Silent browser redirect on invalid certificate
Nov 15th, 2018 by miki

Hit an odd browser behaviour today.

Trawling through some of those nice and dandy terms for a service (no I won’t tell) I followed a link and suddenly hit an “insecure connection” message from Firefox.

Examining the certificate using the usual “openssl s_client” and “openssl x509” tools sure enough revealed that the served certificate didn’t include the second-level domain but only the third-level www sub-domain. Strangely enough I discovered that when entering the same URL directly into the address bar of Firefox the connection was somehow redirected to the www sub-domain and loaded fine without any complaints from Firefox.

Looking into what was happening on the wire using wget directed to not check the certificate (--no-check-certificate) and displaying server responses (--server-response/-S) revealed that the server behind the misconfigured certificate was aiming to issue an HTTP 301 redirect to the valid www sub-domain of the site (actual site replaced by foo.bar and localhost ip):

$ wget --server-response --no-check-certificate --output-document=/dev/null https://foo.bar
--2018-11-15 18:59:14-- https://foo.bar/
Resolving foo.bar (foo.bar)... 127.0.0.1
Connecting to foo.bar (foo.bar)|127.0.0.1|:443... connected.
WARNING: no certificate subject alternative name matches
requested host name ‘foo.bar’.
HTTP request sent, awaiting response...
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://www.foo.bar/
Date: Thu, 15 Nov 2018 17:59:13 GMT
Content-Length: 152
Location: https://www.foo.bar/ [following]

Apparently Firefox’s behaviour in this scenario differs depending on the method in which the user is supplying the URL, in some cases silently ignoring the TLS/SSL warning. A little more experimentation revealed that it was actually not the source of the URL, link followed versus one entered in address bar, that made any difference. Instead it is the presence of a trailing slash on the URL that triggers the silent suppression of the serious red flag that the second-level domain asked to be fetched is not present in the served certificate. I was fooled by the fact that when entering URLs in the address bar Firefox suggests ending the URL on a slash (‘/’) if it is not already present. Manually removing this when editing in the address bar also makes Firefox display the security warning. Alas, the link I originally followed was also missing the trailing slash and behaved as expected by throwing me into a security warning.

The whole “feature” of silently ignoring a security issue seemed very odd to me, but a bit of searching revealed that this was apparently championed by Google Chrome a couple of years ago. It is described in this servertastic post which also directs to a discussion on Twitter, with some key points replicated below, about its presence in Chrome and confirmation from a Chrome team member that the behaviour is intended.

The thread ends with a guy who had dug up the source code of the feature in Chromium (on which Chrome is based) known as “SSLCommonNameMismatchHandling” in file browser/ssl/common_name_mismatch_handler.cc (see all mentions across code base).

This has obviously also trickled down into Firefox, however, not much mention of that is to be found. Not even traces of it by some quick searches of the mozilla-central codebase. Some day I promise (really!) to dig through all source of Mozilla and hunt down the implementation, but for now I’ll revert to a bit of practical experimentation showing the behaviour in the different browsers and operating systems I happen to have access to at the moment;

  • Ubuntu 16.04
    • Firefox 62.0.3: warning, with trailing ‘/’: no warning
    • Chromium 69.0.3497.81: no warning, with trailing ‘/’: no warning
  • Windows Server 2016
    • Firefox 62.0.2: warning, with trailing ‘/’: no warning
    • Google Chrome 70.3538.102: no warning, with trailing ‘/’: no warning
    • Internet Explorer 11.2580.14393.0: warning, with trailing ‘/’: warning
  • Windows Server 2008
    • Firefox 59.0.3: warning, with trailing ‘/’: warning
    • Google Chrome 70.3538.102: no warning, with trailing ‘/’: no warning
    • Internet Explorer 11.0.9600.19080: warning, with trailing ‘/’: warning

So somewhere between 59.0.3 and 62.0.2 Firefox also implemented a policy of silently accepting invalid certificates when certain non-obvious criteria are met (is the redirect actually followed and certs checked, or is “www.” just prefixed?), but this happens only when the URL ends on a slash. Go figure…
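
For site operators, the misconfiguration in this post (a certificate naming only the www sub-domain while the bare domain is also served) can be caught before a browser has to paper over it. The following is an added example, not code from this post or from any browser: it applies the usual wildcard matching rule to a certificate's DNS subject alternative names and reports whether both names are covered. The function names and the sample SAN lists are constructed for illustration.

```python
# Added example: audit whether a certificate's DNS SANs cover both the bare
# (second-level) domain and its www sub-domain. Sample data is constructed.

def _labels(name):
    # Case-insensitive comparison, ignoring a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, host):
    """Match one SAN against a host name: '*' is only honoured as the whole
    left-most label and stands for exactly one label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Simplification: require at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def covered(dns_sans, host):
    return any(san_matches(s, host) for s in dns_sans)

def audit_apex_www(dns_sans, apex):
    """Classify coverage of the bare domain and of www.<bare domain>."""
    has_apex = covered(dns_sans, apex)
    has_www = covered(dns_sans, "www." + apex)
    if has_apex and has_www:
        verdict = "ok"
    elif has_www:
        verdict = "apex-missing"   # the situation described in this post
    elif has_apex:
        verdict = "www-missing"
    else:
        verdict = "neither"
    return {"apex": has_apex, "www": has_www, "verdict": verdict}

# Constructed SAN lists: the post's case, a wildcard-only cert, a corrected cert.
SAMPLES = {
    "www only (as in the post)": ["www.foo.bar"],
    "wildcard only": ["*.foo.bar"],
    "both names": ["foo.bar", "www.foo.bar"],
}

if __name__ == "__main__":
    for label, sans in SAMPLES.items():
        print(f"{label:28} {audit_apex_www(sans, 'foo.bar')}")
```

Note that the wildcard-only certificate is reported as "apex-missing" too: `*.foo.bar` stands for exactly one extra label, so it covers www.foo.bar but not foo.bar itself.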

HTC One Stagefright disable instructions
Jul 29th, 2015 by miki

Until your device is sufficiently patched against the Stagefright vulnerability I recommend disabling automatic MMS retrieval on any Android phones from 2.2 and up (which is hopefully all in current use) to prevent unattended triggering.

Howtos for Google and Samsung devices are here.

Below are screenshots of how to do it on HTC One M7 using the stock (HTC Sense) messaging application called “SMS”. The procedure is likely to be very similar on most HTC devices using Sense.
The UI shown is in Danish locale, the English menus will be something like SMS->Settings->Multi Media Messages (MMS)->Automatic Retrieval.

[Three screenshots of the menu path described above]

Schneier discusses details here and this seems to be the commit in CyanogenMod for the underlying problem in the media library. Check also the issue’s review page.

Subversion on Debian ARM: commit failing with space in URL
Sep 16th, 2014 by miki

Working on a Beaglebone Black based product, running the latest Debian GNU/Linux system image (bone-debian-7.5-2014-05-14-2gb.img) from the BB HQ at beagleboard.org I just had the following strange experience.

Using Subversion I wanted to commit a change to a file made locally on the BBB. The file resided in a working copy of a repository on which I had done the initial work on my x86_64 laptop. The working copy was checked out and updated on the BBB without any problems, but committing I got the following error:

debian@beaglebone:~/VCAS_FR$ svn ci rc.local -m"Append to vncserver.log."
Authentication realm: <https://svn.xx.xx> Subversion Repository
Password for 'yaya': 
Sending        rc.local
Transmitting file data .svn: Commit failed (details follow):
svn: File not found: transaction '414-1', path '/trunk/BBB%20deployment/rc.local'
debian@beaglebone:~/VCAS_FR$

This failed repeatedly, and checking out a fresh new working copy exhibited the same result.

For the fun of it, because file name issues are long gone in my everyday computing life, I tried to remove the space from the directory path. And voila, unexpectedly it succeeded!

debian@beaglebone:~/VCAS_FR$ svn ci rc.local -m"Append to vncserver.log."
Authentication realm: <https://svn.xx.xx> Subversion Repository
Password for 'yaya': 
Sending        rc.local
Transmitting file data .
Committed revision 416.
debian@beaglebone:~/VCAS_FR$

Without spaces, things actually did work. Apparently there’s an issue with ARM-built Subversion and repositories containing spaces.

URL before

debian@beaglebone:~/VCAS_FR$ svn info | grep URL
URL: https://svn.xx.xx/trunk/BBB%20deployment
debian@beaglebone:~/VCAS_FR$

URL after

debian@beaglebone:~/VCAS_FR$ svn info | grep URL
URL: https://svn.xx.xx/trunk/BBB_deployment
debian@beaglebone:~/VCAS_FR$

Investigating a bit further narrowed down that the Debian distribution uses an old (old, old) subversion 1.6.17 release from 2009:

debian@beaglebone:~/VCAS_FR$ svn --version
svn, version 1.6.17 (r1128011)
   compiled Mar 15 2014, 21:37:31

Copyright (C) 2000-2009 CollabNet.
Subversion is open source software, see http://subversion.apache.org/
This product includes software developed by CollabNet (http://www.Collab.Net/).

Probably this has been fixed since; a quick investigation in the svn issue tracker revealed no open issues regarding this. I’ll look further into this later, and of course report it appropriately if this is an unknown issue.

But as you see, you can still experience basic issues on the latest and greatest stuff out there. Be wary!

© 2023 Mikkel Kirkgaard Nielsen, contents CC BY-SA 4.0