
Re: [WEB SECURITY] Misconfigured site, phishing, or bug in Newest firefox???



On 5/19/06, Shane Forsythe <shane@xxxxxxxxxxx> wrote:
> I do not know if this is a bug in Firefox or a phishing/hack or just
> a somehow misconfigured website.
>
> Go to https://onestopshop.wpbgov.com/utilities/default.asp
>
> Mozilla/Firefox/Konqueror, in Windows or Linux, all pop up a warning
> about an invalid certificate, unable to verify the CA certificate.
> Examining the certificate details shows the *Verisign* CA certificate
> valid from 4/16/1997 to 1/7/2004.
> <--snip-->
> Can anyone verify or reproduce those results?

I'm seeing the same thing. I got curious and started looking at some packet captures.

The same certificate chain is being sent to firefox as is sent to IE.
The chain is like this:

/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

This is a trusted root CA that is valid until 2028.
           Not Before: Jan 29 00:00:00 1996 GMT
           Not After : Aug  1 23:59:59 2028 GMT


/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

This is an intermediate CA that expired in 2004.
           Not Before: Apr 17 00:00:00 1997 GMT
           Not After : Jan  7 23:59:59 2004 GMT


/C=US/ST=Florida/L=West Palm Beach/O=City of West Palm Beach/OU=Construction Services Department/OU=Terms of use at www.verisign.com/rpa (c)05/CN=onestopshop.wpbgov.com

This is the server certificate, which is still valid.
           Not Before: Sep 19 00:00:00 2005 GMT
           Not After : Oct  7 23:59:59 2006 GMT


Both OpenSSL and firefox fail the certificate verification because the intermediate certificate has expired.

There are two rather weird things going on here.  The first is that
Verisign appears to have issued a certificate to West Palm Beach that
was signed with an expired intermediate CA certificate.  The second is
that IE doesn't complain about the expired intermediate CA.

I have a lot of trouble believing that Verisign goes around handing
out certificates that were signed with expired CA certificates.  We
must be missing something.

Regards,
Brian
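The date check Brian describes, written out as a small added example (not code from the thread or from OpenSSL): it parses the `Not Before` / `Not After` lines in the format `openssl x509 -text` prints, reports which link in the chain is outside its window at a given check time, and also computes the intersection of all three windows. The subjects and dates are copied from the message above; the `Subject:` label lines are a simplified one-line format used only by this example, and the check date (19 May 2006, the date of the post) is an assumption.

```python
from datetime import datetime, timezone

# Constructed sample input: the three subjects and validity windows quoted in
# the thread, root first and leaf last. The Not Before / Not After lines use the
# format `openssl x509 -text` prints; the "Subject:" lines are a simplified
# one-line label used only by this example.
CHAIN_TEXT = """\
Subject: /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
            Not Before: Jan 29 00:00:00 1996 GMT
            Not After : Aug  1 23:59:59 2028 GMT
Subject: /O=VeriSign Trust Network/OU=VeriSign International Server CA - Class 3
            Not Before: Apr 17 00:00:00 1997 GMT
            Not After : Jan  7 23:59:59 2004 GMT
Subject: /C=US/O=City of West Palm Beach/CN=onestopshop.wpbgov.com
            Not Before: Sep 19 00:00:00 2005 GMT
            Not After : Oct  7 23:59:59 2006 GMT
"""

# strptime pattern for "Jan 29 00:00:00 1996 GMT"; a single space in the
# pattern matches the double space OpenSSL prints before one-digit days.
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC datetime (helper for check times)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_openssl_time(text):
    """Parse an openssl -text style timestamp into an aware UTC datetime."""
    return datetime.strptime(text.strip(), OPENSSL_TIME).replace(tzinfo=timezone.utc)


def parse_chain(text):
    """Turn the sample block into a root-first list of certificate records."""
    chain = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Subject:"):
            chain.append({"subject": line[len("Subject:"):].strip()})
        elif line.startswith("Not Before:"):
            chain[-1]["not_before"] = parse_openssl_time(line.split(":", 1)[1])
        elif line.startswith("Not After"):
            chain[-1]["not_after"] = parse_openssl_time(line.split(":", 1)[1])
    return chain


def cert_status(cert, at):
    """Classify one certificate relative to the check time."""
    if at < cert["not_before"]:
        return "not yet valid"
    if at > cert["not_after"]:
        return "expired"
    return "valid"


def check_chain(chain, at):
    """Status of every link; the chain is only as good as its worst link."""
    return [(cert["subject"], cert_status(cert, at)) for cert in chain]


def chain_is_valid(chain, at):
    """True only when every certificate in the chain is inside its window."""
    return all(status == "valid" for _, status in check_chain(chain, at))


def chain_validity_window(chain):
    """Intersection of all validity windows, or None when no instant exists.

    For the quoted chain the intermediate's window ends in January 2004 and the
    leaf's begins in September 2005, so the intersection is empty: there was
    never a moment at which date checks alone would have passed this chain.
    """
    start = max(cert["not_before"] for cert in chain)
    end = min(cert["not_after"] for cert in chain)
    return (start, end) if start <= end else None


if __name__ == "__main__":
    chain = parse_chain(CHAIN_TEXT)
    when = utc(2006, 5, 19)  # assumed check time: the date of the post
    for subject, status in check_chain(chain, when):
        print(f"{status:14} {subject}")
    print("chain valid:", chain_is_valid(chain, when))
    print("window in which every link is valid:", chain_validity_window(chain))
```

Only the validity dates are checked here; a real verifier also checks signatures, basic constraints, name matching and revocation, so passing this check is necessary but not sufficient. The empty intersection is the useful output for the thread: it shows the problem is not "the page was visited a bit too late" but that the intermediate had already expired before the leaf's window even opened.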

The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
