exampasser wrote: » Thanks, that worked. I wasn't expecting that there would be a simple solution with IE.
keatron wrote: » Do know that disabling this makes you VERY open to Man-in-the-middle attacks without you knowing it's going on. If someone is able to ARP spoof you and successfully divert traffic between you and whatever SSL server you're communicating with to them, then they'll most likely establish an SSL session between them and the server and another SSL session between them and you. Before attack: YOU>>>>>>>>>Server. After attack: YOU>>>>>>>Attacker>>>>>>>Server. One classic way to know this is happening when SSL is in use is the self-signed cert message popping up. To make this work and be able to see your encrypted traffic, they'll have to forge a fake copy of the real web server's certificate. The only way to do this is to self sign it. So instead of VeriSign or another trusted CA signing it, the attacker will. This would cause you to get the popup message that complains about it being self-signed. Except you just disabled it. Sounds like a lot of the websites you're visiting use self-signed certs. But what if someone MiTMs you and your bank, who most likely DOES NOT use self-signed certs? You know this because you don't get those popups there, right? Well, now you'd never know. Just wanted to inform. But you know your annoyance vs security threshold better than anyone!
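The warning discussed in this thread fires when the browser's hostname check fails: the name it connected to is not among the identities the certificate presents. The following is an added example, not code from any poster or from IE, that implements that check in Python over constructed certificate data (the `SAMPLE_CERT_NAMES` dictionary and all hostnames are made up for illustration). It follows the common browser rules: exact dNSName match, a wildcard only as the whole leftmost label covering exactly one label, and IP literals matched only against iPAddress entries.

```python
import ipaddress

# Constructed sample: identities a certificate might carry in its subjectAltName
# extension (dNSName and iPAddress entries). Not taken from any real certificate.
SAMPLE_CERT_NAMES = {
    "dns_names": ["www.example-bank.test", "*.example-bank.test", "example-bank.test"],
    "ip_addresses": ["203.0.113.10"],
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName (possibly a wildcard) against a hostname.

    Wildcard handling is deliberately strict: '*' is honoured only as the entire
    leftmost label, it must be followed by at least two more labels, and it
    covers exactly one label, so '*.example-bank.test' does not cover
    'a.b.example-bank.test' or the bare 'example-bank.test'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        # Partial-label wildcards ('w*.example.test') and over-broad ones
        # ('*.test', '*') are rejected rather than guessed at.
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_certificate(cert_names: dict, host: str) -> bool:
    """Return True when `host` is covered by one of the certificate's identities.

    This is the check a 'certificate name mismatch' warning reports on. In the
    MITM scenario described above, the attacker's forged certificate either
    fails this check or fails chain validation to a trusted CA; disabling the
    warning hides the first of those two signals.
    """
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal in the URL matches only iPAddress entries, compared as
        # parsed addresses so '203.0.113.010'-style variants cannot sneak through.
        return any(ipaddress.ip_address(ip) == addr
                   for ip in cert_names.get("ip_addresses", []))
    return any(_dns_name_matches(name, host)
               for name in cert_names.get("dns_names", []))


def evaluate_hosts(cert_names: dict, hosts) -> dict:
    """Run the check over several hostnames and report the verdict for each."""
    return {host: hostname_matches_certificate(cert_names, host) for host in hosts}


if __name__ == "__main__":
    constructed_hosts = [
        "www.example-bank.test",            # exact dNSName
        "login.example-bank.test",          # covered by the wildcard
        "example-bank.test",                # exact dNSName, not the wildcard
        "deep.login.example-bank.test",     # wildcard spans one label only
        "www.example-bank.test.other.test", # lookalike suffix, no match
        "203.0.113.10",                     # iPAddress entry
        "203.0.113.11",                     # different address, no match
    ]
    for host, ok in evaluate_hosts(SAMPLE_CERT_NAMES, constructed_hosts).items():
        print(f"{host:36} {'match' if ok else 'MISMATCH -> warning'}")
```

The point of running it over the lookalike and over-long names is to see that the check is conservative by design: anything the certificate does not name explicitly produces the mismatch verdict, which is exactly the signal the checkbox in question suppresses.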
Daniel333 wrote: » Can you create a hosts file entry with the correct DNS information pointing to the IP address of the site? Might be better than disabling IE's security. IE has got enough problems.
it_consultant wrote: » Thank you Robert, I was going to point out the extreme difficulty of pulling this off. I ran across a paper a while ago that surmised that a foreign government could fake a popular website (gmail, banks, etc.) and exploit the sheer number of certs that IE will accept by simply buying the same cert that was issued to, say, Bank of America from a different cert provider. They could then target your computer by giving you false DNS replies to send you to their fabricated website. This website would have to be so good that you don't realize that it's not truly gmail or whatever. Then, you would put your username and password in and, using sslstrip (with a hardware device surreptitiously placed in line with your network), they could crack your password and see all your traffic. The logistics of something like this are outrageous considering it's way easier to crack a password by correctly guessing the challenge questions for a password reset.
RobertKaucher wrote: » You guys understand that in this instance, when one single certificate has been added to the ignore list, the increased security risk is so small it is insignificant?
colemic wrote: » It's not an ignore/exceptions list, it's a checkbox to either warn about certificate mismatch or don't warn about certificate mismatch. Whether the risk is small or not depends largely on your circumstances - in this case, he mitigates the risk by virtue of it being a small workplace server, and only using IE for this purpose. If it were his everyday workhorse browser, it would be a significant risk.
RobertKaucher wrote: » Sorry guys. I consider myself schooled. I was confusing IE with FF and its exception list. Regardless, you should only have to import the cert in IE for it to work and not force IE to allow you to get 0wned. Rep to all who corrected me.