Be A Good Netizen

Written By: Jake Bauer | Posted: 2020-07-15 | Last Updated: 2020-07-15

I was working on my post for today and since that’s taking a little longer than expected, I figured I’d tell this story in the hopes that it gets more people to do the same when they encounter a situation like this.

A toot about some recent Cisco vulnerabilities caught my attention. I’m used to seeing Cisco vulnerabilities, but what I wasn’t used to was the following SSL connection error I encountered when trying to view the advisories:

[Image: A tab in Mozilla Firefox showing an attempt to connect to tools.cisco.com with the following error message: "Secure Connection Failed. An error occurred during a connection to tools.cisco.com. Peer attempted old style (potentially vulnerable) handshake. Error code: SSL_ERROR_UNSAFE_NEGOTIATION. The page you are trying to view cannot be shown because the authenticity of the received data could not be verified."]

I was only alerted to this when I shared this link with a friend, and he told me about the following settings (which I have since activated) in Firefox:

[Image: Mozilla Firefox's about:config page showing the settings 'security.ssl.require_safe_negotiation' and 'security.ssl.treat_unsafe_negotiation_as_broken' both set to true.]

When those settings are activated (technically, only the first is strictly necessary to prevent connections to broken sites), they stop the browser from connecting to websites with broken SSL negotiation. This is a fairly significant issue, so it’s good to have those settings activated.
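SSL_ERROR_UNSAFE_NEGOTIATION means the server completed a TLS 1.2-or-older handshake without the RFC 5746 renegotiation_info extension. To check a server you run for that condition, the following added example (not part of the original post) classifies `openssl s_client` output; the function names and sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample transcripts below are constructed, not captured output.

# Reads `openssl s_client` output on stdin and prints one verdict:
#   safe    - server sent the RFC 5746 renegotiation_info extension
#   unsafe  - TLS 1.2 or older handshake without it (the case Firefox refuses)
#   tls13   - TLS 1.3 session: renegotiation does not exist there, so a
#             "NOT supported" line from s_client is not a finding
#   unknown - no verdict line (handshake failed or output truncated)
classify_reneg() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Secure Renegotiation IS supported'; then
        echo safe
    elif printf '%s\n' "$out" |
        grep -Eq '^(New, |[[:space:]]*Protocol[[:space:]]*: )TLSv1\.3'; then
        echo tls13
    elif printf '%s\n' "$out" | grep -q 'Secure Renegotiation IS NOT supported'; then
        echo unsafe
    else
        echo unknown
    fi
}

# Handshake with a host you operate, forcing TLS 1.2 so the extension applies.
# Usage (after sourcing this file): check_host example.org [port]
check_host() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 \
        </dev/null 2>/dev/null | classify_reneg
}

# Constructed s_client excerpts for trying the classifier offline.
SAMPLE_LEGACY='New, TLSv1.2, Cipher is AES128-SHA
Secure Renegotiation IS NOT supported'
SAMPLE_PATCHED='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported'
SAMPLE_TLS13='New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Secure Renegotiation IS NOT supported'
```

An `unknown` result from `check_host` usually means the TLS 1.2 handshake itself failed, for example because the server only offers TLS 1.3.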

I poked fun at Cisco in a response to the original toot because… well… how does a company this large which specializes in networking and network security equipment allow something like this to happen, especially on their security advisories page?

However, the moral of this story (aside from turning on those settings in Firefox) is: when something is broken, be a good netizen and let the site owners know; things can’t be fixed if they don’t know about it. I submitted the following report to Cisco letting them know of the problem:

[Image: A Cisco general contact page with a filled out contact form. The form is filled out with information relating to the SSL error I experienced when previously trying to connect to tools.cisco.com. Also filled in is my email address, my name, and the link that I was trying to access. On the right is a set of radio buttons labelled 'Page rating' with the least favourable option 'Poor minus minus' selected.]

If you come across something like this in the future, I hope you too will be a good netizen and do the right thing!

This is my seventy-second post for the #100DaysToOffload challenge. You can learn more about this challenge over at https://100daystooffload.com.