Author Topic: beta.bitcointalk.org TLS misconfiguration  (Read 421 times)
nullius (OP)
December 03, 2017, 09:30:32 PM
 #1

When trying to access https://beta.bitcointalk.org/, I get the following error:

Quote
beta.bitcointalk.org uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.

Error code: SEC_ERROR_UNKNOWN_ISSUER

That is with current Tor Browser, and whatever roots it bundles (mostly (?) inherited from Firefox).  As observed through multiple different Tor circuits over a period of several hours, the same certificate presents with the following properties.  I would guess that its chain is not properly configured on the webserver.

Quote
SHA-256 Fingerprint:
B9:C3:72:FE:A8:82:A1:C2:9D:A0:E3:A0:43:16:82:CC:29:2A:4A:EA:C7:9F:35:74:A0:C9:6B:63:F7:B5:3F:AD

Serial: 52:21:72:CD:C8:F4:6E:17:BC:66:A0:17:89:4E:DD:E0
CN: beta.bitcointalk.org

Issuer CN: COMODO RSA Domain Validation Secure Server CA
Issuer O: COMODO CA Limited

Validity Begins: 2017-06-25
Validity Ends: 2018-06-27

N.b. also, epochtalk.org apparently does not have TLS at all.  Failure to connect; port 443 not listening?

Wangbus
December 05, 2017, 12:34:37 AM
 #2

Thanks for pointing this out. We will have this fixed in the near future. As for epochtalk.org, this is actually static content so there is no need for SSL at the moment.
nullius (OP)
December 05, 2017, 01:22:02 AM
 #3

Quote
Thanks for pointing this out. We will have this fixed in the near future.

Thanks for your attention to security!  I will look forward to checking out the beta site.

Is this reported at all in other browsers, or are Bitcoin users (who should know better) clicking through browser warnings as they never, never, ever should?  I’m guessing that at least all Firefox users get the same warning.  I guess also I could fiddle with s_client and figure out what the problem actually is...

Quote
As for epochtalk.org, this is actually static content so there is no need for SSL at the moment.

Hey, it’s a cypherpunk thing!  (grin)  Encrypt the whole Internet.  A free certificate from letsencrypt.org, a few minutes twiddling the webserver, use public-key crypto to control your personal fortune...  It all fits together, no matter whether a site is static or not.  N.b. that injected JavaScript can harm users, even on static sites.  In the wild:  NSA does it, some ISPs do it, and skiddies with firesheep on the wifi do it, too.  TLS is needed on every site.
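
An added example, not part of any post in this thread: the s_client check mentioned above, reduced to a shell function that reads `openssl s_client -showcerts` output and reports whether the server sent only its leaf certificate. The function name, verdict words and both sample transcripts are constructed for illustration; the subject and issuer names are those quoted in the opening post, and the root name is a placeholder.

```shell
#!/bin/sh
# Added example. Classifies the "Certificate chain" summary that
# `openssl s_client -showcerts` prints. Reads that output on stdin.
chain_status() {
  awk '
    # " 0 s:<subject DN>" opens the entry for certificate N.
    /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    # "   i:<issuer DN>" is the issuer of that same certificate.
    /^ +i:/ { sub(/^ +i:/, ""); iss[n] = $0; next }
    END {
      if (n == 0) { print "no-chain"; exit }
      # Every certificate must be issued by the next one the server sent.
      for (k = 1; k < n; k++)
        if (iss[k] != subj[k + 1]) { print "broken-link"; exit }
      # A lone leaf that is not self-signed: no intermediate was sent.
      if (n == 1 && iss[1] != subj[1]) { print "leaf-only"; exit }
      print "linked"
    }'
}

# Constructed sample (not a capture): the server sends the leaf only.
sample_leaf_only() {
  cat <<'EOF'
Certificate chain
 0 s:/CN=beta.bitcointalk.org
   i:/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
EOF
}

# Constructed sample: the same leaf followed by its issuing CA certificate.
sample_with_intermediate() {
  cat <<'EOF'
Certificate chain
 0 s:/CN=beta.bitcointalk.org
   i:/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/CN=PLACEHOLDER ROOT CA
---
EOF
}

# Against a live server (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null | chain_status
sample_leaf_only | chain_status
sample_with_intermediate | chain_status
```

A `leaf-only` verdict means the certificate file configured on the webserver should hold the leaf followed by the CA's intermediate certificate(s). A `linked` verdict only shows that the sent certificates chain to each other; the last issuer still has to be in the client's trust store.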

Wangbus
December 06, 2017, 12:54:37 AM
 #4

Absolutely right. I will give an update on the next deployment update.

nullius (OP)
December 06, 2017, 01:38:47 AM
 #5

Quote
Absolutely right. I will give an update on the next deployment update.

I look forward to that!  Cheers.

MainIbem
December 06, 2017, 05:14:12 PM
 #6

So many persons are complaining of similar errors. I am yet to understand this beta.bitcointalk.org. Is it a new version of the bitcointalk? When will it take effect?

nullius (OP)
February 07, 2018, 03:14:51 AM
 #7

Quote
Thanks for pointing this out. We will have this fixed in the near future.

Quote
Thanks for your attention to security!  I will look forward to checking out the beta site.

Over two months later, I am still receiving exactly the same error as described in my OP.  The certificate SHA-256 fingerprint is the same.  Apparently, nothing changed.

I was waiting for this to be fixed; and then...  I hadn’t tried it in a while.  It occurred to me that I should give it a spin, and test to make sure that the new forum software will be functionally usable with JavaScript disabled.

But I still can’t even get in without blindly clicking through the very same warnings as I lecture newbies to never, ever, ever click through.  How are people testing this?  I can’t be the only one hitting this problem.  Are people with similar browsers just clicking through the warnings?


Quote
So many persons are complaining of similar errors.

...as I was saying.  So, what are all these people doing?  Clicking through the scary warning which is scary for a reason, or just not testing?  Is the new software being substantially tested only by people who happen to use the same browser as the Slickage devs?  For the record, my browser (Tor Browser) is essentially Firefox (currently 52 ESR) with some anonymity stuff bolted on.  Firefox is a browser with significant market share.
