Error prompt - why?

Talk about internet security, computer security, personal security, your social security number...
Post Reply
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Error prompt - why?

Post by luntrus »

Hi forum friends,

While working my Shiretoko browser on aalerted webpage that was then checked and launched via Perspectives I got the following prompt:
"done_quering_notaries error Type Error: gSSL Status is null"
What should I check or where should I look for the origin of this error message?
Is this a MS bug or some form of attack?
My encryption report from http://www.fortify.net/sslcheck.html:
# cipher, 256-bit key
# AES cipher, 192-bit key
# AES cipher, 128-bit key
# RC4 cipher, 128-bit key
# RC2 cipher, 128-bit key
# Triple-DES cipher, 168-bit key
# IDEA cipher, 128-bit key
# DES cipher, 56-bit key
Get an error here also: https://connect.sigen-ca.si/index-en.htm Perspectives then redirects to a Not found,

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090719 Shiretoko/3.5.1pre
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Error prompt - why?

Post by therube »

(I know nothing of Perspectives.)

With the latter link, I get an "This Connection is Untrusted" warning.
If I accept the certificate, I then end up at a "404" (The requested URL was not found on this server. Maybe the link to that file has changed.).

So, just as it says, thinking you have an outdated link.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090716 SeaMonkey/2.0b1pre
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Error prompt - why?

Post by Alan Baxter »

I don't use Perspectives anymore. I couldn't connect with two of its four servers at one time in the past and I suspect that may have been causing me some performance problems. I don't think it did anything for me anyhow, since I'm using a desktop computer connected to my ISP with a wired DSL connection.

Using the latest Shiretoko nightly, my SSL Encryption Report from Fortify is the same as yours.

https://connect.sigen-ca.si/index-en.htm is not a good link. Append an "l" to it, i.e. use https://connect.sigen-ca.si/index-en.html. You still need to manually allow the certificate though. BTW, I did all my testing in a sandbox. I'm won't accept an untrusted certificate otherwise.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090719 Shiretoko/3.5.1pre
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Error prompt - why?

Post by therube »

I won't accept an untrusted certificate otherwise.
So long as you do not set the certificate "permanent", wouldn't it be session only in any case?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090716 SeaMonkey/2.0b1pre
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Error prompt - why?

Post by luntrus »

Hi Alan Baxter,

Thanks for the explanation.
It's important to remember the problem this approach, perspectives, is trying to solve. The classic case is detecting and avoiding a man-in-the-middle attack against SSL while browsing at an Internet cafe. This approach will not help if someone creates a Web site advertising "avoid foreclosure!"
I quote here from: http://taosecurity.blogspot.com/2008/10 ... tives.html
By independently querying the desired target site, the notaries can check whether each is receiving the same authentication information, called a digital certificate, in response. If one or more notaries report authentication information that is different than that received by the browser or other notaries, a user would have reason to suspect that an attacker has compromised the connection...

"When Firefox users click on a website that uses a self-signed certificate, they get a security error message that leaves many people bewildered," [author[ Andersen said. Once Perspectives has been installed in the browser, however, it can automatically override the security error page without disturbing the user if the site appears legitimate.
luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090719 Shiretoko/3.5.1pre
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Error prompt - why?

Post by Alan Baxter »

therube wrote:
I won't accept an untrusted certificate otherwise.
So long as you do not set the certificate "permanent", wouldn't it be session only in any case?
I suppose. But why expose myself for even a session to a possibly malicious site?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Post Reply