Disclaimer


  • This site is an independent Web site (I don't work for Netflix). Netflix is a registered trademark of Netflix, Inc. HackingNetflix will not teach you how to lie, cheat or steal from Netflix. Hacking is the desire to fully understand something, and we want to learn as much as we can about this company and share this information.


    Investors: Please do not use the information on this site to buy or sell stocks. I don't want to have to explain to your spouse how you lost a huge amount of money based on advice from a site called "Hacking Netflix."

    The contents of this Web site are (c) 2003 - 2007 Briki Media, LLC. All rights reserved.


Blockbuster Online Security Problem?

Tim sent me the following e-mail on Tuesday morning, and I was able to duplicate his experience:

FYI, this morning Blockbuster Online is serving untrusted SSL certificates at the sign-on prompt. Screenshots attached. No joke - this is a very dangerous situation. The cert does not match the server name, nor was it issued by a trusted root authority.

This behavior could mean that a hacker has hijacked the login page and is redirecting users to his server, where he is storing login information for future exploitation.

Or it could be that Blockbuster's web development team accidentally bound a private testing cert to the public site. But that's serious, also - such reckless carelessness numbs people to cert security warnings, and they may not pay close attention to "real" warnings down the road.

The problem went away after about an hour, and I figured it was an accident (like Tim's second scenario), so I decided not to run the story. Tim had contacted Blockbuster support and they responded, so I figured they were on top of the problem.

Here's the notice Tim saw in his Web browser:

[Screenshot: Bbonline1 (browser certificate warning)]

And here's the detail on the problem:

[Screenshot: Bbonline2 (certificate warning detail)]

I'm running the story because I got the same warning again, 2 days later:

[Screenshot: Bbsecurity (certificate warning, 2 days later)]

Do we have any security experts that could explain if this is a serious problem? It looks like "origin" is a staging or testing server, but I'm hardly an expert on server security.

My guess is that it's a Web server configuration problem and no user data is at risk, but I could be wrong. Ideas?


Comments

Yes and no. The certificate system is meant to give YOU the peace of mind that you are talking to the server you THINK you are talking to. When this error comes up, the certificate authority (a company like Verisign) is saying, "Look, we can't guarantee this server belongs to Blockbuster - you're on your own." There are innocent reasons for this warning to pop up - like maybe Blockbuster is having an internal problem and having to bounce servers around. There's a small chance that some hacker has gotten between you and Blockbuster and is stealing your data, but it would only be the data you are trying to input in your current session.

I would continue to alert Blockbuster to the problem. They may confirm that they are having internal problems, which should ease your nerves. If not, they need to know this is going on so that they can get to the bottom of it.
This type of error would NOT, IMHO, expose all of Blockbuster's customer info to a hacker all at once, but it could allow said hacker to steal the info of one customer at a time, as they click past the warning. Hope this helps.

I'm a frequent user of Blockbuster Online. I have yet to receive such an alert when logging on. Certainly, receiving such an alert would be cause for concern. Could it be the browsers you were using at the time? I notice that neither of the screen captures shows an Internet Explorer browser. I've logged onto Blockbuster using IE 6.0 and NS 8.0 without any difficulty. As a matter of fact, NS displayed the following message when I logged on:

"You have requested an encrypted page. The web site has identified itself correctly, and information you see or enter on this page can't easily be read by a third party."

I would agree with the previous poster who cited technical faults as the cause. Visit:

http://www.littlewhitedog.com/content-71.html

for "What can go wrong with certificates."

I was able to duplicate the security notice on Tuesday with IE 6 on Windows XP (but I didn't take a screen capture).

I tested it a short while ago on IE 6 and it seems to be working now.

I think it was just a server configuration problem, but it gives a pretty scary warning message.

- Mike

The Verisign certificate says origin.www.blockbuster.com. I wouldn't worry about it - unless the DNS records were hacked too.

I will query the DNS server for the domain blockbuster.com first and see where it points to:

BBMKSDZNS02.BLOCKBUSTER.COM 66.170.241.19
BBMKSDZNS01.BLOCKBUSTER.COM 66.170.241.18

As you can tell, Blockbuster themselves are handling the DNS requests. I think it was someone on their end being careless.

Furthermore, I went ahead and did an nslookup and here is the data:

H:\>nslookup blockbuster.com
Server: nohackmepease.com
Address:

Non-authoritative answer:
Name: blockbuster.com
Address: 129.33.92.70


H:\>nslookup origin.www.blockbuster.com
Server: nohackmepease.com
Address:

Non-authoritative answer:
Name: origin.www.blockbuster.com
Address: 129.33.92.70

Ouch! I'm not an expert on SSL, but I know enough to know that some of the posts above are pretty inaccurate. The dialogs clearly show you're getting a self-signed certificate. Any mention of Verisign is a sure sign that the poster doesn't fully understand digital certificates.

The server owner created the certificate and signed it themselves; that's what a self-signed certificate is. No certificate authority, Verisign or otherwise, has vouched for the identity of the server owner. The certificate is effectively worthless. It's like a stranger greeting you on the street, asking for your wallet and saying "you can trust me". Would you take them at their word?

Expired certificates are nothing to be too concerned about, but certificates from unrecognized authorities (especially self-signed certificates) should raise a red flag. Proceed with caution - real considered caution. I wouldn't enter any passwords if I could help it, and I would never ever enter credit card information. Simple web browsing (clicking links) is probably okay.

And if the server name in the certificate doesn't match the server you're visiting, proceed with extreme caution. It's very suspicious, and it's not the kind of mistake a good server admin would make. It's either a rookie error, or a sign of genuinely compromised security.

As noted by a poster above, blockbuster.com and origin.www.blockbuster.com resolve to the same IP (129.33.92.70). The 129.33.xx.xx block of IP addresses is assigned to IBM.

However, www.blockbuster.com is different:
> www.blockbuster.com
Server: ns2.attbi.com
Address: 216.148.227.68

Non-authoritative answer:
Name: e173.g.akamaiedge.net
Address: 65.171.126.199
Aliases: www.blockbuster.com, www.blockbuster.com.edgekey.net

This tells us that www.blockbuster.com is being served by Akamai, the load-balancing provider used by many large sites.

I wouldn't be surprised if origin was IBM's development service, which is then pushed out to Akamai, and this error is happening because some page is using a specific link to origin and not a relative path.

origin.servername is the hostname akamai mirrors for their services. That is, all of the akamai cache servers check the origin for updated content. Obviously this needs to be a hostname other than www.blockbuster.com, since that hostname is akamaized.

So jsp was closest...

Here's a really good description of how Akamai works:

(bah, strips html, click on my name)

Last comment: My guess is that they misconfigured their load balancers to point www.blockbuster.com traffic to origin.www.blockbuster.com's servers, rather than to the servers for www.blockbuster.com itself. If that makes sense. They probably have a layer-7-aware load balancer checking the Host header and sending to the appropriate web pool based on that, based on whether SSL is desired, etc.

Ah crap! Now it says:
Secure Connection Failed
www.blockbuster.com uses an invalid security certificate.
The certificate will not be valid until 11/15/2007 1:47 PM.
(Error code: sec_error_expired_certificate)

Does that mean I can't add Ironman to my queue until November 15?!?
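The three warnings discussed in the comments above (a certificate issued to a different host name, a self-signed or unrecognized issuer, and a certificate whose validity period has not started) are exactly the checks a browser runs before it trusts a connection. The following is an added example, not code from the original post, from Blockbuster, or from any commenter: it runs the same checks in Python over certificate data in the shape returned by `ssl.SSLSocket.getpeercert()`. The sample certificates, the trusted-issuer list and the fixed clock time are constructed for the illustration (the "not valid until" date mirrors the one quoted in the last comment, with an assumed GMT time zone).

```python
"""Check a TLS certificate the way a browser does and report every reason
a warning would appear. Added example; cert data, trust list and clock are
constructed stand-ins, not values captured from any real server."""
import ssl
import time

# Constructed stand-in for the browser's root store. A real store matches on
# the issuer's full distinguished name and public key, not just the org name.
TRUSTED_ISSUER_ORGS = {"VeriSign, Inc."}


def _dn_to_dict(dn):
    """Flatten getpeercert()'s nested subject/issuer tuples into a dict."""
    out = {}
    for rdn in dn:
        for key, value in rdn:
            out[key] = value
    return out


def hostname_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single wildcard in the left-most label.
    '*.example.com' matches 'a.example.com' but not 'a.b.example.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])


def check_cert(cert, expected_host, now=None):
    """Return the list of problems a browser would warn about (empty = trusted)."""
    now = time.time() if now is None else now
    problems = []
    subject = _dn_to_dict(cert.get("subject", ()))
    issuer = _dn_to_dict(cert.get("issuer", ()))

    # 1. Name check: subjectAltName dNSName entries first, commonName as fallback.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names and "commonName" in subject:
        names = [subject["commonName"]]
    if not any(hostname_matches(n, expected_host) for n in names):
        problems.append(f"name mismatch: cert is for {names}, visited {expected_host}")

    # 2. Trust check: self-signed (subject == issuer) or an issuer we do not know.
    if subject == issuer:
        problems.append("self-signed: subject and issuer are identical")
    elif issuer.get("organizationName") not in TRUSTED_ISSUER_ORGS:
        problems.append(f"untrusted issuer: {issuer.get('organizationName')}")

    # 3. Validity window, using the OpenSSL date format getpeercert() returns.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("not yet valid")
    elif now > not_after:
        problems.append("expired")
    return problems


# Fixed "current time" so the results are reproducible (constructed).
NOW = ssl.cert_time_to_seconds("Nov  1 12:00:00 2007 GMT")

# Constructed: a self-signed cert for the origin host, presented on www.
ORIGIN_SELF_SIGNED = {
    "subject": ((("commonName", "origin.www.blockbuster.com"),),),
    "issuer": ((("commonName", "origin.www.blockbuster.com"),),),
    "notBefore": "Oct  1 00:00:00 2007 GMT",
    "notAfter": "Oct  1 00:00:00 2008 GMT",
}

# Constructed: a CA-issued cert for www whose validity has not started yet.
NOT_YET_VALID = {
    "subject": ((("commonName", "www.blockbuster.com"),),),
    "issuer": ((("organizationName", "VeriSign, Inc."),), (("commonName", "example CA"),)),
    "subjectAltName": (("DNS", "www.blockbuster.com"),),
    "notBefore": "Nov 15 13:47:00 2007 GMT",
    "notAfter": "Nov 15 13:47:00 2008 GMT",
}

if __name__ == "__main__":
    for label, cert in (("origin cert on www", ORIGIN_SELF_SIGNED),
                        ("future cert on www", NOT_YET_VALID)):
        print(label, "->", check_cert(cert, "www.blockbuster.com", NOW) or "OK")
```

Two design points: the name check consults subjectAltName before falling back to the commonName, which is the order browsers use, and a name mismatch is reported independently of the trust check, because a validly signed certificate for the wrong host is still a failure (that is the difference between the commenters' "Verisign cert for origin" reading and the "self-signed" reading: either way the name does not match what was visited).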
