How is this googledrive.com phishing possible? - security

Recently I received a mail with the link: http://googledrive.com/host/0B0uWu3qbasSeVjNCY1Nkekx5UkU
When I opened it, it showed a phishing page to grab my user name and password, but surprisingly the certificate the website provided is a legitimate Google certificate. How can a phishing site provide a valid server authentication certificate from Google?

OK, now I understand it. It is a hosted web page on Google Drive. Please see the following link for more details: https://support.google.com/drive/answer/2881970?hl=en
So the attackers hosted a page which looks exactly like the Google login page, and the browsers could not find it because the certificate is a valid Google Drive certificate.
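
The point of the answer above, as an added example that is not part of the original post: a valid certificate only proves which host served the page, so a credential prompt also has to be checked against the brand's real sign-in origin. The two lookup tables and the function name are assumptions for illustration; only the `googledrive.com/host/` prefix comes from the question.

```python
from urllib.parse import urlsplit

# Assumption: origins where the brand's real sign-in form lives.
SIGN_IN_ORIGINS = {"google": {"accounts.google.com"}}

# Assumption: hosts that serve user-uploaded pages under a path prefix.
# googledrive.com/host/ is the prefix seen in the question above.
USER_CONTENT_HOSTS = {"googledrive.com": "/host/"}


def assess_credential_page(url, brand, tls_cert_valid):
    """Return (verdict, reasons) for a page that asks for `brand` credentials.

    tls_cert_valid is what the browser reports; it is deliberately only one
    input, because a valid certificate says nothing about who wrote the page.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []

    if parts.scheme != "https":
        reasons.append("not served over https")
    if not tls_cert_valid:
        reasons.append("certificate did not validate")

    # Exact match only: accounts.google.com.example.net must not pass.
    if host not in SIGN_IN_ORIGINS.get(brand, set()):
        reasons.append(f"{host} is not a {brand} sign-in origin")

    # Shared hosting: the platform owns the certificate, users own the content.
    prefix = USER_CONTENT_HOSTS.get(host)
    if prefix and parts.path.startswith(prefix):
        reasons.append(f"{host}{prefix} serves user-uploaded content")

    return ("suspicious" if reasons else "ok", reasons)


if __name__ == "__main__":
    # URL from the question, in the https form the asker describes.
    print(assess_credential_page(
        "https://googledrive.com/host/0B0uWu3qbasSeVjNCY1Nkekx5UkU",
        "google", tls_cert_valid=True))
```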


Development Site - This site can’t provide a secure connection

I have moved a client website across to a subdomain of my company's website for development.
The client website has a working SSL certificate. Successfully redirects to https:// - everything works like a charm.
I have straight copied the code to the development folder and gone to load the page and receive the error:
This site can’t provide a secure connection
Site sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
I go to the security tab within Chrome and can see the certificate is valid and trusted. The resources are all served securely. However I am unable to access the site as 'This page is not secure.':
This page is not secure.
Certificate - valid and trusted
The connection to this site is using a valid, trusted server certificate issued by unknown name.
Resources - all served securely
All resources on this page are served securely.
As this is only a development site I am happy for it to not be secure - so long as the live site stays secure and my clients are able to view the development site.

Getting weird popup in IE while using ADAL.js for login to Azure

I am using ADAL.js for log-in to Azure, but I am getting this weird popup, in which I have to explicitly select Continue to Website. How could I avoid this?
This popup typically means the site certificate isn't trusted by your client. Verify that the site's certificate was issued by a trusted issuer. If yes, download and copy the public portion of the cert (.cer) from the site and import into your local machine account's trusted store and that should hopefully resolve your issue.

How to make a client for a site that handles logins with Facebook?

I'm writing a client in NodeJS that is meant to replace using a website, and it isn't my website. It uses Facebook to log in. Is it possible to log in via a Facebook username/password? It seems modules like passport-facebook are intended for use with a website that you own, which is not the case in my scenario.
I suspect that I can't login with a username and password, so I'd have to sniff web traffic of me browsing the normal website for my token for the website, and then somehow use that in Node, but I hope this isn't the case.
Thanks for your help.

creating a secure registration web page w/o SSL?

Example, I go to the facebook webpage and see that the http URL is not https. Maybe they are hiding that it is https. I don't see a lock either on the browser.
In any case, how do websites provide secure registration web pages? I'm looking to create a registration and user login page.
Thanks for your help!
SP
Your hosting server should provide SSL services.
You should purchase an SSL certificate from VeriSign, or generate one using OpenSSL.
Apply the SSL certificate to your web server.
Create your login page as you normally do with your scripting language.
Access the page with https://domain.com/page.php
You provide secure registration with SSL. If you do a Google search for HTTPS or SSL you will find resources. It is a bit of a large topic. How to go about it depends on whether you are running your own server or have hosting provided to you by a service. Either way, you will need a certificate for your domain. If you have your own server you will need to do a lot more configuration.
Here is a link about how to go about it with Apache.

Hosting someone else's SSL cert in IIS to allow https hosting on their domain from your own server

Currently customers have sites on my domain like https://customername.myapp.com. I'd like for them to be able to upload an SSL cert and then access my site via https://myappname.customername.com - how would one go about doing this programmatically in .NET/IIS 7?
bump
So I might have an answer for you but it doesn't necessarily involve .NET/IIS 7.
I'm not quite sure what the end goal is here, but I'll take a stab at it. It sounds like you want customers to go to customername.myappname.com and have it show myappname.customername.com's content? You don't simply want to redirect them? Do you have a trusted SSL certificate for myapp.com? If you do, then there's a way you can extend that trust to the myappname.customername.com websites.
Assuming your customers don't want to have to pay for SSL certificates for their websites, you could have them generate self-signed certificates (or create your own CA and sign their certificates) and upload them to your website. Then, using a combination of JavaScript and Flash you could do cross-domain requests from your website to theirs over SSL.
The way this would work:
A customer would go to your website myapp.com. From there (or from customername.myapp.com if you have a wildcard SSL certificate), they could log in or just click on their name. Doing so would load a page with a JavaScript implementation of SSL, a Flash swf, and the SSL certificate associated with that customer. Then the JavaScript SSL would do cross-domain ajax requests to the customer's site and show their content on myapp.com. This would enable a secure connection to their website via your website.
There's another bit of complexity that you might not be able to support in your use case, however. You need your customer's websites to be able to serve an XML file that contains a Flash cross-domain policy. This policy would specifically grant your site access to theirs.
The JavaScript TLS (SSL) and Flash you would host on your website are part of an open source project called Forge. This blog post explains how it works in further detail and provides a link to Forge on GitHub:
http://blog.digitalbazaar.com/2010/07/20/javascript-tls-1/
Most of this stuff is done using client-side JavaScript, but you'd use .NET/IIS 7 to provide your customers with the page to upload their SSL certificate.
