Bitcoin Forum
November 20, 2018, 08:59:59 PM *
News: Latest Bitcoin Core release: 0.17.0 [Torrent].
 
Author Topic: beta.bitcointalk.org TLS misconfiguration  (Read 333 times)
nullius
Copper Member
Full Member

Activity: 168
Merit: 764


Help! I’ve got the Pleurodelinaemia! @nym.zone


December 03, 2017, 09:30:32 PM
 #1

When trying to access https://beta.bitcointalk.org/, I get the following error:

Quote
beta.bitcointalk.org uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.

Error code: SEC_ERROR_UNKNOWN_ISSUER

That is with current Tor Browser, and whatever roots it bundles (mostly (?) inherited from Firefox).  As observed through multiple different Tor circuits over a period of several hours, the same certificate presents with the following properties.  I would guess that its chain is not properly configured on the webserver.

Quote
SHA-256 Fingerprint:
B9:C3:72:FE:A8:82:A1:C2:9D:A0:E3:A0:43:16:82:CC:29:2A:4A:EA:C7:9F:35:74:A0:C9:6B:63:F7:B5:3F:AD

Serial: 52:21:72:CD:C8:F4:6E:17:BC:66:A0:17:89:4E:DD:E0
CN: beta.bitcointalk.org

Issuer CN: COMODO RSA Domain Validation Secure Server CA
Issuer O: COMODO CA Limited

Validity Begins: 2017-06-25
Validity Ends: 2018-06-27

N.b. also, epochtalk.org apparently does not have TLS at all.  Failure to connect; port 443 not listening?

Wangbus
Staff
Member

Activity: 110
Merit: 11

Principal at Slickage


December 05, 2017, 12:34:37 AM
 #2

Thanks for pointing this out. We will have this fixed in the near future. As for epochtalk.org, this is actually static content so there is no need for SSL at the moment.
nullius
Copper Member
Full Member

Activity: 168
Merit: 764


Help! I’ve got the Pleurodelinaemia! @nym.zone


December 05, 2017, 01:22:02 AM
 #3

Quote
Thanks for pointing this out. We will have this fixed in the near future.

Thanks for your attention to security!  I will look forward to checking out the beta site.

Is this reported at all in other browsers, or are Bitcoin users (who should know better) clicking through browser warnings as they never, never, ever should?  I’m guessing that at least all Firefox users get the same warning.  I guess also I could fiddle with s_client and figure out what the problem actually is...

Quote
As for epochtalk.org, this is actually static content so there is no need for SSL at the moment.

Hey, it’s a cypherpunk thing!  (grin)  Encrypt the whole Internet.  A free certificate from letsencrypt.org, a few minutes twiddling the webserver, use public-key crypto to control your personal fortune...  It all fits together, no matter whether a site is static or not.  N.b. that injected Javascript can harm users, even on static sites.  In the wild:  NSA does it, some ISPs do it, and skiddies with firesheep on the wifi do it, too.  TLS is needed on every site.
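
The OP's diagnosis (the server not sending its intermediate, so the browser sees an unknown issuer) and the s_client idea above can both be checked offline. The following script is an added example, not code from the thread or from the forum's operators: it builds a constructed root, intermediate and leaf with the `openssl` command-line tool (assumed installed; `beta.forum.test` and the CA names are placeholders) and models browser validation with `openssl verify`, first against a leaf-only chain and then against leaf plus intermediate.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf
# PKI and show that a server which sends only its leaf certificate fails validation
# the way the OP describes (issuer unknown), while leaf + intermediate passes.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed extension profiles: CA certs may sign; the leaf may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:beta.forum.test\n' > leaf.ext

# Root CA: stands in for a trust anchor bundled with the browser.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Test Root' \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out root.crt 2>/dev/null

# Intermediate CA: issued by the root; browsers do not ship it, the server must send it.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Test Intermediate CA' \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
  -extfile ca.ext -out int.crt 2>/dev/null

# Leaf for a placeholder hostname, issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=beta.forum.test' \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -days 30 \
  -extfile leaf.ext -out leaf.crt 2>/dev/null

# Model of browser validation: only the root store (-CAfile) is trusted; the PEM
# bundle the server sent (-untrusted) may only help build the path. Exit 0 = trusted.
browser_validates() {   # $1 = file holding exactly what the server sends
  openssl verify -CAfile root.crt -untrusted "$1" leaf.crt >/dev/null 2>&1
}

cp leaf.crt served_broken.pem             # misconfigured server: leaf only
cat leaf.crt int.crt > served_fixed.pem   # fixed: leaf first, then its intermediate

if browser_validates served_broken.pem; then
  echo "unexpected: leaf-only chain verified"; exit 1
else
  echo "leaf only           -> issuer unknown (what the OP's browser reports)"
fi
if browser_validates served_fixed.pem; then
  echo "leaf + intermediate -> chain verified"
else
  echo "unexpected: full chain rejected"; exit 1
fi
# served_fixed.pem is the form to point the webserver at (nginx ssl_certificate,
# Apache SSLCertificateFile). Against a live host, the equivalent probe is:
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
```

With `-showcerts`, a server that is correctly configured prints the intermediate after the leaf; one that prints only the leaf is exactly the case served_broken.pem reproduces.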

Wangbus
Staff
Member

Activity: 110
Merit: 11

Principal at Slickage


December 06, 2017, 12:54:37 AM
 #4

Absolutely right. I will give an update on the next deployment update.

Quote
Thanks for pointing this out. We will have this fixed in the near future.

Thanks for your attention to security!  I will look forward to checking out the beta site.

Is this reported at all in other browsers, or are Bitcoin users (who should know better) clicking through browser warnings as they never, never, ever should?  I’m guessing that at least all Firefox users get the same warning.  I guess also I could fiddle with s_client and figure out what the problem actually is...

As for epochtalk.org, this is actually static content so there is no need for SSL at the moment.

Hey, it’s a cypherpunk thing!  (grin)  Encrypt the whole Internet.  A free certificate from letsencrypt.org, a few minutes twiddling the webserver, use public-key crypto to control your personal fortune...  It all fits together, no matter whether a site is static or not.  N.b. that injected Javascript can harm users, even on static sites.  In the wild:  NSA does it, some ISPs do it, and skiddies with firesheep on the wifi do it, too.  TLS is needed on every site.
nullius
Copper Member
Full Member

Activity: 168
Merit: 764


Help! I’ve got the Pleurodelinaemia! @nym.zone


December 06, 2017, 01:38:47 AM
 #5

Quote
Absolutely right. I will give an update on the next deployment update.

I look forward to that!  Cheers.

MainIbem
Sr. Member

Activity: 546
Merit: 258



December 06, 2017, 05:14:12 PM
 #6

Quote
When trying to access https://beta.bitcointalk.org/, I get the following error:

Quote
beta.bitcointalk.org uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.

Error code: SEC_ERROR_UNKNOWN_ISSUER

That is with current Tor Browser, and whatever roots it bundles (mostly (?) inherited from Firefox).  As observed through multiple different Tor circuits over a period of several hours, the same certificate presents with the following properties.  I would guess that its chain is not properly configured on the webserver.

Quote
SHA-256 Fingerprint:
B9:C3:72:FE:A8:82:A1:C2:9D:A0:E3:A0:43:16:82:CC:29:2A:4A:EA:C7:9F:35:74:A0:C9:6B:63:F7:B5:3F:AD

Serial: 52:21:72:CD:C8:F4:6E:17:BC:66:A0:17:89:4E:DD:E0
CN: beta.bitcointalk.org

Issuer CN: COMODO RSA Domain Validation Secure Server CA
Issuer O: COMODO CA Limited

Validity Begins: 2017-06-25
Validity Ends: 2018-06-27

N.b. also, epochtalk.org apparently does not have TLS at all.  Failure to connect; port 443 not listening?

So many persons are complaining of similar errors. I am yet to understand this beta.bitcointalk.org. Is it a new version of the bitcointalk? When will it take effect?
nullius
Copper Member
Full Member

Activity: 168
Merit: 764


Help! I’ve got the Pleurodelinaemia! @nym.zone


February 07, 2018, 03:14:51 AM
 #7

Quote
Thanks for pointing this out. We will have this fixed in the near future.

Thanks for your attention to security!  I will look forward to checking out the beta site.

Over two months later, I am still receiving exactly the same error as described in my OP.  The certificate SHA-256 fingerprint is the same.  Apparently, nothing changed.

I was waiting for this to be fixed; and then...  I hadn’t tried it in a while.  It occurred to me that I should give it a spin, and test to make sure that the new forum software will be functionally usable with Javascript disabled.

But I still can’t even get in without blindly clicking through the very same warnings as I lecture newbies to never, ever, ever click through.  How are people testing this?  I can’t be the only one hitting this problem.  Are people with similar browsers just clicking through the warnings?


Quote
So many persons are complaining of similar errors.

...as I was saying.  So, what are all these people doing?  Clicking through the scary warning which is scary for a reason, or just not testing?  Is the new software being substantially tested only by people who happen to use the same browser as the Slickage devs?  For the record, my browser (Tor Browser) is essentially Firefox (currently 52 ESR) with some anonymity stuff bolted on.  Firefox is a browser with significant market share.
