Thread: Link to a website with a faked SSL Certificate

Link to a website with a faked SSL Certificate

From: Thomas Oftring

Hello,

I would like to get the slides from the Postgres Open Talks 2011 Wiki
Page but if I click on the link to the slides "Migration to PostgreSQL
- preparation and methodology" Firefox warns about a suspect SSL
certificate. A colleague accepted the SSL certificate and got a trojan
virus on his Windows PC.

Please check the link before more people get problems with it.

Thank you very much for your great work.

Thomas Oftring


Re: Link to a website with a faked SSL Certificate

From: Stefan Kaltenbrunner

On 09/21/2011 09:12 PM, Thomas Oftring wrote:
> Hello,
> 
> I would like to get the slides from the Postgres Open Talks 2011 Wiki
> Page but if I click on the link to the slides "Migration to PostgreSQL
> - preparation and methodology" Firefox warns about a suspect SSL
> certificate. A colleague accepted the SSL certificate and got a trojan
> virus on his Windows PC.
> 
> Please check the link before more people get problems with it.

I'm not sure what you are actually referring to - the link for that
particular presentation is not to an https site.
However, the server in the URL IS actually supporting HTTPS (using a
self-signed cert) but I can't see a way at all how your colleague might have
gotten a trojan from that server.
Are you really sure that your colleague got infected from clicking the
link to the URL http://bunsen.credativ.com/~jco/2011/migrating.pdf or is
that mostly based on the theory "the unknown cert was the only odd thing
that happened that day so it must have been that page"?


Stefan


Re: Link to a website with a faked SSL Certificate

From: Greg Smith

On 09/22/2011 01:40 AM, Stefan Kaltenbrunner wrote:
> I'm not sure what you are actually referring to - the link for that
> particular presentation is not to an https site.
> However, the server in the URL IS actually supporting HTTPS (using a
> self-signed cert) but I can't see a way at all how your colleague might have
> gotten a trojan from that server.

I've found several paths through that site that do kick up an SSL error
someone might have stumbled on.  Going to
http://bunsen.credativ.com/~jco/2011/ pulls up directory browsing, and
I'm getting an invalid certificate error from there.  It appears to be
coming from the image files; http://bunsen.credativ.com/icons/back.gif
for example gives an error too, even though that isn't an HTTPS URL.

But there's no fancy scripting that could install a trojan on any part
of the site I just inspected.  The only way I could imagine there's a
problem is if the PDF contained malicious code, exploiting one of the
Acrobat vulnerabilities.  I've gotten Windows systems infected via that
route before, when someone wasn't keeping up with security updates for
Acrobat.  I just tried this out myself on a sacrificial Windows VM, and
I didn't see any problems with this file though.  Given that the slides
were produced with LaTeX Beamer and probably generated on a UNIX-ish
system, that seems pretty unlikely too.

-- 
Greg Smith   2ndQuadrant US    greg@2ndQuadrant.com   Baltimore, MD
PostgreSQL Training, Services, and 24x7 Support  www.2ndQuadrant.us