Looks like there is an issue with their blog at https://blog.waze.com also: "The webpage at https://blog.waze.com/ might be temporarily down or it may have moved permanently to a new web address."
I suspect that these pages may, in fact, be compromised.
Although I can't access either with Chrome - due to the re-direct to https and the security certificate mismatch - I can access them with Internet Explorer (IE11).
I have Adobe Flash set to click-to-play, so no Flash content can run automatically. Both these pages want to run Flash content. I don't think the blog pages use Flash. I'm pretty sure the status page doesn't!
WordPress has a long history of security vulnerabilities & hijacks, so it wouldn't surprise me if these pages were compromised. More importantly the last month has seen several highly critical vulnerabilities revealed in Adobe Flash, meaning that any Windows computer that is not fully patched can be infected with no user interaction. The presence of unexpected Flash content is therefore a massive red flag.
My scripts: WME FixUI WME Presets
I want to go to a commune in Vermont and deal with no unit of time shorter than a season
Please note that I am now 100% convinced that, at least, status.waze.com has been compromised.
[EDIT] No I'm not - see next post.
Thank you to bz2012 who forwarded me some detailed information. There is some extremely suspicious data being served up by the status page. I have reported all of this directly to Waze, but we probably won't hear anything until Sunday morning.
In the meantime, I strongly advise you to avoid status.waze.com and blog.waze.com, regardless of your OS, plugin availability or patch level.
I would also strongly advise you to change settings so that Adobe Flash Player is in "click-to-run" mode, such that Flash content can only run if you specifically enable it. And, although you can override this setting for some websites (depending on your browser), I would also advise never doing so. Instructions for various browsers
Adobe Flash is a constantly-vulnerable target. For years now there has been a steady stream of critical security flaws in Flash Player and there is no sign that this will stop. Flash is used in too many places for removing it to be really convenient, but allowing Flash content to play automatically is the online equivalent of walking the school halls with a "KICK ME" sign taped to your back.
Firstly, I have had a response from Waze about this issue:
"Guys, the pages are safe. What you posted are additions by WordPress that we have no control over, but are not security issues."
On that basis, and also a comment from someone else who is familiar with this sort of thing, I'm willing to accept that the previously-mentioned suspicious content served up by the Status page is OK: suspicious-looking, but not actually malicious.
So I withdraw my earlier statement - these pages are probably OK. What we are probably seeing here is the result of poor security practices:
- Unnecessary use of Flash. The Flash content on status.waze.com appears to be something to do with emojis. Not malicious, but does it really add anything to the page? Certainly nothing visible I can see. As for blog.waze.com, someone has pointed out that it isn't a WordPress site. Also, to be fair, I could see Flash content might reasonably be posted here: videos and that sort of thing.
- Security certificate problems. This issue has only really been highlighted because Chrome is constantly hardening its security features. Internet Explorer doesn't have a problem. I suspect the latest version of Chrome is somehow deciding that the 2 sites can be accessed by https and insisting on doing so. That is then highlighting a certificate problem that wasn't relevant with http.
Having said that, since they publish the website, Waze should have dealt with this issue before. This issue has also been raised directly with HQ and we're awaiting a response.
Not working for me, either. Chrome is still redirecting to the https page.
Yes, having the same issue as well with Chrome and I know several other editors are also.
Exact same issue here. I've tried flushing the DNS cache and clearing Firefox's history. It's definitely being forced server-side.
Country Manager: Canada
It breaks the WME tiles update script.
GC: Latvia
Coordinator: Latvia
Still have the same problem under Firefox 39, Firefox 40 (Beta), Firefox Developer Edition and Chrome.
DNS flushed, cache empty
Regional Manager Auvergne - Rhône-Alpes, >2900 resolved, Mentor France
Seems to be solved for me since this morning on Firefox Developer Edition.
Re: Bad certificate -- status page