible XSS attack, on https://www.mfs.com I opened a link to www.somethingelse.com. It offered a choice between http://www.somethingelse.com and https://www.somethingelse.com. That triggered the alert from NoScript. I closed the link. The log report said NoScript "Sanitized suspicious upload...transformed into a download-only GET request."
Thanks,
Ryan
(P.S. Later I did visit ssl-mfs-blahblahblah.com and received such a warning from Firefox.)
handling SSL certificates
only1ryan
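As an added illustration (not part of the original post, and not code from NoScript or Firefox): the check that produces the ssl_error_bad_cert_domain message above is a comparison of the hostname the browser connected to (here the third-party script host, not the top-level page) against the DNS names listed in the server's certificate. The certificate names below are constructed for the example, reusing the wildcard from the post; the function names are my own. The wildcard rules implemented are the conservative ones browsers apply: the wildcard must be the entire leftmost label, it matches exactly one label, and (as a simplification of the public-suffix check) at least two labels must remain to its right.

```python
"""Match a hostname against a certificate's dNSName entries, the way a
browser does before reporting ssl_error_bad_cert_domain.

Added example for the forum thread; not from NoScript or Firefox.
"""
import ipaddress

# Constructed certificate names for the example. A real certificate would be
# parsed from DER/PEM; here the subjectAltName dNSName list is hard-coded,
# using the wildcard quoted in the post plus extra names for edge cases.
SAMPLE_CERT_DNS_NAMES = [
    "*.someothersite.com",
    "someothersite.com",
    "www.example.org",
]


def _labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate dNSName with a hostname.

    - case-insensitive, trailing dot ignored
    - no wildcard: labels must be identical
    - wildcard only as the whole leftmost label ("*.example.com");
      partial wildcards such as "f*.example.com" are rejected
    - a wildcard matches exactly one label, so "*.example.com" matches
      "www.example.com" but not "example.com" or "a.b.example.com"
    - at least two labels must follow the wildcard ("*.com" is rejected);
      this stands in for the public-suffix check browsers perform
    """
    p = _labels(pattern)
    h = _labels(hostname)
    if not p or not h or len(p) != len(h):
        return False
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in lab for lab in p[1:]) or len(p) < 3:
        return False
    return p[1:] == h[1:]


def cert_valid_for_host(cert_dns_names: list[str], hostname: str) -> tuple[bool, str]:
    """Decide whether a certificate carrying cert_dns_names is valid for
    hostname, and return (ok, message) with a message modelled on the
    Firefox wording quoted in the post.

    An IP-literal hostname never matches a dNSName entry; it would need an
    iPAddress SAN, which this example does not model.
    """
    try:
        ipaddress.ip_address(hostname.strip("[]"))
        is_ip = True
    except ValueError:
        is_ip = False
    if not is_ip and any(dns_name_matches(n, hostname) for n in cert_dns_names):
        return True, f"{hostname}: certificate name matches"
    return False, (
        f"{hostname}:443 uses an invalid security certificate. "
        f"The certificate is only valid for {', '.join(cert_dns_names)} "
        f"(Error code: ssl_error_bad_cert_domain)"
    )


if __name__ == "__main__":
    # The scenario from the post: the script host presents a certificate
    # issued for a different (wildcard) name.
    for host in ("ssl-mfs-blahblahblah.com", "www.someothersite.com",
                 "someothersite.com", "a.b.someothersite.com"):
        ok, msg = cert_valid_for_host(SAMPLE_CERT_DNS_NAMES, host)
        print("OK  " if ok else "FAIL", msg)
```

Run stand-alone, the script reports the mismatch for ssl-mfs-blahblahblah.com and shows why the bare domain matches only because it is listed explicitly, while a two-level subdomain is rejected by the single-label wildcard rule.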
Re: handling SSL certificates
Thanks for the vote of confidence, but actually the SSL warning(s) didn't have anything to do with NoScript. Perhaps it was actually an attack, or perhaps the site doesn't have SSL configured correctly and is using the certificate of its hosting provider, etc.
The XSS warning, however, comes from NoScript. If you can reproduce it, then please try to copy the full message from the Browser Console (Ctrl+Shift+J), so that we can examine it to determine whether it seems to be genuine or a false positive.
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
only1ryan
Re: handling SSL certificates
Sorry for the delay. The websites in question are http://chk.tbe.taleo.net and https://chk.tbe.taleo.net. Taleo is used for searching for jobs online.
Last edited by barbaz on Tue Sep 22, 2015 2:41 am, edited 1 time in total.
Reason: fix sites per poster's comment
only1ryan
Re: handling SSL certificates
Sorry. I meant http://chk.tbe.taleo.net and https://chk.tbe.taleo.net.
Re: handling SSL certificates
only1ryan wrote: Sorry. I meant http://chk.tbe.taleo.net and https://chk.tbe.taleo.net.
Fixed, because who knows what could be on a "wrong" domain...
*Always* check the changelogs BEFORE updating that important software!
Re: handling SSL certificates
I checked out the site, but didn't see anything on the login page except for the top-level domain and Google Analytics, and no XSS warning.
@only1ryan: Does the XSS warning occur after logging in?
Thrawn
Guest
Re: handling SSL certificates
I never got to the point of logging in. I was looking for some jobs I might apply to. After I got all of the warnings I bailed. A few days later I returned and tried again. The same warnings appeared.