
I tried downloading and updating malwarebytes from https://www.malwarebytes.org but their certificate seems to be incorrect. This is the warning:

This is probably not the site you are looking for! You attempted to reach www.malwarebytes.org, but instead you actually reached a server identifying itself as gp1.wac.edgecastcdn.net. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of www.malwarebytes.org. You should not proceed, especially if you have never seen this warning before for this site.

Does anyone have an idea on this? Any history? Misconfiguration?

EDIT: If this is misconfiguration, aren't they open to MITM for their database updates? Either they aren't serving it over SSL or they are ignoring SSL errors during connection setup (inside their App).

DeepSpace101
  • I'm getting the warning too. So it's not an active attack, but could be a misconfiguration – copy Jun 28 '13 at 19:02
  • Maybe it's the NSA bugging the malwarebyte servers with malware? The irony is nested. Actually after the news, anything is possible :) ! Anyway, I'd like to verify the hash values of what I'm downloading from malwarebytes.com. Any idea where they are published? – DeepSpace101 Jun 28 '13 at 19:05
  • @Sid If you can't get the hash from a trusted-signed first-party website, then there's arguably no point in checking it at all. – Iszi Jun 28 '13 at 19:16
  • @Iszi: Not really. `No point` is true only if **every** point of inspection has been compromised. Probabilistically, that's hard(er), so as a security-in-layers measure, I'd rather check the hash than not check the hash. Eventually, there are no guarantees - just play the odds – DeepSpace101 Jun 28 '13 at 19:23
  • @Sid As I said, *arguably* no point. See this question for more discussion on the topic. http://security.stackexchange.com/q/1687/953 – Iszi Jun 28 '13 at 19:33

2 Answers


It looks like a misconfiguration. www.malwarebytes.org is, at the DNS level, an alias for wac.1D00.edgecastcdn.net, which belongs to EdgeCast, a company that specializes in content hosting and delivery. The certificate is theirs. My guess is that Malwarebytes is a customer of EdgeCast, and someone at EdgeCast made a configuration mistake. This will probably be promptly fixed, at least if the people at Malwarebytes are made aware of the issue.

As for database updates, they might not use the same address and server as their Web site, as you see it. They may also use "direct trust": the client already knows the exact server public key, and simply ignores the certificate as sent by the server. Direct trust is not very flexible, but it is secure.

Tom Leek
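To make the two checks discussed in this thread concrete, here is an added example (not code from the question, the answer, Malwarebytes or EdgeCast). It implements the hostname check that produced the browser warning above (RFC 6125-style name matching against a certificate's subjectAltName, with the subject CN as a legacy fallback) and the "direct trust" alternative from the answer: the client pins the SHA-256 of the exact leaf certificate it expects and ignores the names and issuer entirely. The certificate dictionary uses the layout that Python's `ssl.SSLSocket.getpeercert()` returns; the SAN entries and the DER bytes are constructed for the example, since the real EdgeCast certificate's contents are not on the page.

```python
from __future__ import annotations

import hashlib
import hmac


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a hostname.

    A single '*' may stand in for exactly one left-most label ("*.example.net"
    matches "a.example.net" but not "a.b.example.net" or "example.net").
    Wildcards elsewhere, or a bare "*.tld", are rejected. Case-insensitive.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_dns_names(cert: dict) -> list:
    """Names a certificate claims, in getpeercert() layout.

    Browsers use the subjectAltName DNS entries; the subject commonName is
    only consulted when no SAN is present (legacy behaviour).
    """
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for (kind, value) in rdn:
            if kind == "commonName":
                names.append(value)
    return names


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when any name in the certificate covers the requested hostname."""
    return any(_name_matches(name, hostname) for name in cert_dns_names(cert))


def leaf_pin_matches(leaf_der: bytes, pinned_sha256_hex: str) -> bool:
    """Direct trust: compare the served leaf certificate (DER, as returned by
    getpeercert(binary_form=True)) against a stored SHA-256. The chain and the
    names in the certificate play no role; only the exact expected bytes pass."""
    digest = hashlib.sha256(leaf_der).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256_hex.lower())


def verdict(cert: dict, leaf_der: bytes, hostname: str, pinned_sha256_hex: str | None = None) -> str:
    """Explain the outcome the way a browser warning would: which names the
    server presented versus which one was requested, or whether the pin held."""
    if pinned_sha256_hex is not None:
        return "ok (pinned leaf)" if leaf_pin_matches(leaf_der, pinned_sha256_hex) else "pin mismatch"
    if hostname_matches(cert, hostname):
        return "ok (name matches)"
    return "name mismatch: requested %s, server identified as %s" % (
        hostname, ", ".join(cert_dns_names(cert)))


# Constructed stand-in for the CDN certificate from the warning: the names are
# the ones quoted in the question; the SAN list and DER bytes are invented here.
CDN_CERT = {
    "subject": ((("commonName", "gp1.wac.edgecastcdn.net"),),),
    "subjectAltName": (("DNS", "gp1.wac.edgecastcdn.net"), ("DNS", "*.wac.edgecastcdn.net")),
}
CDN_LEAF_DER = b"constructed-leaf-certificate-bytes"
# A client using direct trust would ship this value with the application.
EXPECTED_LEAF_SHA256 = hashlib.sha256(CDN_LEAF_DER).hexdigest()


if __name__ == "__main__":
    # What the browser saw: the name the user typed is not in the certificate.
    print(verdict(CDN_CERT, CDN_LEAF_DER, "www.malwarebytes.org"))
    # The same certificate is fine for the host it actually names.
    print(verdict(CDN_CERT, CDN_LEAF_DER, "gp1.wac.edgecastcdn.net"))
    # An updater using direct trust does not care about the names at all.
    print(verdict(CDN_CERT, CDN_LEAF_DER, "www.malwarebytes.org", EXPECTED_LEAF_SHA256))
```

Note the design point that makes the answer's remark hold: with `pinned_sha256_hex` set, a swapped certificate fails even if it carries a perfectly valid name for the host, and a misconfigured-but-genuine certificate passes regardless of its names. That is why a pinned updater is unaffected by the kind of CDN mix-up seen on the web site, and also why it is inflexible: rotating the server certificate requires shipping a new pin.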

I'm guessing this is just a configuration gone screwy based on the certificate being for a CDN, and the CDN cert is trusted.

SPECULATION: In the event that it were a man in the middle I would think the attackers would decide to use a cert for the actual domain in question because it's probably better to see an untrusted certificate for the site in question instead of seeing a trusted cert for a different site entirely.

Steve