Results 1 to 15 of 15
  1.    #1  
    Two weeks ago, I did a factory reset. The default setting for certificates is none. Today, I looked at my Palm Pre2's certificates. Device Info > Manage certificates. There were numerous certificates. My browser didn't ask me to trust a certificate. I was not notified when they were downloaded and installed.

    I researched each one. They are tracking javascript spyware certificates:

    addthisedge.com DigiCert SHA2 High Assurance Server CA
    a.ssl.fastly.net DigiCert High Assurance CA-3
    cdnjs.cloudflare.com GlobalSign Organization Validation CA-G2
    netdna.bootstrapcdn.com AlphaSSL CA -G2
    a248.e.akamai.net Cybertrust Public SureServer SV CA
    mojofarm.mediaplex.com GlobalSign Organization Validation CA - G2
    two yahoo certificates

    I deleted them all. I don't know how to prevent the certificates from reappearing nor how to prevent new certificates from automatically being installed.
  2. #2  
    what is a "JavaScript spyware certificate" ?

    You have several CA certs installed on every device and if a website is having a cert trusted by them, your device trusts this cert and the secure data transfer between website and device can happen.(Chain of trust)

    If you don't trust the CAs you could remove them, and then new certs are not trusted and you can not transfer your data securely with those sites. But i would NOT adise you to do so as you would have to decide with every webpage if the cert they are presenting can be trusted or not.
  3.    #3  
    Is WebOS had preloaded certificates, they would be there after a factory reset. No certificates after I performed a Secure Full Erase.

    Can you identify certificates preloaded by WebOS?

    Certificates are not required to safely enter data on a web page. None of the certificates I listed that were on my Pre2 without my knowledge and consent assisted transmitted data safely.
  4. #4  
    I'm no expert, but while you don't need certificates to securely transmit data (that's stuff like SSL/TLS), I think the certificates are used to confirm the website is what it says it is. This prevents a man in the middle attack.

    You enter details into what you think is your bank's website, but it's fake. Then the person pretending to be your bank turns around and logs into your bank with your details and takes all your money.

    The phone should have 'master' certificates to compare with what it is offered on the internet so it can check.

    Last year's problem with the app catalogue was caused because the certificate on devices expired and there aren't going to be anymore OS updates from HP - so a patch is required. I think it's possible to install certificates manually, but you have to be sure you are getting genuine ones from a trusted source.

    The danger of course is that the master certificates or issuing authority is compromised, but no security is perfect...
  5. #5  
    Quote Originally Posted by freebirds View Post
    Certificates are not required to safely enter data on a web page. None of the certificates I listed that were on my Pre2 without my knowledge and consent assisted transmitted data safely.
    oh yes they are, what do you think the lock infront of the url in your desktop browser is symbolising?

    Transport Layer Security - Wikipedia, the free encyclopedia

    Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols which are designed to provide communication security over the Internet.[1] They use X.509 certificates and hence asymmetric cryptography to assure the counterparty with whom they are communicating, and to exchange a symmetric key.
    And if you don't trust me and wikipedia perhaps you trust Palm:
    http://kb.hpwebos.com/wps/portal/kb/.../56876_en.html
    http://kb.hpwebos.com/wps/portal/kb/.../40069_en.html
    or perhaps webosinternals:
    http://www.webos-internals.org/wiki/...te_Authorities


    Could it be you mean cookies that are evil? HTTP cookie - Wikipedia, the free encyclopedia
  6.    #6  
    what I mean by javascript spyware certificates are certificates that use javascript to track users. For example, when I clicked on login link to this forum using palm, a pop up warned: "the security certificate cdnjs.cloudflare.com sent some invalid information. Connecting to this site might put your confidential information at risk."

    I clicked "don't trust certificate" then another pop up with same warning but about netdna.bootstrapcdn.com.

    I had deleted these yesterday in device info. How to prevent them from being einstalled?
  7. #7  
    They won't be installed unless you accept them. Chances are something in the certificate chain is expired or has been replaced by a new certificate due to the changes being made because of Heartbleed.
  8.    #8  
    after clicking on reply to this thread, third pop up warning same as first two but about adfarm.mediaplex.com. Yesterday I deleted mojofarm.mediaplex.com certificate. These tracking companies are very persistent.

    are other members getting spyware by using this forum?

    palm's browser does not show url address. Can't tell is http or https. How to troubleshoot this?
  9. #9  
    All you have to do to see the URL is drag the page down slightly and the address bar will show.
  10.    #10  
    grabber5.0 thanks for advising. Address bar won't drag down. Are you certain the three certificates should be trusted? Are they prepared?

    premptive and gizmo21 replied that there are prepared master certificates. Is there a list? I would like to install them. They were not automatically related after I performed a secure erase. Is this normal?
  11. #11  
    Quote Originally Posted by freebirds View Post
    grabber5.0 thanks for advising. Address bar won't drag down. Are you certain the three certificates should be trusted? Are they prepared?

    premptive and gizmo21 replied that there are prepared master certificates. Is there a list? I would like to install them. They were not automatically related after I performed a secure erase. Is this normal?
    As I wrote, I'm no expert.

    Here is an article about certificate authorities:
    Certificate authority - Wikipedia, the free encyclopedia

    More stuff from GRC - if you are interested in security.
    https://www.grc.com/revocation.htm - note the old stock webOS Browser fails this test.
    https://www.grc.com/fingerprints.htm
    https://www.grc.com/ssl/ev.htm

    Here are screengrabs of this site on my phone - scroll up to the top & beyond to see the page title, then click on it for the address, type a new one in etc.

    Ultimately, the only way to be sure you're secure on the internet is to disconnect from it...
    Attached Images Attached Images
  12.    #12  
    Thanks preemptive for instructing me to tap on the address bar. Tapping did disclose the URL. The URL is http.
    The link to my thread in email notifications is http. I click on the link to log in.

    I typed https//forums.webosnation.com in the address bar. A pop up warned that forums.webosnation certificate has expired. Asks whether I want to trust the certificate. I don't trust the certificate. Error message: "Unable to load page. Loading page error (2035)"

    I retype https://forums.webosnation.com in Pre2's address bar. I click trust once. Browser goes to a webpage: "SSL not supported for forums.webosnation.com. SSL requests not supported for forums.webosnation.com. The site is not configured with SSL support".

    When I use Konqueror browser in live PCLinuxOS FullMonty linux DVD, I receive the same error message.

    Firefox browser in live DVD of PCLinuxOS could not go to https://forums.webosnation.com. Error message: "The requested operation could not be completed. Connection to Server Refused"

    I went to Device Info > Certificate Manager to obtain identity of the forums.webosnation's certificate: Sony | VeriSign Class 3 International Server CA - G3. I conducted a search on sonypro certificate but nothing came up. I went to the webpage Sony | to find information on selling real estate. I deleted sonypro.com.mx certificate.

    Konqueror and Firefox are not asked to accept certificates. Why is my Pre2 repeatedly asked? Is this happening to other users? Does forums.webosnation have a a htpps website?

    Preemptive, I greatly appreciate the articles you referred on fraudulent SSL certificates and man in the middle attacks. I copied them into plain text files to read offline. Hopefully, they will recommend a solution.
  13. #13  
    in certs there can't be any JavaScript and they are not used to track. There could be traking sites that are ssl secured but the evil thing is not the cert.

    I have already posted the webosinternals link where
    the CA certs folder of webosdoctors delivered trusted certs usually can be found.

    Forum here can not be accessed ssl secured but login is secure
    https://passport.mobilenations.com and my pre2 does not ask there for cert approval.
    I have only my 5 willingly accepted "unsecure" certs like my self signed NAS cert. and i use my pre2 since 2 years without doctoring.

    As you get asked very often, perhaps your CA certs are missing and that's why the cert chain is unknown for your device (check the path i mentioned).
  14.    #14  
    Gizmo21, thank for providing links. I read the articles. I do not see a link in the articles on list of prepared certificates.

Similar Threads

  1. How to disable the Spyware in WebOS ?
    By thomaz in forum HP TouchPad
    Replies: 1
    Last Post: 10/29/2011, 05:28 PM
  2. Is there such a problem as spyware patches
    By rothoof in forum webOS Patches
    Replies: 6
    Last Post: 01/19/2011, 12:28 AM
  3. Palm OS Spyware
    By SnowAngel1106 in forum General News & Discussion
    Replies: 13
    Last Post: 02/21/2008, 07:19 PM
  4. Is My Centro Spyware?
    By MobileBiz in forum Palm OS Devices & Apps
    Replies: 1
    Last Post: 10/23/2007, 06:20 AM
  5. Spyware Software?
    By copernicus in forum Palm OS Devices & Apps
    Replies: 12
    Last Post: 12/18/2002, 01:20 PM

Posting Permissions