HTTPS is broken
Eric Johnson
Member #14,841
January 2013
|
I'm seeing invalid certificate warnings all across allegro.cc. Anyone else?
|
MiquelFire
Member #3,110
January 2003
|
The old cert expired. So Matt needs to update it.
Neil Roy
Member #2,229
April 2002
|
Yup, got that as well, added an exception.
Chris Katko
Member #1,881
January 2002
|
I fixed it. Try now.

[edit] Seriously though, that Chrome warning is annoying as hell.

[edit] You can start Chrome and disable that flag by adding --ignore-certificate-errors to the command line. Of course, that affects other sites. But my company's SSL cert has been broken forever so I might do it anyway. I imagine it'll still show the warning icon, just not the nag page.
type568
Member #8,381
March 2007
|
But what if the Russians hack A.cc now, we'll never know with a broken cert!
|
OICW
Member #4,069
November 2003
|
type568 said: But what if the Russians hack A.cc now, we'll never know with a broken cert!

We'll get plenty of Monday threads that will drive us crazy.

[My website][CppReference][Pixelate][Allegators worldwide][Who's online]
dthompson
Member #5,749
April 2005
|
We might have a while to wait if Matthew says he'll check back next year - I think LetsEncrypt certs only last 3 or 4 months. Has anyone managed to get in touch with him?
Neil Roy
Member #2,229
April 2002
|
I think the Russians kidnapped Matthew!
bamccaig
Member #7,536
July 2006
|
I've heard he's "away" for the moment so sit tight. It might be a week or two.

For all intents and purposes, the only thing we need the encryption for is login and identity. I recommend against logging in using an A.cc account while the certificate is buggered, but otherwise it doesn't really impact us in a huge way. In theory, a man in the middle could hijack your session and post as you, or steal your A.cc account, but that doesn't accomplish much so I doubt anybody would. I think that if you login with Google or another provider it won't be sending any passwords in plaintext so at least you won't be exposing any passwords (whereas logging directly into A.cc might). If you're already logged in to A.cc you are probably OK as long as your session doesn't expire. Again, worst case somebody hijacks your account.

-- acc.js | al4anim - Allegro 4 Animation library | Allegro 5 VS/NuGet Guide | Allegro.cc Mockup | Allegro.cc <code> Tag | Allegro 4 Timer Example (w/ Semaphores) | Allegro 5 "Winpkg" (MSVC readme) | Bambot | Blog | C++ STL Container Flowchart | Castopulence Software | Check Return Values | Derail? | Is This A Discussion? Flow Chart | Filesystem Hierarchy Standard | Clean Code Talks - Global State and Singletons | How To Use Header Files | GNU/Linux (Debian, Fedora, Gentoo) | rot (rot13, rot47, rotN) | Streaming
Neil Roy
Member #2,229
April 2002
|
So if you see any posts from me you don't like, know that it wasn't me, it was Russians hacking my A.cc account.
dthompson
Member #5,749
April 2005
|
Neil Roy said: So if you see any posts from me you don't like, know that it wasn't me, it was Russians hacking my A.cc account.

Coincidentally, this also applies to my noobish posts here back in the mid-00s. Entirely the fault of the Russians. You have no proof otherwise.
Rodolfo Lam
Member #16,045
August 2015
|
So... shall I add a permanent exception for this site's certificate in Firefox now? What could go wrong if I do it?
|
bamccaig
Member #7,536
July 2006
|
I already described the consequences. In theory, the connection is still secure (I hope), but the certificate is no longer valid. This might make it possible for a man in the middle attack, which means your account could be hijacked (session cookies stolen, but if ML is checking IP that might not even be feasible for an existing session). If you login anew then it's possible your password could be revealed in plaintext to a man-in-the-middle. These are both probably unlikely to occur, but should be taken seriously anyway. Consider this practice for when your online bank does this.

I'm honestly not too sure of the difference between checking the "permanent" exception checkbox and not. In my experience, the connection is typically permitted afterward either way. I'm not sure if the non-permanent one expires after some time, but that would be my hope (I've always assumed it was a broken feature in Firefox).
Erin Maus
Member #7,537
July 2006
|
Someone would still need to obtain the private key which is Very Hard(tm). One of the reasons for certificates to expire is so if the private key is obtained it becomes useless after some time. Kind of like why some IT admins make you change your password every month or whatever.
bamccaig
Member #7,536
July 2006
|
The concerning thing is that the phrasing of one of the browser's error messages (possibly Firefox, I'm not sure anymore) made it sound like because the certificate was no longer trusted it wasn't even used. I.e., the connection was made without encryption. I'd really like to think that was just a UI bug, and ultimately the connection was secure. Why would it not be? Using compromised encryption is no worse than plaintext. But the point is that the UI didn't explicitly communicate that yes, this connection is still being encrypted, despite the certificate not being trusted... That's a bug. There's a distinct difference between an untrusted certificate and no TLS/SSL at all.

Append: On that same token, the cause for the distrust was not made clear. In the past, I think it used to be much more clear. Instead, it was almost like facts about the certificate were not even revealed because it wasn't trusted. Which is well and good. Untrusted certificate, you can't be sure that the connection is secure. However, if the facts about the certificate and failure are hidden then a man-in-the-middle could intercept, fail certificate verification, and appear the same as the legit site. An expired certificate should be loudly proclaimed by the browser, but it should not be as loud as no encryption at all or a completely unverified certificate.
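The distinction bamccaig draws above (an expired certificate whose name and chain are otherwise fine versus a certificate that cannot be trusted at all) is exactly what a client should surface instead of hiding the facts. The following Python is an added example, not code from the thread or from allegro.cc: it uses only the standard `ssl` module, classifies a peer certificate dictionary in the shape `getpeercert()` returns, and maps OpenSSL's verify result codes to readable labels so an operator can tell "expired" from "wrong name" or "unknown issuer". The sample certificate, its dates and the timestamps are constructed for the example; the verify-code table lists OpenSSL's standard X509 codes.

```python
"""Added example (not from the thread): report *why* a TLS certificate is
distrusted, separating "expired but otherwise matching" from "wrong name"
or "no trust path at all". Standard library only."""
import socket
import ssl

# OpenSSL X509 verify result codes as exposed by ssl.SSLCertVerificationError.verify_code
VERIFY_CODE_LABELS = {
    10: "EXPIRED",               # X509_V_ERR_CERT_HAS_EXPIRED
    18: "SELF_SIGNED",           # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    19: "SELF_SIGNED_IN_CHAIN",  # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
    20: "UNKNOWN_ISSUER",        # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    62: "NAME_MISMATCH",         # X509_V_ERR_HOSTNAME_MISMATCH
}

# Constructed sample in the shape of SSLSocket.getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "allegro.cc"),),),
    "subjectAltName": (("DNS", "allegro.cc"), ("DNS", "*.allegro.cc")),
    "notBefore": "Jan 01 00:00:00 2019 GMT",
    "notAfter": "Apr 01 00:00:00 2019 GMT",
}
T_VALID = ssl.cert_time_to_seconds("Feb 01 00:00:00 2019 GMT")    # inside validity
T_EXPIRED = ssl.cert_time_to_seconds("Jun 01 00:00:00 2019 GMT")  # after notAfter
T_EARLY = ssl.cert_time_to_seconds("Dec 01 00:00:00 2018 GMT")    # before notBefore


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match an exact DNS name or a single-label wildcard such as *.example.org."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.org"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return False


def classify_cert(cert: dict, hostname: str, now: float) -> str:
    """Return "OK", "NAME_MISMATCH", "NOT_YET_VALID" or "EXPIRED".

    Name is checked first: an expired certificate for the *right* name is a
    different (milder) finding than a certificate for some other name."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(n, hostname) for n in names):
        return "NAME_MISMATCH"
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "NOT_YET_VALID"
    if now > not_after:
        return "EXPIRED"
    return "OK"


def probe(hostname: str, port: int = 443, timeout: float = 5.0):
    """Connect with full verification enabled and report the outcome.

    Returns ("OK", cert) on success, or (label, openssl_message) when the
    handshake fails verification. The session was still encrypted in the
    failing case; what is lost is assurance about *who* the peer is."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return "OK", tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        label = VERIFY_CODE_LABELS.get(e.verify_code, f"VERIFY_ERROR_{e.verify_code}")
        return label, e.verify_message


if __name__ == "__main__":
    for label, t in (("valid", T_VALID), ("expired", T_EXPIRED), ("early", T_EARLY)):
        print(label, classify_cert(SAMPLE_CERT, "www.allegro.cc", t))
    print("other name", classify_cert(SAMPLE_CERT, "example.org", T_VALID))
```

`probe()` needs network access and is not exercised offline; `classify_cert()` is what you would run over a certificate you have already fetched, or over the dictionary from a successful handshake, to produce the kind of explicit status the post asks the browser for.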
OICW
Member #4,069
November 2003
|
Oh, come on, who would seriously try a MITM attack on such a niche site like this?
Chris Katko
Member #1,881
January 2002
|
MITM, maybe not. But side trivia: I can definitely attest that EVERY PUBLIC IP and port is regularly port-scanned and if anything replies, it is attacked (even on non-standard ports like RDP on a port other than 3389).
bamccaig
Member #7,536
July 2006
|
Oh man, it's amusing to view the logs for a brand new Linux server instance. There is instantly just attack attempt after attack attempt. Basically, every address on the Internet must be getting constantly assaulted, and the only thing that keeps them back are firewalls and strong passwords/secure software.
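The "attack attempt after attack attempt" in a fresh server's auth log is easy to turn into a detection. The following Python is an added example (not from the thread or any project it mentions): it parses sshd "Failed password" and "Accepted" lines, flags source addresses that exceed a failure threshold inside a sliding time window, and separately flags a successful login from an address that had failed earlier, which is the case worth a human's attention. The log lines, hostnames and addresses are constructed for the example.

```python
"""Added example (not from the thread): brute-force triage over sshd log lines.
SAMPLE_LOG is constructed; the addresses are documentation ranges."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Jan 10 03:14:07 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:09 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 03:14:12 vps sshd[1203]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jan 10 03:14:15 vps sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Jan 10 03:14:20 vps sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 51260 ssh2
Jan 10 03:15:01 vps sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:constructed
Jan 10 03:20:00 vps sshd[1220]: Failed password for bob from 192.0.2.44 port 33000 ssh2
Jan 10 03:20:05 vps sshd[1221]: Accepted password for bob from 192.0.2.44 port 33002 ssh2
"""

# syslog timestamp, then the sshd message we care about
_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(_TS + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(_TS + r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")


def _parse_ts(text: str) -> datetime:
    # syslog lines carry no year; strptime defaults to 1900, which is fine for ordering
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse(lines):
    """Yield dicts {ts, kind, user, ip, method} for the lines we recognise."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield {"ts": _parse_ts(m["ts"]), "kind": "failed", "user": m["user"],
                   "ip": m["ip"], "method": "password"}
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            yield {"ts": _parse_ts(m["ts"]), "kind": "accepted", "user": m["user"],
                   "ip": m["ip"], "method": m["method"]}


def analyze(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """Return {"bruteforce": {ip: peak failures in window},
               "success_after_failure": [(ip, user, method), ...]}"""
    events = sorted(parse(log_text.splitlines()), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    failed_ever = set()           # ips with any failure so far
    bruteforce = {}
    success_after_failure = []
    for ev in events:
        ip = ev["ip"]
        if ev["kind"] == "failed":
            q = recent[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            failed_ever.add(ip)
            if len(q) >= threshold:
                bruteforce[ip] = max(bruteforce.get(ip, 0), len(q))
        elif ip in failed_ever:
            # a login that succeeded after failures from the same address
            success_after_failure.append((ip, ev["user"], ev["method"]))
    return {"bruteforce": bruteforce, "success_after_failure": success_after_failure}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, n in result["bruteforce"].items():
        print(f"brute force: {ip} ({n} failures in window)")
    for ip, user, method in result["success_after_failure"]:
        print(f"review: {user}@{ip} accepted via {method} after earlier failures")
```

Run it against `/var/log/auth.log` (or `journalctl -u ssh --no-pager`) instead of `SAMPLE_LOG` to see the same two signals on a real host; the threshold and window are the knobs to tune against your own noise floor.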
Chris Katko
Member #1,881
January 2002
|
bamccaig said: firewalls and strong passwords/secure software.

Absolutely! Basically anything that's not brand new and has open ports... is pwned.

[edit] SQL on any port? Pwned. RDP on any port? Pwned. Even with strong passwords, you'll see non-stop password attempts in your logs. And there's no guarantee they won't use an exploit and go "around" the password. [/edit]

I'd love to figure out how they do portals and combine that. So like, you go through a certain port, tell that port (over SSL) your credentials, and THEN, attempt to login through a specific port. And the server would only accept incoming requests on ports from known IP addresses, after being verified on the "gateway/portal" IP. But how could you integrate that with other programs? Easy to make yourself but random program X, automatically making a request to the right portal. ... Maybe a virtual net driver could do it automatically? That, or I guess requiring to connect through a VPN first would count. And the VPN wouldn't actually get you "inside" the network like a traditional VPN. It would just get you to the main "external" services.
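The "portal first, then the service" design Chris describes is a state machine: authenticate once against a gateway, get your source address allowlisted for a limited time, and have the real service refuse anything not on that list. The Python below is an added example (not from the thread or any project it mentions) that models that state in memory with no sockets, so the rules can be read and tested directly: salted password hashing, constant-time comparison, a lockout after repeated failures from one address, and allowlist entries that expire. The user, passwords and addresses are constructed for the example; wiring it to a real firewall (for instance by adding and removing rules when entries open and expire) is left out.

```python
"""Added example (not from the thread): in-memory model of a portal that
allowlists a source address after authentication, and a service that only
answers allowlisted addresses. Users and addresses are constructed."""
import hashlib
import hmac
import os
import time

_DUMMY_SALT = b"\x00" * 16  # used for unknown users so timing looks the same


class Portal:
    def __init__(self, ttl_seconds: float = 300, max_failures: int = 5):
        self._users = {}      # user -> (salt, pbkdf2 hash)
        self._allow = {}      # ip -> expiry time (POSIX seconds)
        self._failures = {}   # ip -> consecutive failed attempts
        self.ttl = ttl_seconds
        self.max_failures = max_failures

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    def authenticate(self, ip: str, user: str, password: str, now: float = None) -> bool:
        """Verify credentials; on success allowlist `ip` for `ttl` seconds."""
        now = time.time() if now is None else now
        if self._failures.get(ip, 0) >= self.max_failures:
            return False  # locked out: too many failures from this address
        salt, expected = self._users.get(user, (_DUMMY_SALT, b""))
        candidate = self._hash(password, salt)
        ok = user in self._users and hmac.compare_digest(candidate, expected)
        if ok:
            self._allow[ip] = now + self.ttl
            self._failures.pop(ip, None)
        else:
            self._failures[ip] = self._failures.get(ip, 0) + 1
        return ok

    def is_allowed(self, ip: str, now: float = None) -> bool:
        """True while the address has an unexpired allowlist entry."""
        now = time.time() if now is None else now
        expiry = self._allow.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._allow[ip]  # expired entries are dropped on the way out
            return False
        return True


class Service:
    """The real service: it trusts the portal's allowlist, nothing else."""
    def __init__(self, portal: Portal):
        self.portal = portal

    def handle(self, ip: str, request: str, now: float = None) -> str:
        if not self.portal.is_allowed(ip, now):
            return "REJECTED: address not authorized at portal"
        return f"OK: {request}"


if __name__ == "__main__":
    portal = Portal(ttl_seconds=60)
    portal.register("alice", "correct horse battery staple")
    svc = Service(portal)
    print(svc.handle("198.51.100.7", "GET /", now=1000))          # rejected
    portal.authenticate("198.51.100.7", "alice", "correct horse battery staple", now=1000)
    print(svc.handle("198.51.100.7", "GET /", now=1010))          # OK
    print(svc.handle("198.51.100.7", "GET /", now=1100))          # rejected: expired
```

The point of the `ttl` is the one bamccaig raised for certificates: an allowlist entry, like a session, should stop working on its own rather than rely on someone remembering to revoke it. Address-based allowlisting also inherits the usual caveat that it keys on the source address, so a client behind shared NAT opens the door for everything behind that address.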
Edgar Reynaldo
Major Reynaldo
May 2007
|
This sucks for Chrome on Android. I have to go to Advanced -> proceed to allegro.cc (unsafe) on every single page I visit. PPP

My Website! | EAGLE GUI Library Demos | My Deviant Art Gallery | Spiraloid Preview | A4 FontMaker | Skyline! (Missile Defense) Eagle and Allegro 5 binaries | Older Allegro 4 and 5 binaries | Allegro 5 compile guide
bamccaig
Member #7,536
July 2006
|
I can't stand to browse the Web on a phone. I'll do it rarely if I'm desperate, but it's a miracle that I haven't thrown my phone across the room doing it. I don't know how people do it. Especially IT people.
Edgar Reynaldo
Major Reynaldo
May 2007
|
Anybody notice that img tags are broken too? At least for attachments.
bamccaig
Member #7,536
July 2006
|
I have not. Link?
bamccaig
Member #7,536
July 2006
|
XML looks broken, but the embedded version seems normal, as do the links. Unless maybe the links should not be scaled?