[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[WEB SECURITY] Misconfigured site, phishing , or bug in Newest firefox???

From: Shane Forsythe <shane@xxxxxxxxxxx>
Subject: [WEB SECURITY] Misconfigured site, phishing , or bug in Newest firefox???
Date: Fri, 19 May 2006 11:10:00 -0500

I do not know if this is a bug in firefox or a phishing/hack or just somehow misconfigured website.

Go to https://onestopshop.wpbgov.com/utilities/default.asp

Mozilla/firefox/konqueror , in windows or linux , all popup a warning about invalid certificate, unable to verify the CA certificate. Examing the certificate details, show the *Verisign* CA certificate valid from 4/16/1997 to 1/7/2004.

Using Internet Explorer, there is no complaint at all about the website, and examine the certificate shows an expiration date in the year 2011.

Specifically I get a popup titled "Website Certified by an unknown authority"

From that popup alert, if I click "examine certificate" button, then click the "details" tab Under Certificate Hiearchy I see ->Builtin Object Token: *Verisign* Class 3 Public Primary Certification Authority ---> OU=www.*verisign*.com/CPS Incorp.by Ref.LIABILITY LTD.(c)97 *VeriSign*, OU=VeriSi... ------>onestopshop.wpgov.com

If I highlight the second entry (*verisign*.com), under "Certificate Fields" I see this -Validity --- Not Before = 4/16/1997 --- Not After = 1/7/2004

Doing basically the same similar procedure under Internet Explorer, Windows XP SP2 ... examine the certificate seems to show the "correct" dates for the CA certificate (expiring in 2011). Any suggestions or thoughts as to which is right? This site worked with firefox last month (last time I paid my utility bill) ... seems like only since upgraded to 1.5.0.3 that this occured.

I get the same results (invalid) from 3 Windows XP SP2 machine running Firefox 1.5.0.3 , and 1 linux boxes running same version of firefox. Another friend tried for me on his Linux box using konqueror and got same thing. Yet posting on the firefox message board, someone replied they had no problem with that site.

Can anyone verify reproduce those results?


--
Shane Forsythe
System Administrator
Florida Center For Environmental Studies
Florida Atlantic University
3932 RCA Blvd., Suite 3210
Palm Beach Gardens, FL 33410
Tel 561 799 8558
Email: shane@xxxxxxxxxxx
Website: www.ces.fau.edu

- Sponsored Advertisement --------------------------------------------------
The Software Security Summit is the only event that addresses security
issues at the application development level. Join us Jun 5-7, Baltimore, MD.
http://www.s-3con.com
----------------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

Follow-Ups:
- Re: [WEB SECURITY] Misconfigured site, phishing , or bug in Newest firefox???
  - From: Brian Eaton

Prev by Date: [WEB SECURITY] Seeking Volunteers for the WASC Threat Classification v2
Next by Date: Re: [WEB SECURITY] Misconfigured site, phishing , or bug in Newest firefox???
Previous by thread: [WEB SECURITY] Seeking Volunteers for the WASC Threat Classification v2
Next by thread: Re: [WEB SECURITY] Misconfigured site, phishing , or bug in Newest firefox???
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site