
Question for the computer experts? https with slash

Discussion in 'Non-Vegas Chat' started by Joe, Sep 27, 2013.

Thread Status:
Not open for further replies.
  1. Joe

    Joe VIP Whale

    Joined:
    Sep 11, 2009
    Messages:
    11,332
    Location:
    Wisconsin
    Trips to Las Vegas:
    175
    I visit a site regularly and they said they are merging with another company. Today when I went there the site address has a red slash through the https and also a red X on the View site info logo.

    I went to the view site information tab, but it's all in computer speak. It didn't say get out of here as fast as you can.:evillaugh

    What do both mean?
     
  2. shifter

    shifter Degenerate Gambler

    Joined:
    Sep 15, 2010
    Messages:
    10,096
    Location:
    At the tables
    Trips to Las Vegas:
    30
    the way https works is that the site has an SSL certificate that works with your browser to encrypt the data sent back and forth. the slash just means that the browser doesn't recognize the cert as being "signed" by a known authority. anybody can create an SSL certificate and it works just fine. but in order to be recognized you have to submit it to a company like VeriSign or Thawte, etc and you pay them an exorbitant fee and they sign it. supposedly they are "verifying" that you're a legit company, but all they do is check that you have some easy-to-obtain business paperwork, so it means very little.

    the signing also doesn't change the function of the certificate at all. the cert works fine unsigned. and then to make it even better, you have to pay them to "renew" this signing every year even though nothing has changed. so really, to me, the signing thing is really just a scam to get companies to fork over big money to them.

    the truth is that even unsigned and/or expired certs work just fine for encrypting the data, which is the entire point. but the browser creators are often the same companies that do the signing, so they've come up with this ingenious way to scare people away from sites that have unsigned and/or expired certs. throw a big red X up there and people go away. so anybody who wants to run an https site knows that and is forced to pay for the signing.

    the only risk you have with going to a site with an unsigned cert is that the site itself may be malicious. but since you know this site already, you have nothing to worry about.

    it's likely in this case that their cert either expired or they moved the site to the new company's servers and the cert wasn't reinstalled properly, etc.
     
  3. Sonya

    Sonya Queen of VMB

    Joined:
    Nov 28, 1999
    Messages:
    21,851
    Location:
    Western Washington
    Trips to Las Vegas:
    18
    Yeah, what shifter said. :) It's probably part of the conversion and will clear up in a few days.
     
  4. sandman748

    sandman748 Low-Roller

    Joined:
    Sep 12, 2012
    Messages:
    234
    Trips to Las Vegas:
    6
    this isn't meant to be argumentative and what shifter said is mostly true but thousands of people have information stolen every day because of ignoring errors like this.

    Certs actually don't do the encryption. They are used for identity and details of what type of encryption is used. Similar to a driver's licence that has details as to your identity (which we assume is valid information, as it came from the government, whom we trust).

    When a cert error comes up like that, it means that nobody has verified that the cert is valid. Any major company that does any kind of financial transactions must have a valid cert as per several regulations. While there are situations where a cert may expire and the site is still valid, any legitimate site should have a valid cert.

    I wouldn't provide any username, password, and especially personal or financial data into a site without a valid certificate. Even if it's a site you regularly visit.

    As an example of how this can be used to steal your data: I could easily log onto my neighbor's wireless router, change his DNS servers to point to a DNS server of my choice that contains fake websites in place of real ones. So when he goes to www.citibank.com, it would actually go to a site of my choosing, that could look exactly like the real thing. The only difference is that it would be near impossible for me to serve up a valid certificate to his PC and he would get the error you are getting. If he ignores the error, I now have all of his online banking credentials.
     
  5. Mitkraft

    Mitkraft High-Roller

    Joined:
    Jul 6, 2012
    Messages:
    772
    Location:
    Houston, TX
    Trips to Las Vegas:
    12
    To add further details and possibly explain why you are getting this error after the merge/move of this company's site: one of the points of this cert is to assure that the website you are going to matches the name on the cert. If a website was hijacked, for example, and re-routed through untrusted servers and the name and IP address don't match the cert, then you will get this error. My credit union has this problem if you go to their website without using "www" before the web address. Most every site will resolve just fine without www; however, their cert lists their address as www.mycreditunion.com. If you go to mycreditunion.com instead you will get an error saying the cert is invalid. In your case most likely the server specifics have changed and no longer match the address on their cert.

    As sandman said there can be risk in using your credentials when a site is in this state, but if you can verify the reason for it and know for sure you are going to the right place then you can be reasonably safe.

    To clarify the risk though: if someone were to set up a near-miss dummy domain that looked like my credit union, say they set it up at mycreditunions.com, I might go there and unknowingly give them my information, because when I saw the certificate error (due to them having self generated their certificate) I would ignore it thinking it was normal but not realizing I went to mycreditunions.com instead of mycreditunion.com.

    As others have said, the site is still secure and encrypted even with a self generated certificate but you can't be 100% certain they are who they say they are.
     
  6. Kape

    Kape Tourist

    Joined:
    Feb 4, 2011
    Messages:
    47
    Location:
    Canada
    Trips to Las Vegas:
    11
    I have to second this, I wouldn't give out any information on a site where the cert isn't verified. Along with the attack described in this post you can also do a man in the middle attack with a tool called Cain and Abel that allows you to intercept traffic where the attacker provides an unsigned cert and continues to forward the traffic on to the requested site. The user continues to see the site they expect and interact with it, but the man in the middle can view all the traffic, including usernames and passwords. The only way this works is if the user clicks past the warning in the browser that says 'There is a problem with this website's security certificate.' 'We recommend that you close this webpage and do not continue to this website.' Unless you are 100% certain of the identity of the site, do not proceed. It is true that the traffic to a site with an expired or unverified cert is still encrypted; you just never know if it's a case of the admins forgot to renew the cert or is there a man in the middle attack going on.
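The checks discussed in this thread (name on the cert versus the address typed, expiry, and whether a known authority signed it), as an added example that is not part of any poster's message. The certificate dictionaries are constructed sample data in the layout of Python's `ssl.SSLSocket.getpeercert()`, and `issuer_trusted` is an assumed stand-in for the chain validation a TLS library performs.

```python
import ssl
from datetime import datetime, timezone

def dns_name_matches(pattern, hostname):
    """Exact match, or '*' standing in for the whole left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # mycreditunion.com has one label fewer than www.mycreditunion.com
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]  # refuse broad patterns such as *.com
    return p == h

def diagnose(cert, hostname, now, issuer_trusted):
    """Return the reasons a browser would flag this certificate for `hostname`.

    `issuer_trusted` is an assumption of this example: it represents the result
    of validating the chain against the local trust store.
    """
    problems = []
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(dns_name_matches(n, hostname) for n in names):
        problems.append("name-mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not-yet-valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not issuer_trusted:
        problems.append("untrusted-issuer")
    return problems

# Constructed sample data, using the placeholder names from the thread.
NOW = datetime(2013, 9, 27, tzinfo=timezone.utc).timestamp()
CREDIT_UNION = {"subjectAltName": (("DNS", "www.mycreditunion.com"),),
                "notBefore": "Jan 15 00:00:00 2013 GMT",
                "notAfter": "Jan 15 00:00:00 2014 GMT"}
LAPSED = dict(CREDIT_UNION, notAfter="Sep 10 00:00:00 2013 GMT")
SELF_MADE = dict(CREDIT_UNION, subjectAltName=(("DNS", "mycreditunions.com"),))

if __name__ == "__main__":
    cases = [("with www", CREDIT_UNION, "www.mycreditunion.com", True),
             ("without www", CREDIT_UNION, "mycreditunion.com", True),
             ("renewal forgotten", LAPSED, "www.mycreditunion.com", True),
             ("self-generated lookalike", SELF_MADE, "mycreditunions.com", False)]
    for label, cert, host, trusted in cases:
        print(f"{label:26} {host:24} {diagnose(cert, host, NOW, trusted) or 'ok'}")
```

The lapsed renewal and the self-generated lookalike both end in a browser warning, but the reason differs, and that reason is what the "view site information" panel reports.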
     