Kitz Forum

Internet => Web Browsing & Email => Topic started by: chrissie on July 08, 2012, 10:30:48 PM

Title: Security Certificates
Post by: chrissie on July 08, 2012, 10:30:48 PM
Just recently I've been getting notification from IE saying, "To protect your security, Internet Explorer has blocked this website from displaying content with security certificate errors".  I've had this happen on sites I usually use but has only just started happening, two are Tesco's shopping and Orange (my ISP) so I can't understand this.  On my laptop I have Win 7 Home with IE 8 and on the desktop Win XP with IE 8.  I just wondered if there is a problem with IE or these sites, seems strange to me so not sure about this (especially being a computer dummy  ;))

Anyone had similar to this or know what I should do regarding it?  TIA for your help.

Chrissie
Title: Re: Security Certificates
Post by: kitz on July 09, 2012, 03:51:05 PM
Is the problem still there, Chrissie?  I've just tried going to the sites but they seem ok from here.
Is it doing it on both the desktop and laptop?

This can sometimes happen if a website is late updating their certificate, but I find it strange that 2 major sites would both be displaying the problem at the same time.   
It can also happen if a site is displaying 3rd party adverts from an untrusted site.



Title: Re: Security Certificates
Post by: chrissie on July 09, 2012, 10:26:23 PM
Hi Kitz

I haven't really been on today to say if it's happening too, but yes it was on both laptop and desktop though I think it happened more on the desktop yesterday.  I thought it a problem with my Avast security at first because that's what I have on the desktop then it happened on the laptop too.  Another thing I'm getting from when I sign into yahoo mail is often (on both computers) a box will come up with "do you want to receive only secure items from this site" (or words to that effect) so I click yes.  I was wondering if a problem with IE but not sure and like you I find it strange that two major sites would have a similar "problem".  Will let you know if it happens again and on what site.  Thanks for your interest.

Chrissie
Title: Re: Security Certificates
Post by: asbokid on July 09, 2012, 10:47:44 PM
Without wishing to be alarmist, a Man-In-The-Middle attack can exhibit the same symptoms.    The hacker diverts or poisons a computer's nameserver (DNS) requests. When we type "www.orange.com" into the browser, a DNS query is made automatically to a nameserver. That nameserver usually belongs to our ISP.  The browser needs to 'resolve' the IP address for www.orange.com, much the same as we use a phonebook to find a telephone number for a named person.    However, in a Man-In-The-Middle attack, the DNS request is redirected to a nameserver under the control of Evil Edna.  That rogue DNS server says "Hi Chrissie! Thanks for your DNS request! The IP address you wanted, for www.orange.com, is 123.31.126.221!"   But in truth, that is a webserver under the control of Evil Edna herself.   Your browser tries to make a secure connection to 123.31.126.221, thinking it is, as it has been told, the website www.orange.com.  But your browser suddenly realises that the SSL server certificate presented by the rogue site is a bogus certificate.   And the browser warns you.  At this point, many people click the "WHO CARES - CONNECT ME ANYWAY" button.   Then they type in their security login details for the site. Some login details are worth their weight in gold, for online banking websites, etc.  :o Those login details are harvested en masse by Evil Edna & Co,  and in a very short time, Edna and her friends have emptied all of their victims' bank accounts, before retiring to a life of luxury in the sunny climes of Southend-on-Sea!

Title: Re: Security Certificates
Post by: chrissie on July 09, 2012, 11:37:37 PM
Quote
Without wishing to be alarmist, a Man-In-The-Middle attack can exhibit the same symptoms.    The hacker diverts or poisons a computer's nameserver (DNS) requests. When we type "www.orange.com" into the browser, a DNS query is made automatically to a nameserver. That nameserver usually belonging to your ISP.  The browser needs to 'resolve' the IP address for www.orange.com, in much the same way we use a phonebook to find a telephone number for a named person.    However, in a Man-In-The-Middle attack, the request is redirected to a DNS server under the control of Evil Edna.  That rogue DNS server says "Hi Chrissie! Thanks for your DNS request! The IP address you wanted, for www.orange.com, is 123.31.126.221!"   But in truth, that is a webserver under the control of Evil Edna herself.   Your browser tries to make a secure connection to 123.31.126.221, thinking it is, as it has been told, the website www.orange.com.  But your browser suddenly realises that the SSL server certificate presented by the rogue site is a bogus certificate.   And the browser warns you.  At this point, many people click the "WHO CARES - CONNECT ME ANYWAY" button.   They then type in their security login details for the site. Some login details are worth their weight in gold, for online banking websites, etc.! Those login details are harvested en masse by Evil Edna & Co,  and in a very short time, Edna and her friends have emptied all of their victims bank accounts, before retiring to a life of luxury on the sunny climes of Southend-on-Sea!

Thanks for that asbo  :o  Actually I did wonder about this when I ran a Housecall scan on the desktop after Avast asked me to download the latest version of their AV.  I did it once and all ok, then the day after I logged on again and it asked me to do it again.  I thought perhaps it hadn't taken so I did it and then up came message that the Windows firewall was OFF.  It wouldn't switch on again, said internal error (or summat)....so I came off line run Malwarebytes scan and then Avast.  Still firewall wouldn't switch on.  Closed down and then next day all came back ok.  I then did a Housecall scan...it took 3 hours <scream> never that long before and it came up with a potential harmful Dialler (can't recall exactly what) and it fixed it.  Ran another Malwarebytes scan and Avast too...nowt found.  Trouble is, why would it come up on my laptop about security certificates too.  It was more the Orange on the desktop and Tesco on the laptop...all a mythstery to me but it doesn't take much with me being the original computer dummy.   :D

This evening I then read about the DNS charger virus and summat to do with the FBI so that made me think about my computers.  I wouldn't know how to check for it and don't want to download anything I don't know about <scaredy cat moi> but am just wondering now you've mentioned DNS equation...if it could be something like that  :no: :no: :no:
Title: Re: Security Certificates
Post by: asbokid on July 10, 2012, 12:26:58 AM
Quote
I then did a Housecall scan...it took 3 hours <scream> never that long before and it came up with a potential harmful Dialler (can't recall exactly what) and it fixed it.

Hi Chrissie.

Maybe a false positive, but it does sound like the machine was infected.

Quote
Trouble is, why would it come up on my laptop about security certificates too.  It was more the Orange on the desktop and Tesco on the laptop...

If you visit the same websites using the two machines, then perhaps they both got infected from the same source.  Assuming they are infected.

Quote
This evening I then read about the DNS charger virus and summat to do with the FBI so that made me think about my computers.  I wouldn't know how to check for it and don't want to download anything I don't know about <scaredy cat moi> but am just wondering now you've mentioned DNS equation...if it could be something like that  :no: :no: :no:

That attack itself is run-of-the-mill. It's just the scale of the infection that is unusual.  It's simple to understand. The attacker plants one or more rogue IP addresses in system files on the victim's computer (/etc/hosts, /etc/resolv.conf, etc).   The  computer reads those files when it tries to resolve a website name. So when we type "www.somewebsiteplease.com" into the browser, it checks that file /etc/hosts first, and if that website is listed, it connects to the IP address recorded next to its name!  But the computer listening on that IP address belongs to Edna!

cheers, a
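
Added example (not part of asbokid's post): a small Python audit of the two files named above, run here on constructed sample contents. It lists hostnames that a hosts file pins to a non-loopback address and nameservers that are not in an expected set; the function names, sample files and the expected resolver 192.168.1.1 are assumptions made for illustration.

```python
import ipaddress

# Constructed sample files (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_HOSTS = """\
127.0.0.1     localhost
::1           localhost
203.0.113.66  www.somewebsiteplease.com somewebsiteplease.com  # planted entry
0.0.0.0       ads.example.net
not-an-ip     broken.example.net
"""
SAMPLE_RESOLV = """\
nameserver 192.168.1.1
nameserver 198.51.100.53
search home
"""

def _fields(text):
    """Yield the whitespace-separated fields of each line, '#' comments stripped."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields

def _ip(value):
    """Parse an IP address, returning None for anything malformed."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def pinned_names(hosts_text):
    """Names the hosts file maps to a non-loopback address, bypassing DNS."""
    findings = []
    for fields in _fields(hosts_text):
        ip = _ip(fields[0])
        # Skip malformed lines and the usual localhost / 0.0.0.0 ad-block entries.
        if ip is None or ip.is_loopback or ip.is_unspecified:
            continue
        findings.extend((name, str(ip)) for name in fields[1:])
    return findings

def unexpected_nameservers(resolv_text, expected):
    """Configured resolvers outside the expected set (assumed: router or ISP)."""
    allowed = {ipaddress.ip_address(e) for e in expected}
    return [fields[1] for fields in _fields(resolv_text)
            if fields[0] == "nameserver" and len(fields) > 1
            and _ip(fields[1]) not in allowed]

if __name__ == "__main__":
    print(pinned_names(SAMPLE_HOSTS))
    print(unexpected_nameservers(SAMPLE_RESOLV, ["192.168.1.1"]))
```

On Windows the hosts file lives at %SystemRoot%\System32\drivers\etc\hosts and uses the same line format; a flagged entry is something to review, not proof of infection.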
Title: Re: Security Certificates
Post by: kitz on July 10, 2012, 12:28:08 AM
Unfortunately Housecall does take a long time, particularly when most people these days have large hard-drives.

>> I then read about the DNS charger virus

There's a very simple check for that; just go here and it will tell you if you are ok or not
http://www.dns-ok.us/

There are several reasons why you could get security certificate errors, the worst being the one asbo mentioned, but there are a few more things that could cause it.. such as the time and date on your PC being wrong, but it's highly unlikely that both pc and lappy date would be wrong. I tend to come across it sometimes on gaming sites which display 3rd party adverts. I would be very worried however if it happened at my bank website.

....  and talking of bank websites..  do you have any other protection installed other than your antivirus and firewall?   Such as Trusteer Rapport, which many banks offer for free.    I believe that this sometimes causes conflicts and false reports, which is why I've never used it, despite my bank trying to push it under my nose each time I log on.


>>> "do you want to receive only secure items from this site" (or words to that effect) so I click yes.

okay....  there's a reason for the above, which has just made me think of something else.    The reason you get the above message is because you are getting http content from a https web page.   This can either be a site misconfiguration or you are accessing https when it should be http.

When you go to orange and tesco are you using bookmarks?   What happens if you type www.tesco.com into your browser,  making sure there is no https in front of it.

Quote
Warning - while you were typing a new reply has been posted. You may wish to review your post.
Asbo posted one min before me, whilst I was typing out all the above, so I'm going to leave it as is :)
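
Added example (not part of kitz's post): the "http content from a https web page" condition described above, shown as a Python check that lists which subresources of a page would be fetched over plain http. The page URL, the sample HTML and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that makes the browser fetch a subresource, per tag.
FETCH_ATTR = {"script": "src", "iframe": "src", "img": "src", "embed": "src",
              "audio": "src", "video": "src", "source": "src",
              "object": "data", "link": "href"}

# Constructed sample page, as if served from https://shop.example.com/basket
SAMPLE_PAGE = """\
<html><head>
<link rel="stylesheet" href="/site.css">
<script src="//cdn.example.com/lib.js"></script>
</head><body>
<a href="http://www.example.org/">a plain link is navigation, not a subresource</a>
<img src="http://ads.example.net/banner.gif">
<IFRAME SRC="http://ads.example.net/frame.html"></IFRAME>
</body></html>
"""

class _Finder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTR.get(tag, ""))
        if not value:
            return
        # For <link>, only stylesheets are checked here.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        # Relative and protocol-relative URLs inherit the page's https scheme.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            self.insecure.append((tag, absolute))

def find_mixed_content(page_url, html):
    """Return (tag, url) for every subresource an https page loads over http."""
    if urlsplit(page_url).scheme != "https":
        return []  # the warning only applies to pages delivered over https
    finder = _Finder(page_url)
    finder.feed(html)
    return finder.insecure

if __name__ == "__main__":
    print(find_mixed_content("https://shop.example.com/basket", SAMPLE_PAGE))
```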

Title: Re: Security Certificates
Post by: chrissie on July 10, 2012, 11:45:53 AM
Thanks for all the help.  To answer your questions Kitz:

Bank - no I don't have their security software, I use Avast and Win firewall on the desktop and Nortons on the lappy.

Re the secure items box (https or http).  It happens on the Lottery site, Yahoo mail and a few more.  I am wondering if this is due to non secure adverts on their sites which as you said is getting http content on the https page.

Orange and Tesco - the security bar message  "To protect your security, Internet Explorer has blocked this website from displaying content with security certificate errors" comes up on both bookmarks and browser.  I have just remembered that when it happened on the Tesco site (on lappy) it only came up when I went into the payment page even though it had the https and padlock on it. 

Thank you for the link to check for the DNS changer.  It said it was ok but I've also checked my IP address on the desktop which is correct and also on the router box which matches.  However, last night on the lappy I checked my IP online and it was different to my computer IP addy which I think Norton's might have done (not sure).

I will do another Housecall later this week and run the Malwarebytes just to see if it picks up on anything.  I just wondered about Avast as it all seemed to happen when I updated the new version twice which it prompted me to do. 

Thanks again for your help.