WebTen
Re: SSL-Security loophole?
Mark,
send your httpd.conf and a brief explanation to support and I will
find out what is happening. As far as I know, this shouldn't be
possible.
Tenon Tech Support
--eric
Dear Tenon,
I hope that I can be quite clear about my problem and that it is solvable.
I have a secure domain; it has a Verisign cert, etc., and works well
(fast!) and gives me an encrypted domain.
However I find myself in EXACTLY the same situation as before:
If you delete all CAs from your browser, then log into the domain,
you are prompted to accept the unknown cert. If you do, all is
well.
However... and this concerns me (and should concern you all): if you refuse
the cert, you are then able to view the site NON-ENCRYPTED. What
appears secure is in fact not. If you never fail-mode test this,
you would never know.
OK, how do I force the server to REFUSE the connection if it is not
secure? Other servers do this, as I have tried the above with them.
I know that there are Apache directives to do this; how do I
implement them?
Do you have a non-SSL host set up for the same domain?
No.
Or is it the default host/domain for the server?
No.
In either of those cases, non-SSL requests will be served.
I have looked at this closely. It serves non encrypted data over https.
If the virtual host for SSL is not the default for the machine,
and it doesn't have a matching non-SSL VH entry, then all requests
to that VH should only be SSL. Requests made with "http" should
say server not responding.
--
It does! But my point is that the pages are served with https!
This is most worrying and I am keeping this from my client. I have
to understand why the server is doing this, and will need your help
to do so.
Please remember that in IE 5 (Mac) I delete all CAs in the security
prefs and then the browser will NOT recognize the CA; it will then
allow you to see the pages apparently via https.
Here is my .conf file
I have set a test area on the SSL domain as:
https://www.agave.co.uk/test/
I can give you more access if required.
Regards
Mark.
Attachment converted: Macintosh HD:httpd.conf 2 (BINA/MUMM) (000B44AB)
--
Mark Bennett
Department of Biology
Imperial College at Wye
University of London
Wye, Ashford, Kent TN25 5AH, U.K.
Tel.: 020 759 42788 (Direct line)
Fax 020 759 42640
Extension: 42788
Email: mark.bennett@xxxxxxxx
"The box said 'Requires Windows 98, or better'. So I bought a Macintosh."
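The directives Mark asks about, as an added configuration example that is not from the thread and not Tenon's or WebTen's own configuration: it uses stock Apache/mod_ssl directive names (Apache 1.3/2.2 access-control syntax, with the 2.4 equivalent noted; WebTen's file may differ), the www.agave.co.uk name from the thread, and placeholder paths. The first port-80 host is the default and serves nothing, an explicit port-80 entry for the SSL name only redirects, and `SSLRequireSSL` inside the SSL host makes mod_ssl refuse (403) any request to that tree that did not arrive over an SSL-protected connection, whatever the virtual-host matching did.

```apache
# Added example, not from the thread or from WebTen. Apache 1.3/2.2 syntax;
# Apache 2.4 replaces Order/Deny/Allow with "Require all denied/granted"
# and no longer needs NameVirtualHost.
NameVirtualHost *:80

# Default (first-listed) port-80 host. It deliberately serves nothing, so a
# plain http://www.agave.co.uk/ request cannot fall through to the SSL
# site's document root. "default.example.invalid" is a placeholder name.
<VirtualHost *:80>
    ServerName default.example.invalid
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

# Explicit port-80 entry for the SSL name: no content, only a redirect,
# so nothing is ever served unencrypted under this name.
<VirtualHost *:80>
    ServerName www.agave.co.uk
    Redirect permanent / https://www.agave.co.uk/
</VirtualHost>

# The SSL host. SSLRequireSSL is the belt-and-braces check: mod_ssl returns
# 403 for any request in this tree whose connection is not SSL-protected,
# independent of which virtual host the request was routed to.
# Certificate and key paths are placeholders.
<VirtualHost *:443>
    ServerName www.agave.co.uk
    DocumentRoot /var/www/agave
    SSLEngine on
    SSLCertificateFile    /path/to/agave.crt
    SSLCertificateKeyFile /path/to/agave.key
    <Directory /var/www/agave>
        SSLRequireSSL
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

To check the result from outside, a request to http://www.agave.co.uk/ should return a 301 redirect (or a 403 from the default host) and never page content, while `openssl s_client -connect www.agave.co.uk:443` should show a completed handshake before any content is sent.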
Copyright©2003 Tenon Intersystems, 232 Anacapa Street, Suite 2A, Santa Barbara,
CA 93101. All rights reserved.