Page 1 of 1
Error prompt - why?
Posted: Sun Jul 19, 2009 7:56 pm
by luntrus
Hi forum friends,
While working my Shiretoko browser on aalerted webpage that was then checked and launched via Perspectives I got the following prompt:
"done_quering_notaries error Type Error: gSSL Status is null"
What should I check or where should I look for the origin of this error message?
Is this a MS bug or some form of attack?
My encryption report from
http://www.fortify.net/sslcheck.html:
# cipher, 256-bit key
# AES cipher, 192-bit key
# AES cipher, 128-bit key
# RC4 cipher, 128-bit key
# RC2 cipher, 128-bit key
# Triple-DES cipher, 168-bit key
# IDEA cipher, 128-bit key
# DES cipher, 56-bit key
Get an error here also:
https://connect.sigen-ca.si/index-en.htm Perspectives then redirects to a Not found,
luntrus
Re: Error prompt - why?
Posted: Sun Jul 19, 2009 8:09 pm
by therube
(I know nothing of Perspectives.)
With the latter link, I get an "This Connection is Untrusted" warning.
If I accept the certificate, I then end up at a "404" (The requested URL was not found on this server. Maybe the link to that file has changed.).
So, just as it says, thinking you have an outdated link.
Re: Error prompt - why?
Posted: Sun Jul 19, 2009 8:52 pm
by Alan Baxter
I don't use Perspectives anymore. I couldn't connect with two of its four servers at one time in the past and I suspect that may have been causing me some performance problems. I don't think it did anything for me anyhow, since I'm using a desktop computer connected to my ISP with a wired DSL connection.
Using the latest Shiretoko nightly, my SSL Encryption Report from Fortify is the same as yours.
https://connect.sigen-ca.si/index-en.htm is not a good link. Append an "l" to it, i.e. use
https://connect.sigen-ca.si/index-en.html. You still need to manually allow the certificate though. BTW, I did all my testing in a sandbox. I'm won't accept an untrusted certificate otherwise.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090719 Shiretoko/3.5.1pre
Re: Error prompt - why?
Posted: Sun Jul 19, 2009 8:56 pm
by therube
I won't accept an untrusted certificate otherwise.
So long as you do not set the certificate "permanent", wouldn't it be session only in any case?
Re: Error prompt - why?
Posted: Sun Jul 19, 2009 9:03 pm
by luntrus
Hi Alan Baxter,
Thanks for the explanation.
It's important to remember the problem this approach, perspectives, is trying to solve. The classic case is detecting and avoiding a man-in-the-middle attack against SSL while browsing at an Internet cafe. This approach will not help if someone creates a Web site advertising "avoid foreclosure!"
I quote here from:
http://taosecurity.blogspot.com/2008/10 ... tives.html
By independently querying the desired target site, the notaries can check whether each is receiving the same authentication information, called a digital certificate, in response. If one or more notaries report authentication information that is different than that received by the browser or other notaries, a user would have reason to suspect that an attacker has compromised the connection...
"When Firefox users click on a website that uses a self-signed certificate, they get a security error message that leaves many people bewildered," [author[ Andersen said. Once Perspectives has been installed in the browser, however, it can automatically override the security error page without disturbing the user if the site appears legitimate.
luntrus
Re: Error prompt - why?
Posted: Sun Jul 19, 2009 9:11 pm
by Alan Baxter
therube wrote:I won't accept an untrusted certificate otherwise.
So long as you do not set the certificate "permanent", wouldn't it be session only in any case?
I suppose. But why expose myself for even a session to a possibly malicious site?