
Listed below are links to weblogs that reference Blockbuster Online Security Problem?:

Comments

Eli

Yes and no. The certificate system is meant to give YOU the peace of mind that you are talking to the server you THINK you are talking to. When this error comes up, the certificate authority (a company like Verisign) is saying, "Look, we can't guarantee this server belongs to Blockbuster - you're on your own." There are innocent reasons for this warning to pop up - like maybe Blockbuster is having an internal problem and having to bounce servers around. There's a small chance that some hacker has gotten between you and Blockbuster and is stealing your data, but it would only be the data you are trying to input in your current session.

I would continue to alert Blockbuster to the problem. They may confirm that they are having internal problems, which should ease your nerves. If not, they need to know this is going on so that they can get to the bottom of it.
This type of error would NOT, IMHO, expose all of Blockbuster's customer info to a hacker all at once, but it could allow said hacker to steal the info of one customer at a time, as they click past the warning. Hope this helps.

manuel

I'm a frequent user of Blockbuster Online. I have yet to receive an alert as such logging on. Certainly, receiving such an alert would be cause for concern. Could it be the browsers you were using at the time? I notice that neither of the screen captures shows an Internet Explorer browser. I've logged onto Blockbuster using IE 6.0 and NS 8.0 without any difficulty. As a matter of fact, NS displayed the following message when I logged on:

"You have requested an encrypted page. The web site has identified itself correctly, and information you see or enter on this page can't easily be read by a third party."

I would agree with the previous poster who cited technical faults as the cause. Visit:

http://www.littlewhitedog.com/content-71.html

for "What can go wrong with certificates."

Mike K

I was able to duplicate the security notice on Tuesday with IE 6 on Windows XP (but I didn't take a screen capture).

I tested it a short while ago on IE 6 and it seems to be working now.

I think it was just a server configuration problem, but it gives a pretty scary warning message.

- Mike

the tester

The Verisign certificate says origin.www.blockbuster.com. I wouldn't worry about it - unless the DNS records were hacked too.

I will query the DNS server for the domain blockbuster.com first and see where it points to:

BBMKSDZNS02.BLOCKBUSTER.COM 66.170.241.19
BBMKSDZNS01.BLOCKBUSTER.COM 66.170.241.18

As you can tell, Blockbuster themselves are handling the DNS requests. I think it was someone on their end being careless.

Furthermore, I went ahead and did an nslookup and here is the data:

H:\>nslookup blockbuster.com
Server: nohackmepease.com
Address:

Non-authoritative answer:
Name: blockbuster.com
Address: 129.33.92.70


H:\>nslookup origin.www.blockbuster.com
Server: nohackmepease.com
Address:

Non-authoritative answer:
Name: origin.www.blockbuster.com
Address: 129.33.92.70

Ouch! I'm not an expert on SSL, but I know enough to know that some of the posts above are pretty inaccurate. The dialogs clearly show you're getting a self-signed certificate. Any mention of Verisign is a sure sign that the poster doesn't fully understand digital certificates.

The server owner created the certificate and signed it themselves; that's what a self-signed certificate is. No certificate authority, Verisign or otherwise, has vouched for the identity of the server owner. The certificate is effectively worthless. It's like a stranger greeting you on the street, asking for your wallet and saying "you can trust me". Would you take them at their word?

Expired certificates are nothing to be too concerned about, but certificates from unrecognized authorities (especially self-signed certificates) should raise a red flag. Proceed with caution - real considered caution. I wouldn't enter any passwords if I could help it, and I would never ever enter credit card information. Simple web browsing (clicking links) is probably okay.

And if the server name in the certificate doesn't match the server you're visiting, proceed with extreme caution. It's very suspicious, and it's not the kind of mistake a good server admin would make. It's either a rookie error, or a sign of genuinely compromised security.

jsp

As noted by a poster above, blockbuster.com and origin.www.blockbuster.com resolve to the same IP (129.33.92.70). The 129.33.xx.xx block of IP addresses is assigned to IBM.

However, www.blockbuster.com is different:
> www.blockbuster.com
Server: ns2.attbi.com
Address: 216.148.227.68

Non-authoritative answer:
Name: e173.g.akamaiedge.net
Address: 65.171.126.199
Aliases: www.blockbuster.com, www.blockbuster.com.edgekey.net

This tells us that www.blockbuster.com is being served by Akamai, the load-balancing provider used by many large sites.

I wouldn't be surprised if origin was IBM's development service, which is then pushed out to Akamai, and this error is happening because some page is using a specific link to origin and not a relative path.

Ed

origin.servername is the hostname akamai mirrors for their services. That is, all of the akamai cache servers check the origin for updated content. Obviously this needs to be a hostname other than www.blockbuster.com, since that hostname is akamaized.

So jsp was closest.

Ed

Here's a really good description of how Akamai works:

(bah, strips html, click on my name)

Ed

Last comment: My guess is that they misconfigured their load balancers to point www.blockbuster.com traffic to origin.www.blockbuster.com's servers, rather than to the servers for www.blockbuster.com itself. If that makes sense. They probably have a layer-7-aware load balancer checking the Host header and sending to the appropriate web pool based on that, based on whether SSL is desired, etc.

sd12013

Ah crap! Now it says:
Secure Connection Failed
www.blockbuster.com uses an invalid security certificate.
The certificate will not be valid until 11/15/2007 1:47 PM.
(Error code: sec_error_expired_certificate)

Does that mean I can't add Ironman to my queue until November 15?!?
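The certificate warnings argued over in this thread come down to three checks a browser makes before it shows a dialog: is the certificate self-signed (nobody vouched for it, as the "Ouch!" poster explains), does the name in it match the host typed in the address bar (origin.www.blockbuster.com versus www.blockbuster.com), and is the current time inside its validity window (sd12013's "will not be valid until 11/15/2007 1:47 PM"). As an added example, not code from the original post or from any commenter, here is a Python classifier that runs those checks on certificates in the dict layout Python's ssl.SSLSocket.getpeercert() returns. The two sample certificates, the "Example Root CA" issuer and the observation time are constructed to mirror the cases in the comments; they are not the real Blockbuster certificates.

```python
"""Classify TLS certificate warnings the way a browser does.

Added example, not code from the original post or any commenter. Certificates
are given in the dict layout Python's ssl.SSLSocket.getpeercert() returns.
The sample certificates, the CA name and the observation time below are
constructed for illustration; they are not the real Blockbuster certificates.
"""
import ssl
import time


def _rdn_to_dict(name):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) into {attr: value}."""
    return {attr: value for rdn in name for attr, value in rdn}


def cert_names(cert):
    """Every DNS name the certificate claims: SAN entries, then the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = _rdn_to_dict(cert["subject"]).get("commonName")
    if cn and cn not in names:
        names.append(cn)
    return names


def hostname_matches(pattern, host):
    """Exact match, or a wildcard that replaces only the leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split("."), host.split(".")
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return False


def classify(cert, host, now=None):
    """Return the warning reasons a browser would raise for `cert` on `host`.

    An empty list means no dialog (trust in the issuing CA is assumed here;
    only the certificate's own fields are inspected, not its signature).
    """
    now = time.time() if now is None else now
    reasons = []
    # A self-signed certificate names itself as issuer: nobody vouched for it.
    if cert["subject"] == cert["issuer"]:
        reasons.append("self_signed")
    # The name the user typed must be one the certificate was issued for.
    if not any(hostname_matches(name, host) for name in cert_names(cert)):
        reasons.append("hostname_mismatch")
    # Validity window; cert_time_to_seconds parses OpenSSL's "Nov 15 13:47:00 2007 GMT".
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        reasons.append("not_yet_valid")
    elif now > not_after:
        reasons.append("expired")
    return reasons


# Constructed sample: a self-signed certificate for the Akamai origin host.
# Served on www.blockbuster.com it trips two checks; on the origin name, one.
ORIGIN_SELF_SIGNED = {
    "subject": ((("commonName", "origin.www.blockbuster.com"),),),
    "issuer": ((("commonName", "origin.www.blockbuster.com"),),),
    "notBefore": "Jan 10 00:00:00 2007 GMT",
    "notAfter": "Jan 10 00:00:00 2008 GMT",
}

# Constructed sample modelled on sd12013's dialog: CA-issued ("Example Root CA"
# is a placeholder issuer), but its validity only starts on 11/15/2007 1:47 PM.
NOT_YET_VALID = {
    "subject": ((("commonName", "www.blockbuster.com"),),),
    "issuer": ((("organizationName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "www.blockbuster.com"), ("DNS", "*.blockbuster.com")),
    "notBefore": "Nov 15 13:47:00 2007 GMT",
    "notAfter": "Nov 15 13:47:00 2008 GMT",
}

# Constructed observation time: 1 November 2007, before the second cert is valid.
OBSERVED_AT = ssl.cert_time_to_seconds("Nov 1 00:00:00 2007 GMT")

if __name__ == "__main__":
    for label, cert in (("origin cert on www", ORIGIN_SELF_SIGNED),
                        ("not-yet-valid cert on www", NOT_YET_VALID)):
        print(label, "->", classify(cert, "www.blockbuster.com", now=OBSERVED_AT) or "ok")
```

Running it reports ["self_signed", "hostname_mismatch"] for the origin certificate presented on www.blockbuster.com, which is the combination that produces the scary dialogs in the screenshots, and ["not_yet_valid"] for the certificate from sd12013's later comment. One caveat for live use: getpeercert() only returns this dict after the ssl module has verified the chain, so to inspect a certificate the library already rejected you have to fetch it with getpeercert(binary_form=True) and parse the DER yourself.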

HelenaWalker32

Everybody knows that life seems to be not cheap, however we require money for different issues and not every man earns enough cash. Therefore to receive some business loans or just college loan will be a proper solution.


    The contents of this Web site are (c) 2003 - 2010 Briki Media, LLC. All rights reserved.