chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0

Browsing badssl.com triggered a threat alert in an automated security system in my company's network #496

Closed golimarrrr closed 2 years ago

golimarrrr commented 2 years ago

I was reading information online about SSL/TLS for a development project I'm working on and I stumbled upon badssl.com, which seemed to me one of those websites that check the web browser at the opposite side (the HTTP headers it sends, I guess) and tell you about old browser versions or old SSL versions, like https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html or others.

One of the links I clicked was the Superfish one, and also the Dashboard, which includes some information about Superfish too.

A few minutes later I received an email from the IT department saying they need to perform a full check of the PC after an automated system detected this: "THREAT - spyware - Superfish Signed Certificate Detection"

After reading about Superfish, I did some checks and: my browser and O.S. were already updated to the latest version, the local AV software has not detected anything, and there is nothing called Superfish in Windows' installed certificates or installed programs. Also there are no files containing that in their filenames.

Is it safe to browse the site's main page and also clicking on any of its links?

christhompson commented 2 years ago

Yes, the site should be entirely safe. We have a set of "Known Bad" test cases which use certs/keys that were from bad software or otherwise publicly leaked in interesting ways, which includes the Superfish case (https://superfish.badssl.com/), but the actual pages served are entirely benign. In practice, these certs have all expired and shouldn't be trusted by any clients at this point. Their usage for this test case does not indicate that you have the actual Superfish spyware on your machine -- they were added to make sure that clients properly rejected them (e.g., Chrome had some special handling for these certs at the time).

It sounds like your IT department has some off-the-shelf detection rules that fire whenever a connection is made that involves these known-bad certificates. I can't say this is entirely wrong of them, although they are all a bit outdated at this point and not generally considered active threats anymore as, if I recall correctly, they have all expired.
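The distinction in the reply above, between a certificate a network sensor merely observes on the wire and one a verifying client actually trusts, can be checked directly. The script below is an added example, not part of badssl.com or this thread: it records the SHA-256 fingerprint of whatever leaf certificate each host serves (what an alert like the one above keys on) and, separately, whether a default-verifying client accepts or rejects the handshake. The host list and the expected outcomes (main page accepted, Superfish test case rejected) are this example's assumptions.

```python
"""Compare what a badssl.com host serves with what a verifying client does."""
import hashlib
import socket
import ssl

# Hosts taken from the thread; expected outcomes are this example's assumption.
EXPECTED = {"badssl.com": "accepted", "superfish.badssl.com": "rejected"}


def served_fingerprint(host, port=443, timeout=5.0):
    """SHA-256 of the leaf cert as served, with verification disabled.

    This is the sensor's view: the cert is observed whether or not anyone trusts it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def verified_handshake(host, port=443, timeout=5.0):
    """'accepted' or 'rejected: <reason>' for a client using the default trust store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
    except ssl.SSLCertVerificationError as e:
        return f"rejected: {e.verify_message}"
    except ssl.SSLError as e:
        return f"rejected: {e.reason or e}"


def outcome(result):
    """Collapse a verified_handshake() result to 'accepted' or 'rejected'."""
    return "rejected" if result.startswith("rejected") else "accepted"


def mismatches(results, expected=EXPECTED):
    """Hosts whose observed outcome differs from the expectation table."""
    return sorted(h for h, r in results.items()
                  if outcome(r) != expected.get(h, "accepted"))


if __name__ == "__main__":
    results = {h: verified_handshake(h) for h in EXPECTED}
    for h, r in results.items():
        print(f"{h:24} served sha256={served_fingerprint(h)[:16]}...  client: {r}")
    print("unexpected outcomes:", mismatches(results) or "none")
```

A non-empty mismatch list for a Known Bad host means the client under test trusted a certificate it should have rejected, which is the condition worth alerting on; merely having observed the cert is not.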