https certificates?

tautology
Posts: 369
Joined: Wed Sep 01, 2010 2:26 pm

Re: https certificates?

Post by tautology » Tue Nov 28, 2017 11:21 pm

I don't want to really get into an argument about this; but you seem to be expecting more from certificate integrity than it was ever designed to do.

The certificate is proof that the server (or optionally the client) is who it says it is, i.e. that stardot.org.uk is stardot.org.uk and not stardto.org.uk. Nothing more. It does not say (nor is it ever meant to say) that stardot.org.uk is a valid site. This works and protects integrity and, importantly, confidentiality between the client and the requested server.

There was an HTTP header extension (HPKP) to implement key pinning (such as is used on mobile apps) to improve this, but there were implementation issues with the specification so for now it's not recommended.

Applying SSL to a site is simple, quick and (unless you cock it up) secure. DNSSEC does not compete with SSL, it just applies integrity protection to DNS (but no protection for confidentiality). Both can and should be used if possible.
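The hostname binding the post describes, as an added example written for this thread rather than code from the post: given the dNSName entries of a certificate (constructed sample values, not the real stardot.org.uk certificate), it decides whether they cover the host the user typed, following the RFC 6125 wildcard rules, and nothing else, which is exactly why a matching name says nothing about whether the site is legitimate.

```python
# Added example, not from the post: the name check a TLS client runs once the
# chain has validated.  A certificate covers a hostname when one of its SAN
# dNSName entries equals it, or when a wildcard in the leftmost label matches
# exactly one label (RFC 6125 s6.4.3).  It never asks "is this site honest".

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if the SAN dNSName `pattern` covers `hostname`."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # A wildcard in the presented hostname is never valid, and label counts
    # must agree: "*.stardot.org.uk" does not cover "a.b.stardot.org.uk".
    if "*" in hostname or len(p) != len(h) or len(p) < 2:
        return False
    if "*" in pattern:
        # Only a whole-label wildcard in the leftmost position is accepted,
        # and at least two literal labels must remain (so "*.uk" is refused).
        if p[0] != "*" or any("*" in lbl for lbl in p[1:]) or len(p) < 3:
            return False
        return p[1:] == h[1:]
    return p == h

def cert_covers_host(san_dns_names, hostname: str) -> bool:
    """True if any SAN entry of the certificate matches the requested host."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)

# Constructed SAN list for a hypothetical DV certificate of the forum host.
STARDOT_SAN = ["stardot.org.uk", "www.stardot.org.uk"]

if __name__ == "__main__":
    print(cert_covers_host(STARDOT_SAN, "stardot.org.uk"))        # covered
    print(cert_covers_host(STARDOT_SAN, "stardto.org.uk"))        # typo host, not covered
    print(cert_covers_host(["barclays-bank.co.uk"], "barclays.co.uk"))  # different name
```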

crj
Posts: 834
Joined: Thu May 02, 2013 4:58 pm

Re: https certificates?

Post by crj » Tue Nov 28, 2017 11:43 pm

No, I'm expecting from certification what it was originally intended to provide: reassurance that you're communicating with the entity that has a specific human-comprehensible name. So, for example, it shouldn't be possible for the owners of barclays-bank.co.uk to get a certificate saying they're Barclays Bank.

Even if it's only certifying that the entity rightfully controls a particular hostname, which is already a weakening of the original intent, they ought to be performing some checks beyond making sure they have control over the hostname right now.

You seem to be under the misapprehension that X.509 and TLS are the same thing. (You also seem to be under the misapprehension that SSL wasn't rendered obsolete by TLS eighteen years ago.) I have no problem with TLS. Even X.509, though baroque and error-prone to implement, isn't actually broken and there are several mature libraries. My complaint is at how X.509 certification authorities and browser manufacturers are conducting themselves.

Meanwhile, once you have DNSSEC you can trust responses to DNS queries. That means DNS can be used to distribute public keys for various purposes. In the case of TLS, via DANE.

tautology
Posts: 369
Joined: Wed Sep 01, 2010 2:26 pm

Re: https certificates?

Post by tautology » Wed Nov 29, 2017 12:15 am

As you've decided to patronise, I'm not going to respond to you anymore.

danielj
Posts: 6364
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: https certificates?

Post by danielj » Wed Nov 29, 2017 5:47 am

It seems timely to remind people that at the end of each of these posts is another human being, and that a little humility goes a long way. Tone and language are everything on the Internet.

Additionally, what may be "obvious" to one may not be to someone else, and no one has the monopoly on opinion.

pau1ie
Posts: 528
Joined: Thu May 10, 2012 9:48 pm
Location: Bedford

Re: https certificates?

Post by pau1ie » Wed Dec 06, 2017 4:06 pm

Thought I would derail this thread even further by linking here: Are EV certificates worth the paper they're written on. Most of this has already been covered, but I found it thoughtful and interesting.
I'm working on http://bbcmicro.co.uk

crj
Posts: 834
Joined: Thu May 02, 2013 4:58 pm

Re: https certificates?

Post by crj » Wed Dec 06, 2017 5:12 pm

OV feels like the most appropriate kind of certificate: it actually gives some assurance of identity beyond "this person was in control of the domain when they applied", but isn't an expensive status symbol like EV. Once upon a time, it was the only kind of certificate one could get.

DV is squeezing it out from below and EV from above. Both of these annoy me in equal measure...

...though not half as much as organisations that redirect you to a payment broker you've never heard of to take your credit card details. If reputable-utility-company.co.uk sends you to my-super-legit-payments.biz that also makes a mockery of things.

Once upon a time I wouldn't touch PayPal with a bargepole. Nowadays, I pay through it in preference to giving out my card details because everything else has become even less secure. *sigh*

sirbod
Posts: 842
Joined: Mon Apr 09, 2012 8:44 am
Location: Essex

Re: https certificates?

Post by sirbod » Thu Dec 07, 2017 6:48 pm

crj wrote: Once upon a time I wouldn't touch PayPal with a bargepole. Nowadays, I pay through it in preference to giving out my card details because everything else has become even less secure. *sigh*
PayPal is not an acquirer, they're a merchant. They pass your credit card details onto an acquirer via the Internet, who in turn validate your card details with the issuer via the Internet.

The only difference between PayPal and a smaller merchant is PayPal obfuscate the acquirer authentication by holding your credit card details and passing them in the background, whereas a small merchant will redirect you directly to the acquirer thereby avoiding having to become PCI-DSS compliant themselves.

crj
Posts: 834
Joined: Thu May 02, 2013 4:58 pm

Re: https certificates?

Post by crj » Thu Dec 07, 2017 6:53 pm

That's not the only difference.

The more important differences aren't technical: they're relatively reputable by the standards of the day, and large enough to be accountable to the court of public opinion if they ever screw me over.

roland
Posts: 2920
Joined: Thu Aug 29, 2013 8:29 pm
Location: Born (NL)

Re: https certificates?

Post by roland » Thu Dec 07, 2017 9:35 pm

danielj wrote: OK - if you want to connect via https, you should now be able to - please let me know if you have any issues!
I'm having an issue:
SchermAfdruk.png
This is on Linux Mint with FF 57.0.1. The error message means something like this:
Error while connecting to stardot.org.uk. SSL received a record that exceeded the maximum allowed length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
256K + 6502 Inside
MAN WOMAN :shock:
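Why Firefox reports SSL_ERROR_RX_RECORD_TOO_LONG in the situation above, as an added example that is not part of the post: the client reads the first five bytes from port 443 as a TLS record header, and if the server answers in plain HTTP those bytes decode to a record length far beyond the TLS maximum. The byte strings below are constructed samples, not captured from stardot.org.uk.

```python
# Added example, not from the post: decode a TLS record header the way a
# client does and show what a plaintext HTTP reply on the TLS port looks like.
#   byte 0     content type (20..23 for ChangeCipherSpec/Alert/Handshake/AppData)
#   bytes 1-2  protocol version (3,3 = TLS 1.2)
#   bytes 3-4  big-endian record length
import struct

MAX_RECORD = 2 ** 14 + 2048  # largest TLS 1.2 ciphertext record (RFC 5246 s6.2.3)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def parse_record_header(data: bytes) -> dict:
    """Decode the 5-byte record header and apply the length sanity check."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "content_type": CONTENT_TYPES.get(ctype, "unknown(0x%02x)" % ctype),
        "version": (major, minor),
        "length": length,
        "too_long": length > MAX_RECORD,
        # Cheap hint for the operator: the "record" begins with an HTTP status line.
        "looks_like_http": data[:5] == b"HTTP/",
    }

def diagnose(first_bytes: bytes) -> str:
    """Turn the header fields into the message a browser would surface."""
    hdr = parse_record_header(first_bytes)
    if hdr["too_long"]:
        hint = " (server is speaking plaintext HTTP on the TLS port)" if hdr["looks_like_http"] else ""
        return "SSL_ERROR_RX_RECORD_TOO_LONG" + hint
    return "TLS %s record, %d bytes" % (hdr["content_type"], hdr["length"])

# Constructed: header of a TLS 1.2 Handshake record carrying a 42-byte body.
TLS_HELLO = bytes.fromhex("160303002a") + b"\x02\x00\x00\x26\x03\x03" + b"\x00" * 36
# Constructed: what a web server sends when port 443 is not configured for TLS.
# "HTTP/" decodes as type 0x48, version (0x54, 0x54), length 0x502f = 20527.
PLAIN_HTTP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    print(diagnose(TLS_HELLO))
    print(diagnose(PLAIN_HTTP))
```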

danielj
Posts: 6364
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: https certificates?

Post by danielj » Thu Dec 07, 2017 9:44 pm

I've not re-enabled it as it was allowing access to all the directories in the forum directory structure and I've not had time to work out how to prevent that at the moment :(

d.

richardtoohey
Posts: 3563
Joined: Thu Dec 29, 2011 5:13 am
Location: Tauranga, New Zealand

Re: https certificates?

Post by richardtoohey » Mon Dec 11, 2017 8:10 am

You might need DirectoryIndex ...

danielj
Posts: 6364
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: https certificates?

Post by danielj » Mon Dec 11, 2017 8:26 am

I think you're right. I need a moment to delve back in to the config...

d.

Coeus
Posts: 900
Joined: Mon Jul 25, 2016 11:05 am

Re: https certificates?

Post by Coeus » Fri Apr 13, 2018 4:54 pm

I was about to comment about the GNOME Web Browser (on Linux, otherwise known as epiphany) failing to load pages from this site due to an SSL protocol error but the problem seems to have gone away. I think I remember Firefox having a similar problem but that too is now working.

What I believe happened is that these browsers had started trying to access everything over SSL/TLS wherever possible and thus even when given an http:// url they would attempt to contact the SSL port and set up a secure connection. I think that was failing because the server had the port open but was otherwise not set up? And, when I say the problem has gone away, what is happening now is that the browsers are now accessing the site through plain text HTTP. Chromium never had the problem - that honoured the scheme name and just used plain-text HTTP throughout.

Has any change been made at the server end recently?

And, off topic (for this thread) but it seems some of the people who have contributed to this thread may be the best to advise me on this enhancement related to signing executables, raised against B-Em.

Coeus
Posts: 900
Joined: Mon Jul 25, 2016 11:05 am

Re: https certificates?

Post by Coeus » Fri Apr 20, 2018 10:50 am

And further to the discussion of not trusting CAs, I found this https://security.googleblog.com/2017/09 ... antec.html

danielj
Posts: 6364
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: https certificates?

Post by danielj » Sat May 26, 2018 8:00 pm

OK - on a roll, you should be able to use https now :)

d.

pau1ie
Posts: 528
Joined: Thu May 10, 2012 9:48 pm
Location: Bedford

Re: https certificates?

Post by pau1ie » Sat May 26, 2018 8:40 pm

Thanks Daniel, that's brilliant!
I'm working on http://bbcmicro.co.uk

roland
Posts: 2920
Joined: Thu Aug 29, 2013 8:29 pm
Location: Born (NL)

Re: https certificates?

Post by roland » Sat May 26, 2018 9:52 pm

Seems to work fine on my iPad =D>
256K + 6502 Inside
MAN WOMAN :shock:

danielj
Posts: 6364
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: https certificates?

Post by danielj » Sun May 27, 2018 6:51 am

Okay, the entire /forums subsection should be forced through https now. Please let us know if you have any problems :)

d.

tricky
Posts: 2633
Joined: Tue Jun 21, 2011 8:25 am

Re: https certificates?

Post by tricky » Mon May 28, 2018 6:48 am

Every time I start a new session on stardot on my phone, I get a warning about invalid site certificates.
As I know the recent history, this doesn't bother me, but it might bother a new visitor.
I use the default browser on my three year old phone, which afaik has never updated.

danielj
Posts: 6364
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: https certificates?

Post by danielj » Mon May 28, 2018 6:53 am

If your browser is up to date it should be fine. Try clearing your cache.
Screenshot_20180528-075038.png

tricky
Posts: 2633
Joined: Tue Jun 21, 2011 8:25 am

Re: https certificates?

Post by tricky » Tue May 29, 2018 6:53 am

I don't know of any updates for the browser, but my spare phone which is slightly newer is fine.
PS clearing the cache made no difference.

BigEd
Posts: 1967
Joined: Sun Jan 24, 2010 10:24 am
Location: West

Re: https certificates?

Post by BigEd » Tue May 29, 2018 7:10 am

(Is your main phone sufficiently new that you can run Chrome on it? That might work. I've got an old iPod touch which no longer works for most websites - this seems to be the world we live in.)

tricky
Posts: 2633
Joined: Tue Jun 21, 2011 8:25 am

Re: https certificates?

Post by tricky » Tue May 29, 2018 11:35 am

It does run chrome, but not well.
I've just been told that chrome is adding a warning for non-HTTPS, so I guess I will just put up with the warning until I get a new phone.

jms2
Posts: 2001
Joined: Mon Jan 08, 2007 6:38 am
Location: Derby, UK

Re: https certificates?

Post by jms2 » Thu May 31, 2018 11:54 am

I'm getting these warnings as well, on my Android tablet. I've just installed the latest version of Chrome and if anything, the warnings have become even more dire!

In Windows, and on my iPhone, everything seems OK though.

Elminster
Posts: 2619
Joined: Wed Jun 20, 2012 8:09 am
Location: Essex, UK

Re: https certificates?

Post by Elminster » Thu May 31, 2018 12:15 pm

Is it feasible that Chrome on Android has the Authority Certificate for Let's Encrypt missing? In which case any certificates they signed, e.g. stardot, would appear invalid.

guesser
Posts: 197
Joined: Mon Jun 26, 2006 9:21 pm

Re: https certificates?

Post by guesser » Thu May 31, 2018 12:33 pm

Elminster wrote (Thu May 31, 2018 12:15 pm): Is it feasible that Chrome on Android has the Authority Certificate for Let's Encrypt missing?
It's possible but seems unlikely since they're one of the main sponsors.
Edit: unless the browser is hugely out of date of course.
A web based teletext editor which can export as Mode 7 screen memory: https://zxnet.co.uk/teletext/editor

danielj
Posts: 6364
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: https certificates?

Post by danielj » Thu May 31, 2018 1:39 pm

I'm using it happily on android :? I'd suggest wiping your cache, reinstalling the browser and seeing what happens? I've kept the whole thing as vanilla as possible, all the certs are genuinely valid :(

d.

jms2
Posts: 2001
Joined: Mon Jan 08, 2007 6:38 am
Location: Derby, UK

Re: https certificates?

Post by jms2 » Thu May 31, 2018 9:44 pm

Wiping the cache has helped. I no longer get all the warnings, just a red triangle symbol with a ! in it. =D>

danielj
Posts: 6364
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: https certificates?

Post by danielj » Fri Jun 01, 2018 5:13 am

What's the error reported by that if you click on it?

d.

jms2
Posts: 2001
Joined: Mon Jan 08, 2007 6:38 am
Location: Derby, UK

Re: https certificates?

Post by jms2 » Fri Jun 01, 2018 6:16 am

'your connection to this site is not secure'
