Untrusted connection when accessing webmail...

[PCquestions]

Hi everyone,

I'm hoping this is a simple question!

When I use my work email, (a webmail, using an address ending owa), I get the error below and have to click proceed anyway, no matter which browser I am using. When I then access email, the 's' is crossed off from the https in the web address.

Can you tell me if this is secure? I'm concerned that it's not as the system is used for sensitive and confidential client information.

Also, can an unsecure site put our computers at risk from viruses etc as employees accessing webmail from home? Our employers have told us it's fine and to click 'proceed anyway', and some of us have concerns accessing this on our personal computers but others don't, so I'd love to know more.

Any advice welcome, thank you.

The error message:

This Connection is Untrusted

You have asked Firefox to connect securely to ***** but we can't confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are
going to the right place. However, this site's identity can't be verified.

Don't add an exception unless you know there's a good reason why this site doesn't use trusted identification.

 

[seepy83]

The most likely case is that they just didn't spend the money on a TLS/SSL certificate from a public, trusted, Certificate Authority (like Verisign, Comodo, etc.). The data being passed between your browser and the Outlook Web Access server are still encrypted while in transit over the network/internet.

With regards to your second question - there is nothing inherent about using HTTPS that provides you any protection against viruses or other malware. The goal of HTTPs is to keep data confidential by using encryption. A malicious web server could be set up using HTTPS, and they could even be using a Trusted certificate from someone like Verisign, and it can just as easily be used to serve up malware as one only using HTTP.

 

[Harvey]

If you didn't use the asterisks ***** to hide the domain name of the link, it means we have censored the domain name because it was a source of spam, has a history of malicious links or is a url shortener, which are not allowed on our forums.

To find more about the safety of a given domain name, search Google for the name "in quotes", both with and without an extension like ".com" for info. You can search further by adding words like malware, virus, spam, etc. to your search. Searching for the name in quotes prioritizes the entire name ahead of any logical partial names.

 

[PCquestions]

Hi guys,

Thanks for your responses. I typed the asterisks in as I didn't want to publicize the exact address I'm calling into question!

So are you saying for definite that the data is secure/encrypted or is there a risk that it couldn't be?

Thanks folks

 

[Savatar]

Hi guys,

Thanks for your responses. I typed the asterisks in as I didn't want to publicize the exact address I'm calling into question!

So are you saying for definite that the data is secure/encrypted or is there a risk that it couldn't be?

Thanks folks

All HTTPS conections use SSL, so yes - but that can be implemented with different key exchange mechanisms/algorithms with varying key sizes... some of which are not secure and attackers have figured out how to break. If you click the little security icon (usually a lock kind of thing) on the webpage, then go to more information / view certificate details (this varies based on browser), it will eventually list the mechanism that it is being encrypted with (for example, 128-bit RC4, which is what Google uses). I would suggest that [usually] anything 128-bit and over is considered normal nowadays (hey, if Google does it anyway...).

Of course there is _always_ a risk that it is not completely private, though... as the traffic could be intercepted, more and more vulnerabilities are in the wild, and systems become more capable at attacking those mechanisms. Sometimes even the URL requests themselves over HTTPS can cause information leakage and give away some information.

If you wanted to add more security, you can use something to encrypt the message itself before sending it, but that would require the remote user to have your public key and the technical know-how to decrypt it as well... so not many people do that.

 

[PCquestions]

Thanks, I had a look at the more info button and it says it's:

encrypted with 128-bit encryption; uses TLS 1.0. AES_128_CBC with SHA1 for message authentication and RSA as the key exchange mechanism.

So does that mean it's alright?! Thanks for pointing me to that

 

[Harvey]

So are you saying for definite that the data is secure/encrypted or is there a risk that it couldn't be?

By definition, the word, "untrusted" is indefinite. It is not an outright condemnation, but it suggests that whoever posted the message does not have enough information determine whether the the site is secure.

Per my previous post, do your homework by searching the web for the domain name + various key words like virus, malware, malicious, secure, etc., make sure your anti-virus, anti-spyware and firewall on your own machine are up to date, and run scans often, especially after receiving such caution notices.

Also, back up your machine often. For a personal machine, after a complete scan, I recommend cloning your hard drive to another drive that can be disconnected from your machine. There is no virus or other malware that can jump the air gap to an unpowered drive that is not plugged into your computer.

Use an internal drive that fits in your machine, either with a mobile rack or installed in a separate case, instead of a ready built external drive. If your main drive becomes infected or corrupted, you can just clone back from the backup drive to the main drive. If your main drive fails, the other drive plugs in and works with no re-installation required.

If you're lucky, you may still be able to read your files on the corrupted, and nothing will be lost, and you're always as good as your last backup.

 

[Savatar]

Thanks, I had a look at the more info button and it says it's:

encrypted with 128-bit encryption; uses TLS 1.0. AES_128_CBC with SHA1 for message authentication and RSA as the key exchange mechanism.

So does that mean it's alright?! Thanks for pointing me to that

As long as you're using an updated browser, you should be [generally speaking] as OK as OK gets when using SSL. Sites should really start moving to TLS 1.1 or 1.2, though... as TLS 1.0 is vulnerable to BEAST.

The warning you saw has more to do [probably] with the server name not matching the name on the certificate. This happens a lot in business environments. If you check the certificate information, it should list a 'website identity' value, which is supposed to match the site you are using. Many times you'll see people use wildcards here, or as someone mentioned earlier they're using a self-signed certificate (not issued from a trusted third-party provider) which can make browsers warn you... but the encryption still happens even in those cases.

 

[Lifted]

Can you tell me if this is secure? I'm concerned that it's not as the system is used for sensitive and confidential client information.

SSL certificates serve 2 purposes, encryption and authentication. Any self-signed certificate can provide encryption, but only a certificate issued by a trusted 3rd party can be used for authentication.

In this instance, the session to your owa site is encrypted BUT your browser cannot verify the server you are connecting to is the server you intended to connect to. This leaves you open to man-in-the-middle and similar attacks that would be used to read the session or steal your username and password. I'd say the odds of this happening are quite low, but your talking about a ~$50/year certificate from a trusted cert authority to remedy this.

 

[SecurityTheatre]

Talk to your IT department, tell them to get a REAL SSL certificate (rather than cheaping out on a self-signed one). The cost is less than $50.

 

[Gunbuster]

Sort of necroing the thread but has anyone used a cheapie CA like www.cheapssls.com?

I'm looking to buy a cert for my VPN firewall.