Problem with Half-SSL...
Mar. 23, 2009, 05:03 PM
Post: #16
RE: Problem with Half-SSL...
(Mar. 23, 2009 02:27 PM)ProxRocks Wrote:  malware warnings are becoming a bit of a "boy that cried wolf"...
Google has malware warnings on search links that seem more often than not to be just that, "wolf! wolf!" and chuckle as everyone trips over each other as they seek shelter...


editing above links to remove half-ssl, does that fix the malware false-positive?

There were 2 warnings before, now there's only 1
Mar. 23, 2009, 05:24 PM (This post was last modified: Mar. 23, 2009 05:26 PM by ProxRocks.)
Post: #17
RE: Problem with Half-SSL...
interesting...
i was having second thoughts in regards to posting them "as" half-ssl anyway - any of us doing the debugging, our configs would have converted them for us anyway...

not sure where that second warning could be coming from...
other than having "financial" login links on a "non-financial" website...
or that actual login links usually aren't linked to "directly" even via financial websites, the "home" is linked, the user clicks "log in" from there...
Mar. 23, 2009, 05:40 PM
Post: #18
RE: Problem with Half-SSL...
Yep! No more warnings now, I disabled access before and sent the quarantined file to Avira stating a FP, Avira just updated, and now, no more warnings!
Mar. 23, 2009, 06:04 PM
Post: #19
RE: Problem with Half-SSL...
does Avira have a forum explaining "why" it might have been flagged in the first place?

the no-more-now could actually be because we've rolled over to page two for this thread and the false positive is on page one...
Mar. 23, 2009, 06:50 PM (This post was last modified: Mar. 23, 2009 06:51 PM by Toppy.)
Post: #20
RE: Problem with Half-SSL...
ProxRocks,

No, I was smart enough to force-reload the first page of this thread

Avira has a forum but there's no info to my knowledge to gather about the what's and why's, and also F/P reporting is a terrible pain in the (0), they're still near the top of the list regarding FP's, but this problem they've taken quite seriously.
Mar. 23, 2009, 09:06 PM
Post: #21
RE: Problem with Half-SSL...
(Mar. 22, 2009 11:12 PM)lnminente Wrote:  Hi Sidki, analyzing your code i saw a ";" before the secure, i didn't test it but if i'm not wrong when secure is in first place it wouldn't match. Just to let you know, in other filters you used (\#(; )\0|)

edit 090323: or maybe secure will be never at first place?

If you place a supplemental field first, you'll break the cookie. I've just re-checked, the user-agent is naming the cookie after the first field.
Apr. 02, 2009, 08:32 PM
Post: #22
RE: Problem with Half-SSL...
Removing "TEST" flag from discussed filter...
Apr. 07, 2009, 02:27 AM
Post: #23
RE: Problem with Half-SSL...
i've stumbled upon another Half-SSL glitch...

the Message Log window has this line at where the login process seems to fail via Half-SSL but logs in successfully without Half-SSL...

Code:
Location: https://mfasa.chase.com/auth/auth-stoken-osl.html?auth_redirecturl= https%3A%2F%2Fchaseonline.chase.com%2FSecure%2FOSL.aspx %3Fnewstoken%3Dfalse%26LOB%3DCOLLogon%26 Referer%3Dhttps%253A%252F%252Fchaseonline.chase.com%252FLogon.aspx %26resId%3Dsuccess%26&
(the spaces were added just for line-break effect for forum posting...)
Apr. 07, 2009, 03:00 AM
Post: #24
RE: Problem with Half-SSL...
There's nothing i could tell from this header, except that its value - when pasted into the test window - is matched by "Location: 5 Half-SSL".
Apr. 07, 2009, 10:00 AM
Post: #25
RE: Problem with Half-SSL...
two questions -

1) is the "Location: 5 Half-SSL" filter supposed to be doing anything with the Secure wording contained within the "redirecturl=" ?

2) is there supposed to be a trailing & at the very end of the posted line ?
Apr. 07, 2009, 10:32 AM
Post: #26
RE: Problem with Half-SSL...
1) No. Here "Secure" is part of a path name, not a cookie token, as with the previous problem.

2) No. However, server side scripts usually ignore it.
Apr. 07, 2009, 05:11 PM
Post: #27
RE: Problem with Half-SSL...
how 'bout this, is this the culprit?

should the https:// URL in this screen-cap be "prefixed" with http://https-px-. when Half-SSL is enabled?


Attached File(s)
.gif  screen-cap.gif (Size: 11.77 KB / Downloads: 235)
Apr. 07, 2009, 05:28 PM
Post: #28
RE: Problem with Half-SSL...
That can't be the problem either. Proxomitron is passing the real URL to the script here, to keep it in sync with the filters.
(Compare source with e.g. half-ssl'ed https://bugzilla.mozilla.org/ .)
Apr. 07, 2009, 05:40 PM
Post: #29
RE: Problem with Half-SSL...
hmmm... i'll keep digging...

ps - it's not an IE8 thing, Opera and 'fox are also both "backing out" of half-ssl...


shovel, shovel... dig, dig...
Apr. 10, 2009, 01:36 PM
Post: #30
RE: Problem with Half-SSL...
eureka! found it... (i think...)

in regards to this filter, Set-Cookie: 7 Strip "Secure" if Half-SSL 9.03.14 (cch!) [sd] (d.1) (In), does it have, or any header filter, for that matter, does it have a "character limit" ?

i have a "; secure" that is NOT being stripped...
here's the set-cookie log-line:
Code:
set-cookie: SMSESSION=+qNnFhO437GNgIAbdCaXT8X8V0hIFQ1KTrAlUuDVgChhN4ePA
GfAiKaAsE8WDQ5rRQ2oLmz0CN7kxSg4mWFzmM83zyAP//1ut2tOMFc3h5wH[...]; path=/; domain=.chase.com; secure
(with spaces added to prevent horizontal scroll...)


the question is this - is it that HUGE smsession string that's preventing the tail-end secure from being stripped ?
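The questions raised in posts #21, #26 and #30 all come down to how a Set-Cookie value is split into fields. The following is an added Python example, not part of the thread and not the Proxomitron filter itself; the function names are hypothetical and the sample values are constructed. It treats the first field as the cookie's name=value pair and matches "secure" only as a whole attribute, so the result does not depend on the length of the value or on "Secure" appearing in a path.

```python
# Added example (not from the thread): handle a Set-Cookie value field by field.
# Function names are hypothetical; all sample values are constructed.

def split_set_cookie(value):
    """Split one Set-Cookie value into (name=value pair, attribute list).

    The first ';'-separated field is always the cookie's name=value pair;
    everything after it is an attribute such as path, domain or secure.
    """
    fields = [f.strip() for f in value.split(";")]
    return fields[0], [f for f in fields[1:] if f]


def has_secure_flag(value):
    """True only if 'secure' appears as a whole attribute, in any letter case."""
    _, attrs = split_set_cookie(value)
    return any(a.lower() == "secure" for a in attrs)


def strip_secure(value):
    """Rebuild the header value without the Secure attribute."""
    pair, attrs = split_set_cookie(value)
    kept = [a for a in attrs if a.lower() != "secure"]
    return "; ".join([pair] + kept)


# Constructed samples: a very long session value, "Secure" inside a path,
# and a cookie that is itself named "secure".
LONG_SESSION = "SMSESSION=" + "A" * 4000 + "; path=/; domain=.example.test; secure"
PATH_ONLY = "id=abc; path=/Secure/OSL.aspx"
NAMED_SECURE = "secure=1; Path=/; SECURE"

if __name__ == "__main__":
    for sample in (LONG_SESSION, PATH_ONLY, NAMED_SECURE):
        print(has_secure_flag(sample), strip_secure(sample)[-40:])
```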