Author Topic: Got to love the AU government's stance on security  (Read 2936 times)


Offline gnif (Topic starter)

  • Administrator
  • *****
  • Posts: 1677
  • Country: au
Got to love the AU government's stance on security
« on: October 24, 2014, 11:08:35 am »
Ok, I find this extremely funny...

Have a quick read over this...
http://www.oaic.gov.au/news-and-events/news/privacy-news/recent-online-security-incidents

And then go here...
https://www.oaic.gov.au/

 :palm:
 

Offline sunnyhighway

  • Frequent Contributor
  • **
  • Posts: 276
  • Country: nl
Re: Got to love the AU government's stance on security
« Reply #1 on: October 24, 2014, 12:06:25 pm »
Whooa, this is wrong in so many ways I don't even know where to start.  |O

But at least AllowNoPassword is set to false

I guess doing one thing right can make up for a dozen or so wrongs.
 

Offline HackedFridgeMagnet

  • Super Contributor
  • ***
  • Posts: 2028
  • Country: au
Re: Got to love the AU government's stance on security
« Reply #2 on: October 24, 2014, 12:32:47 pm »
Well, the protocol is right.

What is it, a honey trap? Or they can't configure a webserver.
 

Offline jeremy

  • Super Contributor
  • ***
  • Posts: 1079
  • Country: au
Re: Got to love the AU government's stance on security
« Reply #3 on: October 24, 2014, 12:36:41 pm »
Wrong certificate used. Looks like a self-signed one that they used for phpMyAdmin access (hey everyone! they are using PHP and MySQL!) and it got dropped onto the root configuration.
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Got to love the AU government's stance on security
« Reply #4 on: October 25, 2014, 12:36:26 am »
Cheap asses

ERR_CERT_AUTHORITY_INVALID

You'd think they can afford at least $500 per domain per year, or go nuts and get the full deal for $2000, or low bid it and get a standard SSL certificate for $200 and extended validation for $300/year or $500 for 25 subdomains.

And if they commit to 3 years then it gets way cheaper.

But it's so common that all those SSL errors get ignored, not just a valid CA, but dated in the future or expired even if it's self-signed.  ::)

Plus using PHP and MySQL, depending how lazy their web developers were, I bet there are many SQL-injectable pages in there.

I'm so glad I never worked on the server side of things, but from the client side of things it's unbelievable to see how many holes there are on servers just to save a few dollars.

 

Offline gnif (Topic starter)

  • Administrator
  • *****
  • Posts: 1677
  • Country: au
Re: Got to love the AU government's stance on security
« Reply #5 on: October 25, 2014, 12:51:14 am »
> Cheap asses
>
> ERR_CERT_AUTHORITY_INVALID
>
> You'd think they can afford at least $500 per domain per year, or go nuts and get the full deal for $2000, or low bid it and get a standard SSL certificate for $200 and extended validation for $300/year or $500 for 25 subdomains.
>
> And if they commit to 3 years then it gets way cheaper.
>
> But it's so common that all those SSL errors get ignored, not just a valid CA, but dated in the future or expired even if it's self-signed.  ::)
>
> Plus using PHP and MySQL, depending how lazy their web developers were, I bet there are many SQL-injectable pages in there.
>
> I'm so glad I never worked on the server side of things, but from the client side of things it's unbelievable to see how many holes there are on servers just to save a few dollars.

I have often used a self-signed CA to provide some level of encryption to a backend/database interface, and I sign it with my own CA which is installed on my local PC as a trusted root authority, so the protection is just as good as if I purchased the cert. The issue here is not the SSL cert, it is that they have exposed their database via phpMyAdmin to the world, and all you have to do is hit the secure website to find it.
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Got to love the AU government's stance on security
« Reply #6 on: October 25, 2014, 12:59:30 am »
Unless someone hijacks the DNS table and redirects you to a proxy and performs a man in the middle attack.

If it has customer data or anything important, you are better off paying the CA fee.

But yeah, that's the least of their problems.


 

Offline gnif (Topic starter)

  • Administrator
  • *****
  • Posts: 1677
  • Country: au
Re: Got to love the AU government's stance on security
« Reply #7 on: October 25, 2014, 09:38:18 am »
> Unless someone hijacks the DNS table and redirects you to a proxy and performs a man in the middle attack.
>
> If it has customer data or anything important, you are better off paying the CA fee.
>
> But yeah, that's the least of their problems.

MITM attack won't work if I am signing it with my own CA... there is a chain of trust there. But yes, for anything serious a real cert is always used, but server to server comms, or backends for development, etc... signed with my own CA is enough provided that I never let my CA's private key out into the wild. (i.e., look at how Puppet works)
« Last Edit: October 25, 2014, 09:40:14 am by gnif »
 

