Thursday, July 19, 2012

Security: Firefox connection to website partially encrypted and eavesdropping

What happens when an SSL certificate has been signed by an intermediate CA and Apache does not send that intermediate along with the server certificate (the SSLCertificateChainFile directive; note that SSLCACertificateFile only names the CAs used to verify client certificates and adds nothing to the chain the server sends)? The short answer is that it depends on the client: one that already has the intermediate (shipped with the OS, or cached from an earlier visit to a site that did send it) or that fetches it on its own will not notice, while one that has neither cannot build the chain and rejects the certificate.
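The two configurations side by side, as an added example that is not from the original post (Apache 2.2 syntax; the host name and file paths are assumptions):

```apache
# Added example, not the original post's configuration. Host name and paths
# are assumptions.

# Weak: only the server certificate is sent. A client that does not already
# hold "Example Intermediate CA" (and does not fetch it itself) cannot build
# the chain. SSLCACertificateFile does NOT help here: it only sets the CAs
# used to verify *client* certificates.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt
</VirtualHost>

# Corrected: also serve the intermediate certificate(s), in order from the
# one that signed the server certificate up to, but not including, the root.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key
    SSLCertificateChainFile /etc/ssl/certs/intermediate-chain.crt
</VirtualHost>
```

The root certificate does not belong in the chain file; clients must already trust it, so sending it only adds bytes to every handshake. From Apache 2.4.8 onward SSLCertificateChainFile is deprecated and the intermediates are simply appended to the SSLCertificateFile after the server certificate; the effect on the wire is the same. Reload Apache and re-test from a client that has never seen the intermediate, since a browser that has cached it will pass regardless.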

I was surprised to learn today that on Windows and Linux different browsers, including Chrome, were complaining, while my OSX Chrome version (Version 22.0.1207.1 dev) was failing to do so.

Not sure if this is a Chrome vulnerability, but I have certainly filed a Chrome feedback request for this issue.

On OSX, Safari and Opera would fail to notice the issue, and the only browser that would complain was Firefox, with a "Your connection to this website is only partially encrypted, and does not prevent eavesdropping."

SSLLabs continues to rock as the ultimate online tool to check your certificates, and they have recently added a check (still in beta) for certificate chain problems. So do check it out!
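When the site is not reachable from the internet, or you want the check in a deploy script, the same chain problem is visible from the command line: openssl s_client prints exactly the certificates the server sent and a verification result, and a missing intermediate shows up as "Verify return code: 21 (unable to verify the first certificate)". The script below is an added example (not from the original post or from SSLLabs) that parses that transcript; the host name and the two sample transcripts are constructed for illustration, and it serves both the missing-chain scenario described at the top and the chain check discussed here.

```shell
#!/bin/sh
# Added example (not from the original post): read the certificate chain a
# TLS server actually sends and decide whether an intermediate is missing,
# using the output of `openssl s_client`. The host name and the sample
# transcripts below are constructed for illustration.

# Fetch the handshake transcript for a live host (SNI is set so name-based
# virtual hosts answer with the right certificate). Network access is only
# needed here; every check below works on a saved transcript.
fetch_transcript() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null
}

# Number of certificates the server sent: the "N s:..." entries in the
# "Certificate chain" section of the transcript read from stdin.
served_cert_count() {
    awk '/^Certificate chain/ {inchain=1; next}
         /^---/ {inchain=0}
         inchain && /^ *[0-9]+ s:/ {n++}
         END {print n+0}'
}

# OpenSSL's verification result from the transcript on stdin: 0 is ok,
# 21 (unable to verify the first certificate) is the classic symptom of a
# server that sends only its own certificate without the intermediate.
verify_return_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Whole-transcript check: prints a diagnosis and returns 0 only if the chain
# verified. Reads the transcript from the file named in $1, else from stdin.
chain_check() {
    transcript=$(cat "${1:--}")
    count=$(printf '%s\n' "$transcript" | served_cert_count)
    code=$(printf '%s\n' "$transcript" | verify_return_code)
    case "$code" in
        0)  echo "ok: $count certificate(s) served, chain verified"; return 0 ;;
        21) echo "incomplete chain: $count certificate(s) served, issuer of the server certificate not sent"; return 1 ;;
        *)  echo "verify failed with code ${code:-?} ($count certificate(s) served)"; return 1 ;;
    esac
}

# Constructed sample: what s_client shows when only the leaf is sent.
SAMPLE_INCOMPLETE='CONNECTED(00000003)
depth=0 CN = www.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=www.example.com
   i:/CN=Example Intermediate CA
---
Server certificate
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Verify return code: 21 (unable to verify the first certificate)'

# Constructed sample: the same server once the intermediate is served too.
SAMPLE_COMPLETE='CONNECTED(00000003)
depth=2 CN = Example Root CA
verify return:1
depth=1 CN = Example Intermediate CA
verify return:1
depth=0 CN = www.example.com
verify return:1
---
Certificate chain
 0 s:/CN=www.example.com
   i:/CN=Example Intermediate CA
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Verify return code: 0 (ok)'

# Run against a live host if CHAINCHECK_HOST is set, otherwise demonstrate on
# the constructed transcripts (`|| :` keeps the expected failure of the first
# sample from aborting a caller that runs with `set -e`).
if [ "${CHAINCHECK_HOST:-}" ]; then
    fetch_transcript "$CHAINCHECK_HOST" | chain_check
else
    printf '%s\n' "$SAMPLE_INCOMPLETE" | chain_check || :
    printf '%s\n' "$SAMPLE_COMPLETE" | chain_check || :
fi
```

Run it as CHAINCHECK_HOST=www.example.com sh chaincheck.sh against the real server. Because openssl only uses the certificates the server sent plus the local trust store, and never fetches a missing intermediate by itself, it behaves like the strictest browser in the post: a "21" here is the configuration problem, even when Chrome or Safari on OSX shows a green lock.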

Do always test on all OSes and in all browsers. OMG, this fragmented market really ends up costing companies a lot of money, especially those that take security seriously.
