Re: [clamav-users] bugzilla security certificate

2016-12-12 Thread Steve Basford

On Wed, December 7, 2016 5:03 pm, Benny Pedersen wrote:

>> You can bypass the warning if desired.
>
> worst advice you have ever given here

Thanks... but I didn't actually say you *should* ... but browsers do allow
you to.

In this case the firefox error box was:

bugs.clamav.net uses an invalid security certificate.
The certificate ***is only valid*** for bugzilla.clamav.net
Error code: SSL_ERROR_BAD_CERT_DOMAIN

Seeing as the url is: https://bugs.clamav.net/
and the certificate is for bugzilla.clamav.net, you are given
a bit of information to help you decide if you really want to bypass the
warning.

BIG FLASHING LED'S -> not saying that you should

Plus, you have to click Advanced, Add Exception before you
even get to confirming the exception... so you have to be pretty certain
you want to do this.

Hopefully case closed ;)

-- 
Cheers,

Steve
Twitter: @sanesecurity

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] bugzilla security certificate

2016-12-11 Thread Joel Esler (jesler)
ClamAV is not the only project we run.  When you all (or we) discover an issue, 
I take that information, file a ticket with our operations team, and the issues 
are resolved as we get to them, just like any other infrastructure.  Not only 
do we run ClamAV, but we run Snort, and entire Talos infrastructure.  With the 
same ops team.  

Right now, 99% of the work with ClamAV is behind the scenes with the system 
that generates and publishes signatures.  Since we re-wrote the entire system, 
we've had a couple issues on the backend, and we've been fixing them as they 
come along.  However, we have a major issue right now with the simultaneous 
amount of signatures that we can input into the system, and we are working on 
this.  

As for the blog, it's on http.  There's nothing that needs to be encrypted 
there, it's just a news outlet, and we have no need of making it http.  The blog 
is hosted on blogger.com, which does not allow https, so in order to encrypt 
the traffic, we'd have to move to a different blog infrastructure.  Something I 
have no interest in doing at this time, or in the foreseeable future.  The blog 
is for news.  It can stay unencrypted.

We'll take a look at the rest.  Lists is hosted by us, and we can fix that.  
I'll file a ticket.  I already have a ticket in for the bugzilla https issue.

Sent from my iPad

> On Dec 11, 2016, at 7:45 PM, timeless  wrote:
> 
> Reindl Harald wrote:
>> don't matter - instead of writing a mail that should have been just fixed
> 
> I'm pretty sure the author was "filing a bug report" and not in a
> position to fix it...
> 
> I'd hope that user MLs would not be particularly hostile to users
> reporting things that need to be fixed...
> 
>> it's not rocket science to deploy SSL certs which match the used hostnames,
>> at least not when it takes a few seconds to parse a vhost config and verify
>> if all the names are listed in the cert while the main question is why a
>> vhost needs that many names at all instead "THAT is the name of the
>> subdomain and THAT is the certificate for it"
> 
> Eh. Getting this stuff right isn't necessarily rocket science, but it
> often isn't as easy as one might expect.
> Split horizon dns servers come to mind. I haven't looked at forwarding
> proxies yet, but, ...
> 
> Certainly, if a server is configured to only offer a single service
> (not unreasonable), it isn't enough for it to know its own hostname,
> it also needs to know all legitimate dns records that might point to
> it.
> 
> (And the person maintaining a server/service isn't necessarily the
> person who maintains DNS.)
> 
> Actually having a script to validate this seems useful.
> 
> FWIW, to make this email more useful, it'd be nice if:
> 1. https://blog.clamav.net worked (there's currently no server
> listening on :443, so when someone goes to fix bugzilla's server, if
> they could consider issuing a blog cert and enabling it for blog,
> that'd be nice).
> Also, unlike blog:
> 2. lists.clamav.net seems to have half of a server on :443, it's
> listening, but not answering. It'd be nice if someone fixed it to
> answer.
> 
> Assuming one has a friendly ns server (i.e. what I'm going to be stuck
> doing sometime soon), one basically wants to query the name server
> using dig ANY server and then run curl -sS https://{hostname} >
> /dev/null


Re: [clamav-users] bugzilla security certificate

2016-12-11 Thread timeless
Reindl Harald wrote:
> don't matter - instead of writing a mail that should have been just fixed

I'm pretty sure the author was "filing a bug report" and not in a
position to fix it...

I'd hope that user MLs would not be particularly hostile to users
reporting things that need to be fixed...

> it's not rocket science to deploy SSL certs which match the used hostnames,
> at least not when it takes a few seconds to parse a vhost config and verify
> if all the names are listed in the cert while the main question is why a
> vhost needs that many names at all instead "THAT is the name of the
> subdomain and THAT is the certificate for it"

Eh. Getting this stuff right isn't necessarily rocket science, but it
often isn't as easy as one might expect.
Split horizon dns servers come to mind. I haven't looked at forwarding
proxies yet, but, ...

Certainly, if a server is configured to only offer a single service
(not unreasonable), it isn't enough for it to know its own hostname,
it also needs to know all legitimate dns records that might point to
it.

(And the person maintaining a server/service isn't necessarily the
person who maintains DNS.)

Actually having a script to validate this seems useful.

FWIW, to make this email more useful, it'd be nice if:
1. https://blog.clamav.net worked (there's currently no server
listening on :443, so when someone goes to fix bugzilla's server, if
they could consider issuing a blog cert and enabling it for blog,
that'd be nice).
Also, unlike blog:
2. lists.clamav.net seems to have half of a server on :443, it's
listening, but not answering. It'd be nice if someone fixed it to
answer.

Assuming one has a friendly ns server (i.e. what I'm going to be stuck
doing sometime soon), one basically wants to query the name server
using dig ANY server and then run curl -sS https://{hostname} >
/dev/null
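The validation script timeless asks for above, written out as an added example (it is not code from the list, from timeless, or from the ClamAV project). It takes the hostnames that point at a server (the list you would collect with `dig`, as in the post), performs a TLS handshake with SNI against each, and reports which names the presented certificate does not cover, which is exactly the condition behind Firefox's SSL_ERROR_BAD_CERT_DOMAIN. The chain is still verified; only the hostname comparison is done by the script so that a mismatch can be explained instead of just failing. The function names, the `EXAMPLE_CERT` dictionary and the offline demo are assumptions constructed from the thread's own error message; the cert-fetching part only touches the network when you pass live hostnames on the command line.

```python
"""Audit which hostnames a server's TLS certificate really covers.

Added example for this thread (not the list's or the ClamAV project's
code). For each name pointing at a server it connects with SNI, reads
the certificate that comes back and reports the names it does not cover.
EXAMPLE_CERT is a constructed stand-in for what bugs.clamav.net presented.
"""
import socket
import ssl
from typing import Callable, Dict, List

Cert = Dict  # the dict shape returned by ssl.SSLSocket.getpeercert()

# Constructed from the thread's error message: a certificate whose only
# name is bugzilla.clamav.net, served on the bugs.clamav.net host.
EXAMPLE_CERT: Cert = {
    "subject": ((("commonName", "bugzilla.clamav.net"),),),
    "subjectAltName": (("DNS", "bugzilla.clamav.net"),),
}


def cert_dns_names(cert: Cert) -> List[str]:
    """Names the certificate is valid for: SAN dNSName entries, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and '*' is allowed only as
    the entire left-most label of a name with at least three labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Cert, hostname: str) -> bool:
    """True when any SAN (or, failing that, the CN) in the certificate covers `hostname`."""
    return any(name_matches(name, hostname) for name in cert_dns_names(cert))


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> Cert:
    """TLS handshake with SNI for `hostname`; return the parsed leaf certificate.

    The chain must still verify against the system trust store, but the
    hostname check is turned off so that a name mismatch yields the
    certificate (to report what it *is* valid for) instead of an exception.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # names are compared by hostname_matches()
    ctx.verify_mode = ssl.CERT_REQUIRED  # an untrusted chain is still an error
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def audit_hosts(hostnames: List[str],
                fetch: Callable[[str], Cert] = fetch_peer_cert) -> Dict[str, str]:
    """Map each hostname to 'ok', 'mismatch: ...' or 'error: ...'."""
    report: Dict[str, str] = {}
    for host in hostnames:
        try:
            cert = fetch(host)
        except OSError as exc:  # ssl.SSLError, timeouts and refused connections
            report[host] = f"error: {exc.__class__.__name__}: {exc}"
            continue
        if hostname_matches(cert, host):
            report[host] = "ok"
        else:
            report[host] = "mismatch: certificate only valid for " + ", ".join(cert_dns_names(cert))
    return report


def demo_offline() -> Dict[str, str]:
    """Replay the thread's situation without the network, using EXAMPLE_CERT."""
    return audit_hosts(["bugs.clamav.net", "bugzilla.clamav.net"],
                       fetch=lambda _host: EXAMPLE_CERT)


if __name__ == "__main__":
    import sys
    # Pass the hostnames you collected (e.g. from dig) as arguments for a live audit.
    results = audit_hosts(sys.argv[1:]) if len(sys.argv) > 1 else demo_offline()
    for host, status in results.items():
        print(f"{host:28} {status}")
```

Run without arguments it replays the thread's case offline: bugzilla.clamav.net comes back `ok` and bugs.clamav.net comes back `mismatch: certificate only valid for bugzilla.clamav.net`. The wildcard rule in `name_matches` is deliberately strict (one `*`, whole left-most label only, never covering a bare second-level domain), which is the behaviour browsers apply and the reason a `*.clamav.net` certificate would fix `bugs.clamav.net` but not `clamav.net` itself.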


Re: [clamav-users] bugzilla security certificate

2016-12-11 Thread Reindl Harald

On 12.12.2016 at 00:25, timeless wrote:
> Firefox reports:
>> "bugs.clamav.net uses an invalid security certificate. The certificate is
>> only valid for bugzilla.clamav.net Error code: SSL_ERROR_BAD_CERT_DOMAIN"
>
>> You can bypass the warning if desired.
>
> (FWIW, Chrome also allows this)
>
> Benny Pedersen wrote:
>> worst advice you have ever given here
>
> I think he meant that Firefox offers to allow you to continue past the
> warning (some warnings in SSL land are fatal) --
> Speaking as someone who was involved in this error message.

don't matter - instead of writing a mail that should have been just fixed

> Usability and Security are always tradeoffs. If a product is too
> hard/painful/cumbersome to use, it doesn't matter if it's the most
> secure, people will move away from it

it's not rocket science to deploy SSL certs which match the used 
hostnames, at least not when it takes a few seconds to parse a vhost 
config and verify if all the names are listed in the cert while the main 
question is why a vhost needs that many names at all instead "THAT is 
the name of the subdomain and THAT is the certificate for it"



Re: [clamav-users] bugzilla security certificate

2016-12-11 Thread timeless
> Firefox reports:
>> "bugs.clamav.net uses an invalid security certificate. The certificate is
>> only valid for bugzilla.clamav.net Error code: SSL_ERROR_BAD_CERT_DOMAIN"

>> You can bypass the warning if desired.

(FWIW, Chrome also allows this)

Benny Pedersen wrote:
> worst advice you have ever given here

I think he meant that Firefox offers to allow you to continue past the
warning (some warnings in SSL land are fatal) --
Speaking as someone who was involved in this error message.

Usability and Security are always tradeoffs. If a product is too
hard/painful/cumbersome to use, it doesn't matter if it's the most
secure, people will move away from it.

FWIW, the usual reason not to just drop a domain is inbound links from
the web. If you think there are links for this domain in people's
bookmarks, documentation, printed material, etc, or if you believe
people are likely to guess the domain, then you should keep the domain
and fix the cert (either w/ SNI or SAN).

As for setting up certs, I have faith that the ClamAV folks can fix
them (one of my adventures this week will be doing some certificate
issuing internally, and I'm sure I'll be sending bugs about poor
documentation to a number of vendors...).


Re: [clamav-users] bugzilla security certificate

2016-12-07 Thread Benny Pedersen

Joel Esler (jesler) wrote on 2016-12-07 18:10:

> Thanks Steve,
>
> I've opened a ticket for review.

using http:// redirect to the one that works, nice :=)

simply kill that dns is the fastest solution

Re: [clamav-users] bugzilla security certificate

2016-12-07 Thread Joel Esler (jesler)
Thanks Steve,

I’ve opened a ticket for review.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Dec 7, 2016, at 11:42 AM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:

> Just a quick one... in case it confuses visitors to Bugzilla...
>
> Going to https://bugs.clamav.net/
>
> Firefox reports:
>
> "bugs.clamav.net uses an invalid security certificate. The certificate is
> only valid for bugzilla.clamav.net Error code: SSL_ERROR_BAD_CERT_DOMAIN"
>
> You can bypass the warning if desired.
>
> --
> Cheers,
>
> Steve
> Twitter: @sanesecurity


Re: [clamav-users] bugzilla security certificate

2016-12-07 Thread Reindl Harald

On 07.12.2016 at 17:42, Steve Basford wrote:
> Just a quick one... in case it confuses visitors to Bugzilla...
>
> Going to https://bugs.clamav.net/
>
> Firefox reports:
>
> "bugs.clamav.net uses an invalid security certificate. The certificate is
> only valid for bugzilla.clamav.net Error code: SSL_ERROR_BAD_CERT_DOMAIN"
>
> You can bypass the warning if desired

well, a bad attitude in case of security software

either:

* use a wildcard certificate
* use the domain for which the certificate is valid (bugzilla.clamav.net)


Re: [clamav-users] bugzilla security certificate

2016-12-07 Thread Benny Pedersen

Steve Basford wrote on 2016-12-07 17:42:

> Just a quick one... in case it confuses visitors to Bugzilla...

+1

> Going to https://bugs.clamav.net/

well spotted ssl error

> Firefox reports:
>
> "bugs.clamav.net uses an invalid security certificate. The certificate is
> only valid for bugzilla.clamav.net Error code: SSL_ERROR_BAD_CERT_DOMAIN"

hopefully clamav.net knows how to make it right

> You can bypass the warning if desired.

worst advice you have ever given here


[clamav-users] bugzilla security certificate

2016-12-07 Thread Steve Basford
Just a quick one... in case it confuses visitors to Bugzilla...

Going to https://bugs.clamav.net/

Firefox reports:

"bugs.clamav.net uses an invalid security certificate. The certificate is
only valid for bugzilla.clamav.net Error code: SSL_ERROR_BAD_CERT_DOMAIN"

You can bypass the warning if desired.

-- 
Cheers,

Steve
Twitter: @sanesecurity
