Archive

Archive for the ‘security’ Category

firefox 31 + self-signed certificate = sec_error_ca_cert_invalid

July 23rd, 2014 28 comments

If you are trying to access site with self-signed certificate with Firefox 31 (or later) and get Issuer certificate is invalid error (sec_error_ca_cert_invalid), you have to disable new mozilla::pkix certificate verification.

In about:config set

security.use_mozillapkix_verification = false

 

To find out more about mozilla::pkix and why your firefox just got so super secure and paranoid, that it doesn’t allows you to access you own site without googling see https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification. I’m only wondering why did they renamed it from insanity::pkix to mozilla::pkix – do they confess that ‘mozilla’ is slowly becoming a synonym for ‘insane’ ?-) Throwing such an error without any hint or possiblity to add an exception (as usual) is IMHO insane – but, who cares about power users today…

Update: As noted by comments, this will be not work in Firefox 33 (or later).

Categories: admin, how-to, security, time saver Tags:

windows – exporting non-exportable private key

April 5th, 2012 No comments

If you are trying to export windows certificate with private key, and windows export wizard provides no such possibility (export with private key is grayed out) because private key has been install as non-exportable (what is the default when importing, what almost nobody changes), there is a great tool mimikatz that makes this possible.

Download it from http://blog.gentilkiwi.com/mimikatz.

And follow this procedure:

  1. crypto::patchcapi (or crypto::patchcng if previous did not work)
  2. crypto::listKeys (or crypto::listCertificates) to list keys/certificates
  3. crypto::exportKeys (or crypto::exportCertificates) to export what you want

That’s all. Exported keys will be protected with password ‘mimikatz‘ – you will need to enter it when importing certificate again.

 

Categories: admin, how-to, security, time saver Tags:

Security fail (Google)

April 7th, 2010 No comments

Just a quick post about a little (and nasty) bug I’ve found in Google Docs. I’ve already contacted Google 2 months ago (11 Februar), but they seem to have better work (counting money or smth. like that) and I didn’t received any response nor the bug has not been fixed.

Description:

Anyone with invite link to some specific document stored in Google Docs, can view this document regardless of sharing properties defined. This includes also guest visitors of the document, and that means no signing-in to Google Docs service is required to access such a link and view private document.  Well maybe this is some kind of ultra easy accessibility feature, but for me it looks like a bug ;-)

Example:

https://docs.google.com/Doc?docid=0AYYA7ZD-UOAFZHY1bXFucV8zM2RjM3NtNmNu&hl=en

This document is private, shared only with one another account and i presume you can not view it, but if you use this link

https://docs.google.com/Doc?docid=0AYYA7ZD-UOAFZHY1bXFucV8zM2RjM3NtNmNu&hl=en&invite=CI-f3KoG

you can see it’s content. Not very optimal.

How-to reproduce:

  1. create document
  2. share it with someone
  3. use the invite link to feel like a hacker and view your own private document without being signed-in,

How-to abuse:

Well not so easily, you must get the invite link somehow. But, I think it is not so hard as it seems. The invite link works even after the original user has been disallowed to view the document, so something as revoking access to a Google Document to someone that already had access to is is only a pure dream.

Have a nice day

Categories: security Tags: ,