Wurst
Captain


Joined: Apr 13, 2006
Member#: 1782
Posts: 1542
Location: Germany

|
Posted:
Wed Oct 21, 2009 6:45 am Post subject: |
|
| Metalheadbrewer wrote: |
| Cool, thanks Digi. I only use Firefox anyway but it is good to know. |
Yes, because it's another pro argument for Firefox! |
|
 |
AntarcticaZombie
Lieutenant Junior Grade


Joined: Jul 18, 2010
Member#: 11055
Posts: 76
Location: Satantonio, Texas

|
Posted:
Tue Jul 20, 2010 9:11 pm Post subject: |
|
I don't buy things on the internets, I think I'm safe _________________
 |
|
 |
Basher 
Vice Admiral (Moderator)


Joined: Feb 19, 2010
Member#: 10128
Posts: 3654
Location: Ebil domain

|
Posted:
Wed Jul 21, 2010 1:36 am Post subject: |
|
i don't use paypal... anyways _________________ i am so ebil that i piss darkness |
|
 |
DOSphantom
Commander


Joined: Aug 27, 2007
Member#: 3904
Posts: 785
Location: WA, USA

 |
Posted:
Tue Nov 23, 2010 3:31 am Post subject: |
|
Wait... what? How does the parser choke-out on a C-string null terminator? It has the true string size, so... yeah.
Crypto is a decrepit API from the mid-nineties and probably should be avoided in these security-sensitive applications (and CNG is probably the same thing except with new features).
Anyway, to note: PayPal is a dirty, thieving company. _________________
I have come here to chew bubblegum and kick ass... and I'm all out of bubblegum. |
|
 |
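An added example, not part of the thread or any poster's code, for the null-terminator question in the post above: it assumes the flaw is a certificate name that carries its own length being compared as a C string, and puts that comparison beside a length-aware one. The struct, the function names and the sample name are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A name as a certificate encoding carries it: raw bytes plus an explicit
 * length. Hypothetical type for this example. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Constructed sample: 31 name bytes with a NUL after the first 16. */
static const unsigned char SAMPLE_EMBEDDED_NUL[] =
    "shop.example.com\0.other.example";

/* Flawed pattern: the length is ignored and the bytes are handed to a
 * C-string routine, so the comparison ends at the first NUL byte.
 * (Only safe to call here because the samples are NUL-terminated literals.) */
static bool match_as_cstring(const struct cert_name *n, const char *host)
{
    return strcmp((const char *)n->data, host) == 0;
}

/* Length-aware check: a name containing a NUL is rejected outright, and the
 * comparison covers every byte the encoding declared. Exact byte match only;
 * case folding and wildcards are out of scope. */
static bool match_with_length(const struct cert_name *n, const char *host)
{
    size_t hlen = strlen(host);

    if (memchr(n->data, '\0', n->len) != NULL)
        return false;
    return n->len == hlen && memcmp(n->data, host, hlen) == 0;
}

int main(void)
{
    struct cert_name n = { SAMPLE_EMBEDDED_NUL, sizeof SAMPLE_EMBEDDED_NUL - 1 };

    printf("declared length: %zu, strlen sees: %zu\n",
           n.len, strlen((const char *)n.data));
    printf("C-string compare accepts:    %d\n",
           match_as_cstring(&n, "shop.example.com"));
    printf("length-aware compare accepts: %d\n",
           match_with_length(&n, "shop.example.com"));
    return 0;
}
```
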
diginferno 
Admiral (Administrator)


Joined: Apr 11, 2006
Member#: 1771
Posts: 3153
Location: Bucharest, Romania

 |
Posted:
Tue Nov 23, 2010 6:28 am Post subject: |
|
| DOSphantom wrote: |
Crypto is a decrepit API from the mid-nineties and probably should be avoided in these security sensitive applications |
Off-topic: our sysadmin told me that he saw logs in which Windows 7 identified itself as Windows NT 4. Dare to contemplate the implications? My Windows 2000 says it's Windows NT 5... _________________ diginferno
.:: Death.FM Administrator ::.
.:: ::. |
|
 |
Basher 
Vice Admiral (Moderator)


Joined: Feb 19, 2010
Member#: 10128
Posts: 3654
Location: Ebil domain

|
Posted:
Thu Nov 25, 2010 3:32 am Post subject: |
|
well all 7's i have used returns to version question nt 6.1 ... ie 8 and 9 in pages that require 32 bit strings might give any nt version under nt 7....
windows nt versions
win nt 4 and below are sold as nt's
nt 5.0 = win 2000
nt 5.1 = win xp; win 2003 srv;win xp extended (X64); XP flp
nt 6.0 = win vista;win 2008 srv
nt 6.1 = win 7 _________________ i am so ebil that i piss darkness |
|
 |
tr1sth3t 
Lieutenant Commander


Joined: Feb 27, 2007
Member#: 3130
Posts: 279
Location: Bergen

|
Posted:
Wed Feb 23, 2011 9:39 am Post subject: Re: IE, Chrome and Safari vulnerable to fake PayPal certificate |
|
| diginferno wrote: |
| Users of non-Microsoft operating systems do not seem to be affected. |
That's funny...
Quickest way to get rid of Windows: http://www.wubi-installer.org/ _________________ It is more likely that a brain randomly forms out of the chaos with false memories of its life than that the universe around us would have billions of self-aware brains. |
|
 |
Basher 
Vice Admiral (Moderator)


Joined: Feb 19, 2010
Member#: 10128
Posts: 3654
Location: Ebil domain

|
Posted:
Fri Feb 25, 2011 5:35 pm Post subject: |
|
hmm easiest way to prevent this kind of thing, is just pull the plug out of the computer and pay with cash , i heard that some pay sites might also be problematic with mac os and some linux platforms _________________ i am so ebil that i piss darkness |
|
 |
diginferno 
Admiral (Administrator)


Joined: Apr 11, 2006
Member#: 1771
Posts: 3153
Location: Bucharest, Romania

 |
Posted:
Fri Feb 25, 2011 6:15 pm Post subject: |
|
| Basher wrote: |
hmm easiest way to prevent this kind of thing, is just pull the plug out of the computer and pay with cash , i heard that some pay sites might also be problematic with mac os and some linux platforms |
The issue that prompted this topic was strictly related to the Win32 cryptography libraries that are involved in dealing with SSL certificates. That's why browsers that did NOT rely on the Windows API were not vulnerable - Firefox uses its own crypto library. If I'm not mistaken, the bug in question was allowing forged certificates to pass validation because it did not check the domain that served the certificate against the domain for which the certificate was issued.
Yes, there may still be problems with some websites and there may be problems with other platforms, but I'm afraid that they are not related to this specific bug. Also, the topic is old, I didn't follow the evolution of this problem because I use Firefox, but I assume that it was fixed by some Windows update.
Last but not least: what good is an SSL certificate if the user clicks on "Allow" or "Yes" without even reading the warning message? I guess that you've heard of the Java exploits last year, all of those exploits required the user to grant permission to the application to run. If we find an answer to the question "why do the users trust applications that pop in their faces out of the blue?", then we can solve a lot of the malware problems around. _________________ diginferno
.:: Death.FM Administrator ::.
.:: ::. |
|
 |
HeadlessBeast
Lieutenant


Joined: Sep 14, 2009
Member#: 8829
Posts: 110
Location: Lake Havasu City, Arizona

|
Posted:
Sat Apr 23, 2011 5:02 pm Post subject: |
|
This could save my ass for the future. Thanks. _________________ \,,/ Black Metal \,,/ |
|
 |
Basher 
Vice Admiral (Moderator)


Joined: Feb 19, 2010
Member#: 10128
Posts: 3654
Location: Ebil domain

|
Posted:
Sun Apr 24, 2011 1:30 am Post subject: |
|
| diginferno wrote: |
| Basher wrote: |
hmm easiest way to prevent this kind of thing, is just pull the plug out of the computer and pay with cash , i heard that some pay sites might also be problematic with mac os and some linux platforms |
The issue that prompted this topic was strictly related to the Win32 cryptography libraries that are involved in dealing with SSL certificates. That's why browsers that did NOT rely on the Windows API were not vulnerable - Firefox uses its own crypto library. If I'm not mistaken, the bug in question was allowing forged certificates to pass validation because it did not check the domain that served the certificate against the domain for which the certificate was issued.
Yes, there may still be problems with some websites and there may be problems with other platforms, but I'm afraid that they are not related to this specific bug. Also, the topic is old, I didn't follow the evolution of this problem because I use Firefox, but I assume that it was fixed by some Windows update.
Last but not least: what good is an SSL certificate if the user clicks on "Allow" or "Yes" without even reading the warning message? I guess that you've heard of the Java exploits last year, all of those exploits required the user to grant permission to the application to run. If we find an answer to the question "why do the users trust applications that pop in their faces out of the blue?", then we can solve a lot of the malware problems around. |
i read from one technical-nerdy magazine that around 99,7% of computer infections are installations made by users, by "blindly clicking yes and i agree" on every popup and dialog. In that test they added a popup dialog to northern countries magazine sites, and the popup said that "by clicking yes i will install arczdx.exe trojan virus to your pc, and by agreeing our terms you will accept the terms found....", it was written in the native language of the browser. Generally from 10 000 users around 9 400 actually clicked yes...  |
|
 |
diginferno 
Admiral (Administrator)


Joined: Apr 11, 2006
Member#: 1771
Posts: 3153
Location: Bucharest, Romania

 |
Posted:
Sun Apr 24, 2011 1:03 pm Post subject: |
|
Many people don't know what "trojan" means in an IT context. They are non-technical users who don't care what the name of an .exe file is because it doesn't make any sense to them.
Also, reading license agreements, bah, are you out of your fucking mind? That's not the user's fault, though. Those license & user agreements are written in legalese and I must admit that I also fail to parse them correctly because they don't make sense to ME.
 _________________ diginferno
.:: Death.FM Administrator ::.
.:: ::. |
|
 |
|
|