safety for a new computer for Christmas
davidh
December 20th, 2008, 12:27 AM
The twelve (or so) hints of Christmas.
Published: 2008-12-18,
Last Updated: 2008-12-19 21:46:09 UTC
by Mark Hofman (Version: 1)
It is that time of the year again when people rush out and buy computers, although in the current economic climate this may be a bit less than usual. Brent (thanks) suggested that maybe we could do a list of things you should be doing to help protect that family member who is about to receive their new online toy.
So here is a list of things to do (thanks Swa) before you hand the machine over to your friend, family member, distant relative, neighbour, or friendly stranger.
http://isc.sans.org/diary.html?storyid=5521&rss
David H
Judy G. Russell
December 20th, 2008, 08:21 AM
They forgot the "don't connect to the Internet until you've done all the security steps" part.
Jeff
December 20th, 2008, 12:12 PM
They forgot the "don't connect to the Internet until you've done all the security steps" part.
And even after that, it's possible to get bit. Go here: mysearsrebate.com and watch what happens. Then go to www.mysearsrebate.com
How many people would just blow past the warning, or at least the one IE puts up? The leading www part has about become redundant don't ch' know. And that's how I got to the scam site this morning, by leaving it off on the first go.
- Jeff
Judy G. Russell
December 20th, 2008, 03:32 PM
And even after that, it's possible to get bit. Go here: mysearsrebate.com and watch what happens. Then go to www.mysearsrebate.com How many people would just blow past the warning, or at least the one IE puts up? The leading www part has about become redundant don't ch' know. And that's how I got to the scam site this morning, by leaving it off on the first go.
On Firefox, I get a big "this has a bad security certificate" warning.
sidney
December 20th, 2008, 03:50 PM
And that's how I got to the scam site this morning, by leaving it off on the first go
mysearsrebate.com is not a scam site. What you saw is the miserable user interface that web security as it is practiced has nowadays and quite a bit of sloppiness by the web site administrator in setting up the web site.
mysearsrebate.com and www.mysearsrebate.com are the same site on the same web server. Both names translate to the same ip address, and the web server responds the same to URLs using either name.
The problem is that the people who set up the standards for SSL did not really take this situation into account. A web server using SSL has a "certificate" that contains information that includes the host name of the web server. The certificate is digitally signed by the issuing certificate authority from whom the owner of the web site purchased the certificate. Your browser verifies that 1) the certificate is signed by one of the recognized certificate authorities, and 2) the host name in the certificate matches the host name in the URL.
Here is the type of fraud that checking for (1) and (2) prevents: Scammer buys domain my5earsrebate.com and sets up a hoax website. (1) prevents them from setting up a certificate for their web site that says "mysearsrebate.com" because they can't convince a recognized certificate authority to give them one and your browser won't accept a certificate that they make themselves; (2) prevents them from getting a certificate for my5earsrebate.com or www.my5earsrebate.com and then using a DNS spoof attack to hijack browsers accessing the real www.mysearsrebate.com URL into ending up at their web site.
If they were able to do such a spoof, you would go to www.mysearsrebate.com and get the warning that you saw, but it would say that the host name www.mysearsrebate.com does not match the certificate name www.my5earsrebate.com.
You can see how that warning would raise alarm bells and would be useful.
Unfortunately, DNS spoof attacks are extremely difficult and very rare. It would be much more likely that the scammer would trick you into clicking on a link for www.my5earsrebate.com without you noticing the slight error, and it would go to their www.my5earsrebate.com that has a valid www.my5earsrebate.com certificate and you would get no warning at all.
What the warning does do is give you a scary dialog in the more common and legitimate circumstance that the web admin has made www.mysearsrebate.com and mysearsrebate.com be the same because there is no reason for people to type 'www.' all the time.
This is laziness or sloppiness on the part of the web admin. They could easily make http://mysearsrebate.com immediately redirect to https://www.mysearsrebate.com instead of what it now does, redirect to https://mysearsrebate.com which gives you the scary warning. Or they could spend just a little bit of money compared to their existing expenses of running a web site (something like one or two hundred dollars a year more, I think - a ripoff price but chump change for a company) for a "wildcard" certificate that can be used with any *.mysearsrebate.com host name.
The worst thing about this is that it either scares users when they don't have to be, or trains them to ignore scary warnings that are similar to scary warnings that really do indicate problems.
By the way, the way I can tell that mysearsrebate.com is legitimate is by checking the certificate on the site (clicking on the lock icon in the browser outside of the web page itself, or selecting the option to view the certificate when you get the scary warning) and on the www.mysearsrebate.com site and verifying that both have the same information including the "fingerprint" field. That shows that whoever is running mysearsrebate.com does have physical possession of a copy of the certificate that is used by www.mysearsrebate.com, which is as good verification as you are going to get with SSL.
Jeff
December 21st, 2008, 11:57 AM
Thank you Sidney Sir! I've read your explanation three times and about it I have to say this:
Sears is not a small company, I have never had that response to a missing leading www happen before, and you are seeing something I can't see.
"By the way, the way I can tell that mysearsrebate.com is legitimate is by checking the certificate on the site (clicking on the lock icon in the browser outside of the web page itself, or selecting the option to view the certificate when you get the scary warning)"
When the warning comes up I get no lock icon and no opportunity to view the certificate that it's talking about. That could be my IE 7 in full block mode.
Now that I've actually registered and thereby have access would you mind if I forwarded your comments to them? Someone should be spanked.
- Jeff
sidney
December 21st, 2008, 12:58 PM
Sears is not a small company, I have never had that response to a missing leading www happen before, and you are seeing something I can't see.
If you were in the habit of typing https://example.com instead of http://example.com for a site that uses https://www.example.com then you would see it more often. But when a site redirects you from a http URL to their secure https URL there is no excuse for them to set up http://example.com to redirect to https://example.com instead of redirecting to https://www.example.com if the latter is what their certificate requires you to use. This really is sloppy setup by Sears.
When the warning comes up I get no lock icon and no opportunity to view the certificate that it's talking about. That could be my IE 7 in full block mode.
I don't use IE so I don't know how to see the certificate in it. I'm sure there is a way and that it is too obscure to expect someone to know about it without explicit instructions. The poor quality of the security user interface extends to all the browsers as well as most web sites, and I'm not praising Firefox as an example of how it should be done. On the other hand, Firefox is quite a bit more secure than IE and switching to it is one way to avoid problems.
Now that I've actually registered and thereby have access would you mind if I forwarded your comments to them? Someone should be spanked.
No problem. To be really simple and explicit: They can solve the bulk of the problem for their users if they have http://mysearsrebate.com redirect to https://www.mysearsrebate.com instead of redirecting to https://mysearsrebate.com as it now does.
-- sidney
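The host-name check sidney describes (his check (2) in the earlier post) and the redirect fix he repeats here can be shown in a few lines. The block below is an added example, not code from the thread or from any browser: it implements the matching rule browsers apply (a certificate name matches the URL host exactly, or a leading `*.` wildcard matches exactly one label, so `*.mysearsrebate.com` covers `www.mysearsrebate.com` but not the bare `mysearsrebate.com`), then applies it to the two redirect targets discussed. The certificate name lists and fingerprints are constructed for illustration; the "reject wildcards with fewer than three labels" rule is a simplification of the public-suffix checks real browsers perform.

```python
"""Added example (not from the original thread): how a browser decides
whether a certificate covers the host in the URL, and why redirecting to
https://mysearsrebate.com warns while https://www.mysearsrebate.com does not.
All certificate data here is constructed for illustration."""
from urllib.parse import urlsplit


def hostname_matches(hostname: str, cert_names: list[str]) -> bool:
    """True if `hostname` is covered by one of the DNS names in a certificate
    (subject CN / subjectAltName), following the RFC 6125 rules browsers use:
      * comparison is case-insensitive,
      * a wildcard is allowed only as the entire leftmost label,
      * the wildcard matches exactly one label, so '*.example.com' covers
        'www.example.com' but not 'example.com' or 'a.b.example.com'.
    """
    host = hostname.rstrip(".").lower()
    for name in cert_names:
        name = name.rstrip(".").lower()
        if "*" not in name:
            if host == name:
                return True
            continue
        labels = name.split(".")
        # Reject partial wildcards such as 'w*.example.com', a second '*',
        # and over-broad names like '*.com' (simplified public-suffix rule).
        if labels[0] != "*" or "*" in name[2:] or len(labels) < 3:
            continue
        host_labels = host.split(".")
        if len(host_labels) == len(labels) and host_labels[1:] == labels[1:]:
            return True
    return False


# Constructed: a certificate issued only for the www host, as the thread
# suggests Sears' site has.
WWW_ONLY_CERT = ["www.mysearsrebate.com"]
# Constructed: the wildcard certificate sidney mentions as the other fix.
# Note that it still does not cover the bare domain.
WILDCARD_CERT = ["*.mysearsrebate.com"]


def redirect_outcome(target_url: str, cert_names: list[str]) -> str:
    """Describe what the user sees when http://mysearsrebate.com redirects to
    `target_url` and the server presents a certificate naming `cert_names`."""
    parts = urlsplit(target_url)
    if parts.scheme != "https":
        return "no TLS, no certificate check"
    if hostname_matches(parts.hostname or "", cert_names):
        return "ok"
    return f"WARNING: {parts.hostname} not in certificate {cert_names}"


def same_fingerprint(fp_a: str, fp_b: str) -> bool:
    """Compare two certificate fingerprints as copied from two browser dialogs,
    ignoring the ':' or space separators and letter case (sidney's manual
    check that both host names serve the same certificate)."""
    norm = lambda s: "".join(ch for ch in s.lower() if ch in "0123456789abcdef")
    return norm(fp_a) != "" and norm(fp_a) == norm(fp_b)


if __name__ == "__main__":
    # The redirect Sears currently uses versus the one sidney recommends.
    for target in ("https://mysearsrebate.com/", "https://www.mysearsrebate.com/"):
        print(f"{target:40} -> {redirect_outcome(target, WWW_ONLY_CERT)}")
    # The wildcard certificate fixes www but still not the bare domain.
    print("bare domain with wildcard cert:",
          redirect_outcome("https://mysearsrebate.com/", WILDCARD_CERT))
```

Running it prints "ok" for the www target and a warning for the bare-domain target with the www-only certificate, which is exactly the difference between the two redirects discussed above; it also shows that the wildcard certificate on its own would not quiet the warning for https://mysearsrebate.com, so the redirect change is the fix that covers both cases.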
Jeff
December 21st, 2008, 01:28 PM
Thankee again, Sir. But you give me way too much credit. Not only do I no longer type www, I can't remember the last time I typed http anything. First I stopped the latter, and then the former. And any day now AI will keep me from typing anything at all.
The Sears webmaster is going to be spanked, although it does appear that the rebate site is new since the first of last month. That's no excuse, though.
- Jeff