Allegro.cc - Online Community

HTTPS is broken
Eric Johnson
Member #14,841
January 2013
avatar

I'm seeing invalid certificate warnings all across allegro.cc. Anyone else?

MiquelFire
Member #3,110
January 2003
avatar

The old cert expired. So Matt needs to update it.

---
Febreze (and other air fresheners actually) is just below perfumes/colognes, and that's just below dead skunks in terms of smells that offend my nose.
MiquelFire.red | +Me
If it doesn't resolve the issue, we'll evaluate whether the latest round of anti-speculative-execution patches we've had to apply could somehow be responsible. (The performance impact of this fix is estimated to be just a couple of percent, but a banana on a football field isn't even that much and yet woe unto the quarterback who steps on it.) Gonna have to start looking at AMD CPUs. ~Owner of Nearly Free Speech.net

NiteHackr
Member #2,229
April 2002

Yup, got that as well, added an exception.

--
Deluxe Pacman 1 & 2 (free) with source code available
https://nitehackr.github.io/games_index.html

Chris Katko
Member #1,881
January 2002
avatar

I fixed it. Try now.

[edit] Seriously though, that Chrome warning is annoying as hell. >:(

[edit] You can start Chrome and disable that flag by adding

--ignore-certificate-errors

to the command line.

Of course, that affects other sites. But my company's SSL cert has been broken forever so I might do it anyway.

I imagine it'll still show the warning icon, just not the nag page.

-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin

type568
Member #8,381
March 2007
avatar

But what if the Russians hack A.cc now, we'll never know with a broken cert! :(

OICW
Member #4,069
November 2003
avatar

type568 said:

But what if the Russians hack A.cc now, we'll never know with a broken cert! :(

We'll get plenty of Monday threads that will drive us crazy ;D

[My website][CppReference][Pixelate][Allegators worldwide][Who's online]
"Final Fantasy XIV, I feel that anything I could say will be repeating myself, so I'm just gonna express my feelings with a strangled noise from the back of my throat. Graaarghhhh..." - Yahtzee
"Uhm... this is a.cc. Did you honestly think this thread WOULDN'T be derailed and ruined?" - BAF
"You can discuss it, you can dislike it, you can disagree with it, but that's all what you can do with it"

dthompson
Member #5,749
April 2005
avatar

We might have a while to wait if Matthew says he'll check back next year - I think LetsEncrypt certs only last 3 or 4 months :P

Has anyone managed to get in touch with him?

______________________________________________________
This is my website and this is not.
This isn't a game!

NiteHackr
Member #2,229
April 2002

I think the Russians kidnapped Matthew! :o

--
Deluxe Pacman 1 & 2 (free) with source code available
https://nitehackr.github.io/games_index.html

bamccaig
Member #7,536
July 2006
avatar

I've heard he's "away" for the moment so sit tight. It might be a week or two. For all intents and purposes, the only thing we need the encryption for is login and identity.

I recommend against logging in using an A.cc account while the certificate is buggered, but otherwise it doesn't really impact us in a huge way. In theory, a man in the middle could hijack your session and post as you, or steal your A.cc account, but that doesn't accomplish much so I doubt anybody would.

I think that if you login with Google or another provider it won't be sending any passwords in plaintext so at least you won't be exposing any passwords (whereas logging directly into A.cc might). If you're already logged in to A.cc you are probably OK as long as your session doesn't expire. Again, worst case somebody hijacks your account.

NiteHackr
Member #2,229
April 2002

So if you see any posts from me you don't like, know that it wasn't me, it was Russians hacking my A.cc account.

--
Deluxe Pacman 1 & 2 (free) with source code available
https://nitehackr.github.io/games_index.html

dthompson
Member #5,749
April 2005
avatar

Neil Roy said:

So if you see any posts from me you don't like, know that it wasn't me, it was Russians hacking my A.cc account.

Coincidentally, this also applies to my noobish posts here back in the mid-00s. Entirely the fault of the Russians. You have no proof otherwise

______________________________________________________
This is my website and this is not.
This isn't a game!

Rodolfo Lam
Member #16,045
August 2015

So... shall I add a permanent exception for this site's certificate in Firefox now? What could go wrong if I do it?

bamccaig
Member #7,536
July 2006
avatar

I already described the consequences. In theory, the connection is still secure (I hope), but the certificate is no longer valid. This might make it possible for a man-in-the-middle attack, which means your account could be hijacked (session cookies stolen, but if ML is checking IP that might not even be feasible for an existing session). If you login anew then it's possible your password could be revealed in plaintext to a man-in-the-middle. These are both probably unlikely to occur, but should be taken seriously anyway. Consider this practice for when your online bank does this. :) I'm honestly not too sure of the difference between checking the "permanent" exception checkbox and not. In my experience, the connection is typically permitted afterward either way. I'm not sure if the non-permanent one expires after some time, but that would be my hope (I've always assumed it was a broken feature in Firefox).

Aaron Bolyard
Member #7,537
July 2006
avatar

Someone would still need to obtain the private key which is Very Hard(tm).

One of the reasons for certificates to expire is so if the private key is obtained it becomes useless after some time. Kind of like why some IT admins make you change your password every month or whatever.

---
ItsyRealm, a quirky 2D/3D RPG where you fight, skill, and explore in a medieval world with horrors unimaginable.

bamccaig
Member #7,536
July 2006
avatar

The concerning thing is that the phrasing of one of the browser's error messages (possibly Firefox, I'm not sure anymore) made it sound like because the certificate was no longer trusted it wasn't even used. I.e., the connection was made without encryption. I'd really like to think that was just a UI bug, and ultimately the connection was secure. Why would it not be? Using compromised encryption is no worse than plaintext. But the point is that the UI didn't explicitly communicate that yes, this connection is still being encrypted, despite the certificate not being trusted... That's a bug. There's a distinct difference between an untrusted certificate and no TLS/SSL at all.

Append:

On that same token, the cause for the distrust was not made clear. In the past, I think it used to be much more clear. Instead, it was almost like facts about the certificate were not even revealed because it wasn't trusted.

Which is well and good. Untrusted certificate, you can't be sure that the connection is secure. However, if the facts about the certificate and failure are hidden then a man-in-the-middle could intercept, fail certificate verification, and appear the same as the legit site. An expired certificate should be loudly proclaimed by the browser, but it should not be as loud as no encryption at all or a completely unverified certificate.
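The distinction drawn above (an expired certificate versus an untrusted issuer, a hostname mismatch, or no TLS at all) is exactly what a monitoring check should report separately. The following is an added example, not code from anyone in this thread: it uses Python's standard `ssl` module, whose `SSLCertVerificationError.verify_code` carries the OpenSSL X509_V_ERR code, and `ssl.cert_time_to_seconds` to turn a certificate's `notAfter` into a days-left figure so an expiry can be caught before the browser warnings start.

```python
import ssl
import socket
import time

# OpenSSL X509_V_ERR codes as surfaced in ssl.SSLCertVerificationError.verify_code
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
X509_V_ERR_HOSTNAME_MISMATCH = 62


def classify_verify_code(code):
    """Map a verification failure to the cases the thread says browsers blur.
    'expired' is the allegro.cc situation: chain and hostname still check out,
    only the validity period has lapsed."""
    if code == X509_V_ERR_CERT_HAS_EXPIRED:
        return "expired"
    if code in (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
                X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY):
        return "untrusted-issuer"
    if code == X509_V_ERR_HOSTNAME_MISMATCH:
        return "hostname-mismatch"
    return "other-verify-failure"


def days_until_expiry(not_after, now=None):
    """not_after is the 'notAfter' string from getpeercert(), e.g.
    'Jan  5 09:34:43 2018 GMT'. A negative result means already expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0


def probe(host, port=443, timeout=5.0):
    """Connect with full verification and report either days left or why it failed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"status": "valid",
                        "days_left": days_until_expiry(cert["notAfter"])}
    except ssl.SSLCertVerificationError as e:
        return {"status": classify_verify_code(getattr(e, "verify_code", None)),
                "detail": getattr(e, "verify_message", str(e))}
    except ssl.SSLError as e:
        # Handshake failed before verification, e.g. a plaintext server on the port
        return {"status": "no-tls", "detail": str(e)}
    except OSError as e:
        return {"status": "unreachable", "detail": str(e)}


if __name__ == "__main__":
    print(probe("www.allegro.cc"))
```

Run from cron against the sites you care about and alert when `days_left` drops below the renewal window, or when the status is anything other than `valid`.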

OICW
Member #4,069
November 2003
avatar

Oh, come on, who would seriously try a MITM attack on such a niche site like this ;)

[My website][CppReference][Pixelate][Allegators worldwide][Who's online]
"Final Fantasy XIV, I feel that anything I could say will be repeating myself, so I'm just gonna express my feelings with a strangled noise from the back of my throat. Graaarghhhh..." - Yahtzee
"Uhm... this is a.cc. Did you honestly think this thread WOULDN'T be derailed and ruined?" - BAF
"You can discuss it, you can dislike it, you can disagree with it, but that's all what you can do with it"

Chris Katko
Member #1,881
January 2002
avatar

MITM, maybe not. But side trivia: I can definitely attest that EVERY PUBLIC IP and port is regularly port-scanned and if anything replies, it is attacked (even on non-standard ports like RDP on a port other than 3389).

-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin

bamccaig
Member #7,536
July 2006
avatar

Oh man, it's amusing to view the logs for a brand new Linux server instance. There is instantly just attack attempt after attack attempt. Basically, every address on the Internet must be getting constantly assaulted, and the only thing that keeps them back are firewalls and strong passwords/secure software.

Chris Katko
Member #1,881
January 2002
avatar

bamccaig said:

firewalls and strong passwords/secure software.

Absolutely! Basically anything that's not brand new and has open ports... is pwned. [edit] SQL on any port? Pwned. RDP on any port? Pwned. Even with strong passwords, you'll see non-stop password attempts in your logs. And there's no guarantee they won't use an exploit and go "around" the password. [/edit]

I'd love to figure out how they do portals and combine that. So like, you go through a certain port, tell that port (over SSL) your credentials, and THEN attempt to login through a specific port. And the server would only accept incoming requests on ports from known IP addresses, after being verified on the "gateway/portal" IP.

But how could you integrate that with other programs? Easy to make yourself but random program X, automatically making a request to the right portal.

... Maybe a virtual net driver could do it automatically? That, or I guess requiring to connect through a VPN first would count. And the VPN wouldn't actually get you "inside" the network like a traditional VPN. It would just get you to the main "external" services.

-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin

Edgar Reynaldo
Member #8,592
May 2007
avatar

This sucks for Chrome on Android. I have to go to Advanced -> proceed to allegro.cc (unsafe) on every single page I visit. :PPPP

bamccaig
Member #7,536
July 2006
avatar

I can't stand to browse the Web on a phone. I'll do it rarely if I'm desperate, but it's a miracle that I haven't thrown my phone across the room doing it. I don't know how people do it. Especially IT people.

Edgar Reynaldo
Member #8,592
May 2007
avatar

bamccaig
Member #7,536
July 2006
avatar

Edgar Reynaldo
Member #8,592
May 2007
avatar

https://www.allegro.cc/forums/thread/617459/1037960#target

https://d1cxvcw9gjxu2x.cloudfront.net/attachments/611584


bamccaig
Member #7,536
July 2006
avatar

XML looks broken, but the embedded version seems normal, as do the links. Unless maybe the links should not be scaled?
