Security Exceptions for Invalid Certificates are Risky

May 18, 2013 at 16:45:51
Specs: Windows 7, AMD FX 4100 | 8GB Ram
Why...Oh Why...should we need to consider making security exceptions in our browser when we encounter an error code that reports an invalid certificate...when it's quite possible that it is a maintenance issue with the website itself...hence the error code denoting an invalid certificate!

Should we automatically assume that every single website address is up to par in this regard?...

I think NOT!

Sometimes we have to resolve ourselves to the fact that if a website renders such an error, it is because there is an inherent flaw with their current security protocols...and therefore we should be extra careful and in fact, maybe even stay away from the site for now...until, that is, the website owner has addressed the problem.

No sense in creating further security risk by insisting on visiting the site without first at least finding out why the problem is occurring and also what the site owner is saying and doing about the error.

All the top browsers are far more advanced than they used to be...and so long as the browsers are up to date, as well as your computer security software and properly configured, then chances are good that it is a website problem that should not be obfuscated by the average end-user by making a security exception (UNLESS YOU ARE AN EXPERT AND KNOW EXACTLY WHAT YOU ARE DOING)...otherwise you just create a security risk that you may later regret...

It is important to understand the functionality and features of the web browser you use.

Enabling some web browser features may lower security. Often, vendors will enable features by default to improve the computing experience, but these features may end up increasing the risk to the computer.

Attackers focus on exploiting client-side systems (your computer) through various vulnerabilities. They use these vulnerabilities to take control of your computer, steal your information, destroy your files, and use your computer to attack other computers. A low-cost way attackers do this is by exploiting vulnerabilities in web browsers. An attacker can create a malicious web page that will install Trojan software or spyware that will steal your information.

Additional information about spyware is available in the following document:

Rather than actively targeting and attacking vulnerable systems, a malicious web site can passively compromise systems as the site is visited. A malicious HTML document can also be emailed to victims. In these cases, the act of opening the email or attachment can compromise the system.

Some software features that provide functionality to a web browser, such as ActiveX, Java, Scripting (JavaScript, VBScript, etc.), may also introduce vulnerabilities to the computer system. These may stem from poor implementation, poor design, or an insecure configuration. For these reasons, you should understand which browsers support which features and the risks they could introduce. Some web browsers permit you to fully disable the use of these technologies, while others may permit you to enable features on a per-site basis.

Understanding what different features do will help you understand how they affect your web browser's functionality and the security of your computer.

The above information was excerpted from a historic document first released in 2006 and last updated in 2008 on the following webpage:


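Added here as an illustration (not code from the original post): the Go program below runs the same certificate validation a browser does and names the cause, which is the "finding out why the problem is occurring" step the post recommends before anyone considers an exception. It uses a constructed, throwaway self-signed certificate for the assumed host www.example.test, so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Classify runs the chain validation a browser performs and names the cause of failure.
func Classify(cert *x509.Certificate, host string, roots *x509.CertPool, now time.Time) string {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	switch e := err.(type) {
	case nil:
		return "valid"
	case x509.HostnameError:
		return "hostname mismatch" // issued for a name other than the one being visited
	case x509.UnknownAuthorityError:
		return "unknown issuer" // self-signed, or signed by a CA the client does not trust
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "expired or not yet valid" // the classic site-side maintenance lapse
		}
	}
	return "invalid: " + err.Error()
}

// makeCert builds a constructed, throwaway self-signed leaf for an assumed host, valid one hour either side of now.
func makeCert(host string) *x509.Certificate {
	_, key, _ := ed25519.GenerateKey(rand.Reader) // does not fail with rand.Reader
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced a moment ago always parses
	return cert
}

func main() {
	cert, now := makeCert("www.example.test"), time.Now()
	empty := x509.NewCertPool() // no trusted roots, as for any self-signed site certificate
	fmt.Println(Classify(cert, "www.example.test", empty, now))                  // unknown issuer
	fmt.Println(Classify(cert, "login.example.test", empty, now))                // hostname mismatch
	fmt.Println(Classify(cert, "www.example.test", empty, now.Add(2*time.Hour))) // expired or not yet valid
}
```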

September 9, 2013 at 05:18:00
Certificates and SSL are very vulnerable; a lot of sites do not implement them properly. Moxie Marlinspike had several good presentations at various security conferences on this topic.
After all, I agree with Bruce Schneier - it is a matter of trust - as you trust the taxi driver to get you from hotel to airport (and not to rob you) :)
And for ordinary end users I recommend - removing Java, running NoScript, keeping Adobe and other software up-to-date, using updated Antivirus.
If you suspect any infection - do a system restore asap (as current viruses download and pull from the Internet more and more other malware with time) and then scan and clean your PC with something like Combofix or Malwarebytes.
