Your certificate expired today

Hi gang,

First a small rant: I seriously dislike the zealous way in which HSTS gets implemented in modern browsers today, it's a joke. I can't overrule anything anymore! Even though I KNOW that there is 0 risk *

Anyway: the certificate for forums.freebsd.org expired a few hours ago, sloppy :/ And because the site is masked with HSTS the result is that no one with a modern browser is now allowed access anymore. Something I'm seriously displeased with (note: that's mostly aimed at this POS browser which is treating me like an idiot: Opera, Chrome, Firefox... Dumb consumer products where HTTPS is concerned if you ask me).

Anyway, figured I'd leave a warning here. Please fix :/

In case you're wondering: I originally posted this using www/links from my trusty Zefiris FreeBSD server.

Well, in the meantime I found an undocumented option to do exactly that: to overrule certificate checking by Chrome (Opera is built upon Chromium). I'm still leaving my rant above as-is because I think this "solution" is even more dangerous.

What is it? Start the browser with the -ignore-certificate-errors parameter. See: I'm the geek who just did so on the console (cmd.exe) after finding launcher.exe which launches Opera. How many people would edit the icon / menu entry instead? And maybe forget all about it? See, the risk here is that this setting now overrules every certificate error on every website.

And all because some dumb programmers feel the need to treat their users like idiots, while obviously also relying on the classic security through obscurity (as mentioned: as far as I can tell this parameter is undocumented).
 
You can "overrule" it in Firefox (Palemoon, Waterfox):
Preferences => Advanced => View Certificates => Add Exception.
Normally, the warning on the site shows also "Add Exception". This time it does not. So I have to use Preferences.
 
I very much prefer having a small "shitstorm" about an expired certificate over any other not-so-important-topic on something you could find on like Facebook. :)
 
The idea behind HSTS is good in theory. The obvious benefit being that if someone hijacks your connection (changing DNS on home routers full of security holes is popular these days), they can't point you to an insecure copy of a website then scrape your details.

It's a bit annoying you can't get past it in Chrome, but then the setting is supposed to be the website telling you outright that you should always connect over a valid HTTPS connection, which leads me onto the next point..

Unfortunately it's one of those things like DNSSEC that can completely screw you up when you get it wrong, or forget to update things before they expire...

(Note I managed to get in via Edge. I don't know whether it allows bypassing HSTS, or more likely I've just never been here in Edge and it hasn't seen the HSTS header)
 
So I better not restart my phone which is still authenticated. The standard browser wants to tell me every minute that the certificate is up but it works the rest of the time.
 
I had to delete the line with "forums.freebsd...." in

.mozilla/firefox/xxxxxxxx.default/SiteSecurityServiceState.txt

so that the browser offers me the option to add an exemption when I try to reach the forum.

I wonder why things are made so complicated, for nothing.
 
The idea behind HSTS is good in theory. The obvious benefit being that if someone hijacks your connection (changing DNS on home routers full of security holes is popular these days), they can't point you to an insecure copy of a website then scrape your details.
True, but the thing is... the certificate may have expired, but that doesn't mean that the connection isn't encrypted anymore. The HTTPS part (encryption) is still valid, the only problem is the trust model. But.. I agree: I am nitpicking ;)

How do you even manage to do this btw? There is no way to log in using links so I guess you must have been logged in beforehand somehow, no?
No, I simply logged in using Links. I don't know why and how but I had no issues with that. See also the attachment (though this is not the real session), I'm currently back in Opera (re-started an unsafe session).
 

Well, they continue trying to make it idiot proof, which only creates better idiots. I was able to get to the add exception by using palemoon and porn mode---errm, private browsing, when it then gave me the opportunity to add an exception. I don't have a good answer. We're mostly somewhat technical here so have a good idea, but the vast majority of internet users probably should be stopped from going to such sites.

I remember when Fedora made one of its decisions that the user is too stupid to do something or other--might have been start X as root, and as someone on their forums said
they are welding the training wheels to the frame.
 
but the vast majority of internet users probably should be stopped from going to such sites.

Yeah generally speaking a warning like this should be interpreted, certainly by normal users, as "website down" and not bypassed. We know it's just expired, but if it was NAME_MISMATCH it could very easily be a hijack attempt. Even the fairly innocuous looking DATE_INVALID like this one could turn out to be an old cert/key pair that has been discarded and picked up by someone.
 
Scary.
Code:
Invalid certificate
Continue anyway

Your connection is not secure.
The server is trying to trick you to steal your information.

a plot to steal my money by you know who.
 
Voldemort? (Oh, sorry, misunderstood.)
I can't even complain. I was almost fooled by a very good phishing attempt the other day, from my credit card company. It had a link that if you clicked it, took you to a site identical with theirs and even the url looked right--it was something like verify.company.com

At that point I called the company and they told me it was a phishing attempt. Point is though that one really does have to worry and be careful. In this case, when I saw the cert expired yesterday, it seemed fairly obvious what the cause was so I continued, but as usdmatt says, lots of apparently innocuous issues could be real problems.
 
True, but the thing is... the certificate may have expired, but that doesn't mean that the connection isn't encrypted anymore. The HTTPS part (encryption) is still valid, the only problem is the trust model.

Well - no. If expiry is to mean anything, this certificate is invalid.
And if that HSTS thing is to mean, do not connect without proper auth, then there should be no way to connect.

There are two other questions that seem more relevant to me:
1. Who is going to fix the issue, and when?
2. Why do we have that HSTS thing activated? I would suppose that is good for e-commerce and similar sites, and I don't see much point in using it for a simple webforum.

Besides: I agree, I am unhappy with the web security schemes as well. But I would rather look for the flaws in the whole CERT scheme in general (and that is quite difficult to improve).
 
Well - no. If expiry is to mean anything, this certificate is invalid.
And if that HSTS thing is to mean, do not connect without proper auth, then there should be no way to connect.

There are two other questions that seem more relevant to me:
1. Who is going to fix the issue, and when?
2. Why do we have that HSTS thing activated? I would suppose that is good for e-commerce and similar sites, and I don't see much point in using it for a simple webforum.

I agree with you on both points. Also I would like to add that I could enter using Opera Browser. Firefox, even adding an exception, did not work in my case at least.
 
1. I assume the forum admins will fix it, but depending on location they may just be getting out of bed...
2. I doubt there's much worry of a concerted attempt to hijack these forums to steal user details, but in all fairness we'd still get the full page error even without HSTS, it would just be a bit easier to bypass (at the moment at least). If you enable HTTPS, it makes sense to use HSTS, you just have to make sure the cert is always valid... (which you need to do anyway, even without HSTS)
 
The forums are back online with a new shiny cert.
Apparently a new cert had been issued from within the FreeBSD organization a couple of days ago, but it was stuck in an inactive mailbox.
As you were.
 
Wow! That was professional. :)

1. I assume the forum admins will fix it, but depending on location they may just be getting out of bed...

I was just thinking that it may take a couple of hours to get an official certificate signed by the proper authority, and there is a weekend ahead, so one should get moving about now. Which obviously has happened. :)

2. I doubt there's much worry of a concerted attempt to hijack these forums to steal user details, but in all fairness we'd still get the full page error even without HSTS, it would just be a bit easier to bypass (at the moment at least). If you enable HTTPS, it makes sense to use HSTS, you just have to make sure the cert is always valid... (which you need to do anyway, even without HSTS)

I just gave a glance to RFC6797 (where HSTS is described), and I might agree that it makes sense to activate it. The ideal way of engineering would then be, as the HSTS option carries an expiry time, to adjust that expiry time to the expiry time of the certificate. But I suppose that's a bit difficult to implement in a web server.
 
The already issued one was made known to me when I had just installed the one I procured. At least with this one, I will be in the information loop.

Update: the original FreeBSD certificate has now been swapped in -- it ties in with other FreeBSD (cluster) services and requires less administration and reorganisation than importing the 'external' certificate I installed for the time being.
 
The ideal way of engineering would then be, as the HSTS option carries an expiry time, to adjust that expiry time to the expiry time of the certificate. But I suppose that's a bit difficult to implement in a web server.

The problem then is you have a target window when the certificate expires where everyone's HSTS records do as well. Most people in the CA business are suggesting fairly long expiry times for the record (> 1 year), and this is currently required to get A+ on ssllabs.

At the end of the day the point of the record is to try and force browsers to require a valid cert permanently, so a hacker can never pretend to be your site unless they can also impersonate your cert. If the record expires, especially on a known date, it opens the door for hijack attempts.
 
The problem then is you have a target window when the certificate expires where everyone's HSTS records do as well. Most people in the CA business are suggesting fairly long expiry times for the record (> 1 year), and this is currently required to get A+ on ssllabs.

So what? The whole thing isn't really waterproof anyway: it requires that you have visited the site before, with this browser on this installation as this user.

At the end of the day the point of the record is to try and force browsers to require a valid cert permanently, so a hacker can never pretend to be your site unless they can also impersonate your cert. If the record expires, especially on a known date, it opens the door for hijack attempts.

Yes. But if the certificate is replaced in time, this does not happen, and on an e-commerce site this is mandatory, and the expiry time should be long. On an enthusiasts site like this one things are more relaxed, and certificates may be updated when somebody finds the time for that. (I would even go so far to leave it to the discretion of the user if they want to use https at all.)

There are two problems:
1. the average internet user gets more and more unaware, so we get more and more of this kind of half-bred security "features" stuck on (and most people will agree they are needed).
2. the https/cert/etc. scheme has no real means to distinguish between commerce sites (where security is mandatory) and enthusiast sites (where there is almost no risk of hijacking, but one might still want some encryption so that not everybody can read along).

Overall we have a dilemma: HTTP was not developed with security in mind. If we wanted a really good secure e-commerce environment, that should have been developed independently of HTTP and with security in mind right from the beginning. On the other hand the technology has now become so complex that people no longer have fun writing their own web page and instead hop onto Facebook which does the work for them.
 
The whole thing isn't really waterproof anyway: it requires that you have visited the site before,

Yeah I agree that's a big hole in HSTS, but then the Internet is unfortunately insecure by default and I don't think there's a simple way around that. (If HSTS was the best they could come up with I don't think anyone else has better ideas either)

Yes. But if the certificate is replaced in time, this does not happen

Is this referring back to having the web server configured to set HSTS expiry same as the certificate? If everyone gets a HSTS record that aligns with the expiry of the certificate then it's a perfect time to attack. Say I go to the website 10 days before expiry and get a 10 day HSTS record. Whether they replace their cert or not is irrelevant; if someone manages to hijack my connection when the original cert (and my HSTS record) expires**, but before I go back to that website and get a new cert + longer HSTS record, they can give me a HTTP copy of the website without my browser complaining. Ideally the HSTS records returned should continually be pushing the expiry long into the future. **(They could build up a network of hacked users, then just activate new DNS records for each site they want to target as the cert expiry time for that site comes up, hoping that they'll catch users in between the old HSTS record expiring and the user getting a new one)

Note also that the CAs are continually pushing for shorter cert expiry times so that new security features can be brought in - and broken or weak features removed - quicker. The current max for a commercial cert recently dropped to 2 years (think it's actually a few months over 2 years) and they may reduce it further in the future.
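A defender-side check for the three things this thread keeps coming back to (a certificate that expired unnoticed, a short HSTS max-age, and a max-age aligned with the certificate expiry as discussed in the two posts above). This is an added example, not code from the thread or from the FreeBSD forum; the dates, the 14-day warning threshold and the finding texts are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

MIN_HSTS_MAX_AGE = 365 * 24 * 3600   # thread: more than a year is expected for an A+ grade
RENEWAL_WARNING_DAYS = 14            # chosen alert threshold, not from the thread

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797); None if max-age is missing/malformed."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if m is None:
                return None
            policy["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def assess(not_after, hsts_header, now):
    """Findings for a certificate's notAfter (aware datetime) and the site's HSTS header."""
    findings = []
    days_left = (not_after - now).total_seconds() / 86400
    if days_left <= 0:
        findings.append("certificate expired: HSTS-pinned clients are locked out")
    elif days_left < RENEWAL_WARNING_DAYS:
        findings.append("certificate expires in %d days: renew now" % days_left)
    policy = parse_hsts(hsts_header) if hsts_header else None
    if policy is None:
        findings.append("no valid HSTS policy: plain-HTTP downgrade is possible")
        return findings
    if policy["max_age"] < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age %d s is below one year" % policy["max_age"])
    # The alignment the thread warns about: a record lapsing on the same day as the
    # certificate gives every visitor a predictable downgrade window.
    record_end = now + timedelta(seconds=policy["max_age"])
    if abs(record_end - not_after) < timedelta(days=1):
        findings.append("HSTS max-age aligned with certificate expiry: known lapse date")
    return findings

def demo():
    """Constructed scenario: header with a two-day max-age checked two days before notAfter."""
    now = datetime(2024, 1, 17, tzinfo=timezone.utc)        # constructed date
    not_after = datetime(2024, 1, 19, tzinfo=timezone.utc)  # constructed date
    return assess(not_after, "max-age=172800; includeSubDomains", now)
```

On a live site, notAfter comes from `openssl x509 -noout -enddate` on the served certificate and the header from `curl -sI https://<host>/`; run the check from cron so the expiry warning reaches a mailbox somebody actually reads.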
 
Oh, you haven't seen anything yet. I found this while doing some snooping 2-3 weeks ago and let SirDice know about it, but it's still active as of this posting so now seems like a good time to mention it.

[Screenshots attached: stories.png, stories2.png]

Look closely under "Technical Details" at who is using the Certificate for forums.freebsd.org and the Error code.

I guess it never hurts to have a backup plan in case the bottom falls out of the OS business. :)

Try it:

https://schoolgirlstories.com/tags/bhyve/page-3
 
Hmm looks like that site just points to the IP address of the forums. The forum IP points to HostVirtual, so maybe that site was hosted at the same place and used to have the forum's IP address a long time ago but is just defunct now?

Maybe the forum should reject requests for anything other than forums.freebsd.org.
 