• foggy@lemmy.world
    link
    fedilink
    arrow-up
    17
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Where my infosec homies at??

    They were issuing a single SSL cert to all of their clients. This cert was encrypting CC data.

    That SSL cert lived on an FTP server.

    The password was something like Spring2019!

    We stored clients images on an SFTP server. I was a web dev. I didn’t have access to the SFTP server. I had to tell a team what dirs to put assets in so my clients websites could display images.

    … Tell me youve seen worse, and I’ll continue to up the ante.

    • attckdog@lemmy.ml
      link
      fedilink
      arrow-up
      4
      ·
      1 year ago

      Current company I’m at I was reporting a slow Virtual server. It looked like one of the monitoring scripts was stuck in the loop and slowing the machine to a crawl.

      Call up cyber, they proceed to tell me it’s drive issue. The google DRIVERS Download the first thing they see an ad for some virus. The machine ended up needing to be completely reimaged.
      Some days mann

    • MooseBoys@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      They were issuing a single SSL cert to all of their clients.

      How does this even work? Doesn’t the domain admin send their own CSR? Even if your company was serving as that admin, a single cert only works for the domain to which it’s assigned, so how could it be reused for multiple clients?

      • foggy@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        I think it was a self signed SSL.

        Not all SSLs are domain specific. There’s wildcard domains (used for subdomains or related domains), and self signed domains, and probably more.

        Think like… A liquor store in the middle of nowhere that transmits CC data via internet. They have a SSL. They don’t necessarily even have a registered domain.

        • MooseBoys@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          1 year ago

          Self-signed certs are not viable for general use because they’ll generate a browser warning that “Joes Liquor Co is not a trusted Certificate Authority” that will scare off 99% of users. And wildcard certs still need at least one specific domain, e.g. *.joesliquor.com. The only way I can imagine this working is if the vendor was handing out separate servers on client.vendor.com and giving each of them the same SSL cert for *.vendor.com.

          • foggy@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            We would do the implementations. It would include Tomcat, IIS, and an out of date version of Internet Explorer. Beyond that, I’m not sure how they were getting by the warnings. All I can tell you is we were issuing one SSL certificate to multiple clients, and that SSL cert lived on our FTP server which had a very weak password.

    • CADmonkey@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      I’m not sure I’ve seen worse, but I still want to see what’s worse than what you’ve posted

      • foggy@lemmy.world
        link
        fedilink
        arrow-up
        4
        arrow-down
        3
        ·
        1 year ago

        Oh I can keep going, baby. We just scratched the surface.

        Ever heard of ProgressABL?