
Connection not secure?

Xeddicus (Registered User)
Chrome (Version 66.0.3343.4) is choking on the forums not being secure all of a sudden ("Your connection is not private", NET::ERR_CERT_AUTHORITY_INVALID) and Firefox seems to agree, but just notes it in the info bar.

Anyone else seeing this? Started a few hours (or so) ago for me.


  • Echo (ski-bap ba-dap, Moderator)
    Sure it's not mixed content due to sigs/images?

  • Xeddicus (Registered User)
    Happens on the bookmark page, this page, main forum page, any page on the domain it seems (forums.penny-arcade.com). FF does say "parts" yeah, so it could be something specific I guess.

    The main site works fine, just the forums saying it.

  • Smasher (Starting to get dizzy, Registered User)
    While there is some mixed content (the images in the header for Penny Arcade/The Trenches/etc. are served via http), I'm seeing a valid certificate and secure connection on my end with Chrome 64, Windows 10. Look at the certificate by doing the following:

    - Open the Chrome dev tools with control + shift + I. This will pop open a new window.
    - At the top of the window there will be some tabs starting with "Elements", "Console", and "Sources". Open the "Security" tab.
    - In the middle of the pane you should see a section about the certificate. Mine says "Valid Certificate", though you'll probably see something else. There should be a View Certificate button; if so click it, which will open another small window.
    - For me the certificate information in the General tab is "Issued to: forums.penny-arcade.com", "Issued by: RapidSSL SHA256 CA - G3", and "Valid from 9/30/2015 to 10/3/2018". If you click the Certification Path tab I see "GeoTrust Global CA" -> "RapidSSL SHA256 CA - G3" -> "forums.penny-arcade.com".

    If you're accessing the forums from work, corporations often inspect https traffic by effectively performing a man-in-the-middle attack. Normally they install a certificate on your computer to make it trust the company certificate authority, but if you don't have that your computer won't recognize the presented certificate as valid.

  • Xeddicus (Registered User)
    edited February 2018
    In the security tab, as you expected, I get:
    This page is not secure (broken HTTPS).
    Certificate - missing
    This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID).
    

    But the certificate info all matches yours and it says it's OK.

    I'd suspect it's a bug in the dev version of Chrome, but Firefox stable 58.0.1 (that just updated when I checked it... now 58.0.2) says it's not secure either.

    This is a home connection.

    Edit: Workaround of adding the --ignore-certificate-errors flag solves the nag screen, but probably not the best idea to keep that there...

  • Smasher (Starting to get dizzy, Registered User)
    Do you have another computer or phone you can test with?

  • Xeddicus (Registered User)
    edited February 2018
    Phone is saying fine. Android 6.0.

    Fire tablet says it's fine too.

    Switching to Chrome stable removes the nag screen, but like Firefox notes it's unsecure, but it also says the certificate is OK right off, but mixed content.

  • Xeddicus (Registered User)
    Now on a totally different PC at a different location and same warning note so it seems I just never noticed the forums aren't secure and the newer versions of Chrome are more paranoid about security.

  • Hevach (Registered User)
    Xeddicus wrote:
    Now on a totally different PC at a different location and same warning note so it seems I just never noticed the forums aren't secure and the newer versions of Chrome are more paranoid about security.

    After trying a few different browsers, Edge seems to give the best explanation - the certificate is OK, but the connection is not encrypted.

    Which explains why Chrome in particular is having a hissy, since that's the particular new expectation Chrome 68 is supposed to impose.

  • LD50 (Registered User)
    So you guys are aware, the connection is encrypted. The error that you are seeing is because portions of the page (people's signatures, images linked from other domains, etc.) are not hosted by Vanilla, and are not covered by the certificate for the page (and thus are not encrypted). Nobody but you can read the webpage itself, but technically an attacker could see the externally hosted stuff (and potentially modify it).

    It seems like some of the page elements (the pa logo buttons at the top of the page) are hosted on the PA CDN and are triggering the warning.
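
Added example (not part of LD50's post or of the forum software): a small Python audit that lists the `http://` subresources an `https://` page references, which is the mixed-content condition described above. The sample HTML and all host names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Passive (display) subresources are loaded but downgrade the security
# indicator; active ones can rewrite the page, so browsers block them.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only fetches a subresource when it is a stylesheet.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name, value in attrs.items():
            kind = ("passive" if (tag, name) in PASSIVE
                    else "active" if (tag, name) in ACTIVE else None)
            if kind and value:
                url = urljoin(self.page_url, value)  # resolves // and relative URLs
                if urlsplit(url).scheme == "http":
                    self.findings.append((kind, tag, url))


def find_mixed_content(page_url, html):
    """Return the http:// subresources referenced by an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page; all hosts are placeholders.
SAMPLE = """
<link rel="stylesheet" href="/theme.css">
<link rel="canonical" href="http://forum.example/discussion/1">
<img src="http://cdn.example/header-logo.png">
<img src="//avatars.example/u1.png">
<a href="http://other.example/">plain link, not a subresource</a>
<div class="signature"><img src="http://sigs.example/banner.gif">
<script src="http://sigs.example/widget.js"></script></div>
"""

if __name__ == "__main__":
    for finding in find_mixed_content("https://forum.example/discussion/1", SAMPLE):
        print(*finding)
```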

  • P10 (An Idiot With Low IQ, Registered User)
    I'm having mixed content issues even for stuff that I believe is hosted by Vanilla - avatars hosted on *.v-cdn.net, which seems to have (or have had?) a security certificate when I look at cached images, are being blocked as insecure

    Shameful pursuits and utterly stupid opinions
  • P10 (An Idiot With Low IQ, Registered User)
    At least in my case this seems to be because Vanilla is using old GeoTrust/Symantec issued certificates (which new versions of browsers no longer recognize as valid) for the files they host on their CDN, while the forums themselves have been moved over to the new DigiCert issued certificates

    Shameful pursuits and utterly stupid opinions
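
Added example (not part of the thread): Chrome's published schedule stopped trusting Symantec-family certificates issued before 1 June 2016 in Chrome 66 and all remaining ones in Chrome 70. The Python check below applies that schedule to a certification path such as the one quoted earlier in the thread; the root list is a partial, illustrative assumption, the time of day and the second and third sample certificates are constructed, and Chrome's exemptions for specific subordinate CAs are not modelled.

```python
import ssl
from datetime import datetime, timezone

# Partial list of Symantec-family legacy roots (assumption: illustrative,
# not the browsers' complete list). "GeoTrust Global CA" is the root in
# the certification path quoted earlier in the thread.
LEGACY_ROOTS = {
    "GeoTrust Global CA",
    "GeoTrust Primary Certification Authority",
    "thawte Primary Root CA",
    "VeriSign Class 3 Public Primary Certification Authority - G5",
}
PHASE1_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)


def symantec_distrust(path, not_before, chrome_major):
    """path: certification path, root first, as the View Certificate dialog
    shows it. not_before: leaf 'Valid from' in ssl getpeercert() format."""
    # Decide on the root, not on brand names: DigiCert later issued
    # intermediates that still carry the RapidSSL/GeoTrust brands.
    if path[0] not in LEGACY_ROOTS:
        return "not-affected"
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_before), tz=timezone.utc)
    if chrome_major >= 70:
        return "distrusted"
    if chrome_major >= 66 and issued < PHASE1_CUTOFF:
        return "distrusted"
    return "distrust-pending"


# Path and issue date as quoted in the thread (time of day constructed).
FORUM_PATH = ["GeoTrust Global CA", "RapidSSL SHA256 CA - G3",
              "forums.penny-arcade.com"]
FORUM_ISSUED = "Sep 30 00:00:00 2015 GMT"
# Constructed samples: a later certificate under the same legacy root,
# and a reissued certificate chaining to a DigiCert root.
LATER_ISSUED = "Mar 15 00:00:00 2017 GMT"
REISSUED_PATH = ["DigiCert Global Root CA", "RapidSSL RSA CA 2018",
                 "forum.example"]

if __name__ == "__main__":
    for major in (64, 66, 70):
        print(major, symantec_distrust(FORUM_PATH, FORUM_ISSUED, major))
```

Run against the path quoted in the thread, the verdict differs between Chrome 64 and Chrome 66 for the same certificate.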