While shopping at Amazon when I clicked the Place Order button I got the following alert (in FireFox):
"Website certified by unknown authority ... Unable to verify the identity of view.atdmt.com as a trusted site ..."
Should I be worried?
This is a discussion on Cert warning at Amazon?!? in the Open Discussion & Chit-chat forum
Amazon uses atdmt.com to serve ads. So their server has probably gone a bit do-lally and is trying to serve off-domain content (ie. ad-tracking) over an SSL connection. You can check this by looking at the HTML for that page. Is there a request for a js file or similar from atdmt.com?
You would think Amazon would know better than to make this very amateur mistake.
But loading content from another domain generates a different message, doesn't it?
I saw this message (Website certified by unknown authority) a few weeks ago when my own cert wasn't properly installed, so I did a little checking while waiting for that to get sorted ... By viewing the details pane I could kind of get a sense of what was going on with my cert, but the effect of receiving that message during a credit card transaction online - different matter entirely!
Although I did report the problem to Amazon support I figured I'd just close the browser real quick and let one of the other thousands or so customers who might have experienced the problem report the details.
What I mean is that the adserver is trying to track you over a transaction it normally doesn't. Because it normally doesn't track such transactions, no one bothered to set up a valid cert. Hence the invalid cert message.
Of course I am assuming that Amazon don't normally allow atdmt.com to add javascript to SSL pages ...
A quick scan with Google seemed to indicate that spyware involving atdmt.com blocks traffic to that domain rather than data mining for it, but that was a quick scan, so don't set your lawyers on me.
Thanks for the info, homoludens. Sometimes I feel so clueless on a subject I don't know where to start even formulating a search query.
Hey, no worries. Although note my disclaimer.
A better search would have been secunia. I like the Secunia site, as it's easy to navigate and gather statistics on how badly coded and maintained software you may be considering is. They seem to be a favourite amongst the web app security peeps and often get disclosures earlier than other sites.
Disclaimers duly noted. Even if something sinister happened, wouldn't be my MO.
So far no problems revealed other than tracking cookie. Using the occasion to firm up and fill in some gaps in my security though.
Have you thought about using your hosts file as part of your arsenal? That would prevent people like atdmt from ever getting near your computer.
That is on my list of things to consider. I'm looking into adware/spyware detection/removal software first. So far, just using Ad-Aware. Any suggestions? Spybot, Spyware Doctor, ... ? So many to choose from, with so many differing opinions on them.
I've never had any sign of a problem (cautious browsing and download habits) and have wanted to avoid the bloated packages.
ad-aware
zonealarm
rootkit revealer
hijackthis
hosts file
firefox / opera
sensible browsing
That's what I use on windows. People recommend doubling up on stuff like antispyware and antivirus, but I don't bother as I don't use windows (to surf) that much these days. Too many zero day exploits in IE, Office, Everything.
Go here: http://av1611.us/spyware.html step two works!
Another place I found for good info: http://www.malwarehelp.org/know-about-malware.html
Thanks for the help guys!
Good old Steve Gibson. I kinda liked him and his site and his campaigns. He's clearly a bit mad, but I've found quite a few of his bits and bobs useful over the years. I don't get why so many people seem to hate him.
Here's something they don't mention in the web beacons section. An html email containing something like

HTML Code:
<img src="example.com/klart.jpg?123456" />

can be used to confirm whether a randomly mailed email address is valid or not (using a database of IDs and a log parser).
So NEVER view emails as html from unknown senders as you WILL get spam as a result (and a virus or two as well if you're vulnerable). Gmail seem to prefetch images in emails. If they have an image cache then this would prevent the above trick.
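
Added example, not part of the original thread: a defender-side check for the web-beacon trick described in the last post. It parses an HTML email and lists remote images that could report back to the sender when rendered; the sample message, its addresses and the 1x1 size heuristic are constructed assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; sender, recipient and URLs are placeholders.
SAMPLE = b"""\
From: sender@example.com
To: you@example.org
Subject: hello
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<img src="http://example.com/klart.jpg?123456" />
<img src="cid:logo123" alt="logo">
<img src="https://example.net/banner.png" width="1" height="1">
<img src="https://example.net/photo.png" width="600" height="200">
</body></html>
"""

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def find_beacons(raw_message):
    """Return (url, reason) for each remote image that could identify the reader."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        for img in collector.images:
            url = urlsplit(img.get("src") or "")
            if url.scheme not in ("http", "https"):
                continue  # cid: and data: images travel inside the message
            if url.query:
                findings.append((url.geturl(), "query string may carry a recipient ID"))
            elif img.get("width") in ("0", "1") and img.get("height") in ("0", "1"):
                findings.append((url.geturl(), "invisible 1x1 image"))
    return findings
```

Any remote image fetch reveals that the message was opened, so a mail client that blocks remote content by default covers the cases this heuristic misses.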