Friday, April 1, 2016

Browser - Comodo RSA Certificate - BVP.com

On LinkedIn there was a trending item in Computer and Network Security Update about a Forbes blog post about an index of the largest security companies.


I went to Forbes and there was a link to the index.


I clicked on the link using Safari and got a certificate warning.



Tried Opera, got a warning.



Tried Chrome, got a warning.



Tried Authentic8 Silo, it went to the page, but then it is a virtualized browser so there is very little risk.

Tried Firefox, it loaded the page with no warning. Risk is unknown.

I tried using Google to find out if Comodo has been hacked. The best data I could find was here. This takes us back to the Trusting Trust problem. I can do Keychain First Aid, I can explicitly trust, but does that set me up for problems by a malware web site?

So, I asked Sandra Dunn, she knows as much about certificates as anyone I know.
= = =

Sandy,

I am pretty sure I know how to get Comodo trusted by my Mac, but I do not know how to tell if I should. Any insights you have would be appreciated.
http://securitywa.blogspot.com/2016/04/browser-comodo-rsa-certificate.html

Thank you,

Stephen Northcutt

= = =
Sandy replied, it works on Windows (I hate it when that happens, after I finish this blog post I need to do a search and destroy of QuickTime on my Win 10 box). By the way, Sandy is quoted/credited with permission.
= = =

Mr. Northcutt

https://www.bvp.com is working in both Chrome and IE for me on Windows

But running a TLS scan shows there are multiple issues and an F grade. I don’t have a Mac but I am going to check in a Linux system and see if I get a warning.

Best,


Sandy Dunn


= = =
So we have a stock index that claims to 2X outperform S&P and Dow Jones and trusting the certificate that proves they are who they claim to be is doubtful. Can anyone see the opportunity for mischief? Sandy did further investigation and wrote back.
= = =

Mr. Northcutt

The www.BVP.com certificate isn’t in good shape but I couldn’t figure out why I wasn’t being blocked from the site as you were. I tested www.bvp.com in Iceweasel and then I received the same error you saw. I saw that it was a chain issue and a call to a technical friend put the final pieces together. Windows has the Comodo Intermediary CA in the Intermediary root store. Iceweasel and apparently the browsers you were trying don’t have it either. Please see attached screen shots for more explanation.


Best,

Sandy Dunn

Windows does not have the intermediary in the certificate store



= = =
The bottom line for me, (Stephen), is that a stock index needs to be something you trust. When you invest in equities, you are investing money you worked hard to earn. There is always risk, you want to minimize that risk. From a cursory look at their list of the billion dollar club, it looks correct. I am going to guess that when Sandy and I went to BVP.com it really was them. However, the number of problems they have in their implementation makes it so that at least this one paranoid security guy is not going to blindly trust their site.
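
The chain issue from Sandy's second reply, reproduced offline as an added example (not part of the original post or the e-mails): a leaf certificate verifies only when the client can get hold of the intermediate, which is why a store that already holds it shows no warning. The CA names, the host `www.example.test`, all keys and the function names are constructed for this demo.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: root CA -> intermediate CA -> leaf for a placeholder host.
# Every name and key is generated locally; this is not the real site's chain.

new_cert() {  # new_cert DIR NAME SUBJECT EXTFILE [ISSUER]; no ISSUER means self-signed
  local d="$1" n="$2" subj="$3" ext="$4" issuer="${5:-}"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
      -extfile "$ext" -out "$d/$n.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" \
      -CAcreateserial -days 2 -extfile "$ext" -out "$d/$n.pem" 2>/dev/null
  fi
}

build_chain() {  # build_chain DIR
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
  new_cert "$d" root "/CN=Demo Root CA" "$d/ca.ext" &&
  new_cert "$d" int "/CN=Demo Intermediate CA" "$d/ca.ext" root &&
  new_cert "$d" leaf "/CN=www.example.test" "$d/leaf.ext" int
}

# Client that trusts only the root and is handed only the leaf (server omits the intermediate).
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
}

# Client that also has the intermediate available, e.g. from a local intermediate store.
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1
}

chain_ok() { grep -q ': OK$'; }  # reads `openssl verify` output on stdin

DEMO_DIR=$(mktemp -d)
build_chain "$DEMO_DIR"
verify_leaf_only "$DEMO_DIR" | chain_ok \
  && echo "leaf only: trusted" || echo "leaf only: NOT trusted"
verify_with_intermediate "$DEMO_DIR" | chain_ok \
  && echo "with intermediate: trusted" || echo "with intermediate: NOT trusted"
```

Against a live host, `openssl s_client -connect HOST:443 -servername HOST -showcerts` lists the certificates the server actually sends, so a missing intermediate shows up as a chain of one.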
