librelist archives

HTTPS warning on Friendica Dev forum

From: Jeremy Rand
Date: 2013-02-02 @ 04:07

I'm getting an HTTPS warning in Firefox when visiting the Friendica Dev 
forum ( https://friendika.openmindspace.org/profile/friendicadevelopers 
). Here is the warning:

friendika.openmindspace.org uses an invalid security certificate.

The certificate is only valid for the following names:
   chriscase.cc , www.chriscase.cc

(Error code: ssl_error_bad_cert_domain)

Any chance this can be fixed?  I'm nervous about bypassing the warning.

Thanks.

Re: [friendica] HTTPS warning on Friendica Dev forum

From: Fabrix Xm
Date: 2013-02-02 @ 09:15

Friendica is a distributed network. Content in your "network" page can be
loaded directly from your contacts' servers.
As SSL certificates can be expensive, most admins use self-generated
certificates: this allows for a secure connection, but the browser warns the
user about an "invalid" certificate.
If you are nervous about SSL warnings in your network, you can:
- avoid making contact with people on servers without a valid certificate
- ask the server admin to fix the certificate

btw, "friendika.openmindspace.org" admin is Chris Case...

Re: [friendica] HTTPS warning on Friendica Dev forum

From: Michael Meer
Date: 2013-02-02 @ 10:39

Hi Jeremy,

There's no need to fear the warning.
In the meantime Chris Case installed a proper certificate signed by Comodo 
(well known by your web browser).
So this is fixed now.

Encrypting the traffic with SSL is better than having the traffic 
unencrypted. It is then one more barrier that an attacker needs to 
crack. But to say it clearly: it is no longer as secure as it was 
some years ago.
This has nothing to do with Friendica; it's about SSL (it affects all 
services that use SSL).
The instances that sign certificates are called Certificate Authorities 
(CAs). Every CA can create certs for specific websites.
Too many CAs were hacked in the last 2 years. And most of the handling of 
these incidents was not professional (from the IT-sec perspective).

Sample: https://www.google.com has a certificate from the CA of Google 
(a CA that is well known by your browser; you didn't get a warning when 
you visited this website). All OK.
The attack (man in the middle): somebody from Syria wants to use a 
service of Google. They get an HTTPS-encrypted site from Google, but that's a 
fake because the Syrian government has hacked the Turktrust CA and set up a 
fake Google server in their firewalls / proxies. In this case the cert 
is from Turktrust (hacked some months ago 
http://www.securelist.com/en/blog/208194063/TURKTRUST_CA_Problems ); then 
the Syrian government is able to decrypt all traffic, read all the stuff, 
encrypt it once more and send it to the original Google server (HTTPS 
encrypted with the Google cert from the Google CA). In this case you don't 
get a warning either, but this is the problem. I hope that in the meantime 
Firefox and Microsoft have removed the Turktrust CAs from the browsers.
The DigiNotar CA was still in the browsers 3/4 of a year after the CA 
hack.

You should not get frightened when you get a warning. You should fear 
the warnings you don't get.
Not all CA hacks were published.
And not in all cases do governments need to hack a CA; some 
governments have, or cooperate with, a company that owns a CA to do that 
kind of stuff.
This could kill people.

More information:
https://www.youtube.com/watch?v=m471X9iTbP4
and on a search engine you trust.

kind regards & take care
MicMee



On 2013-02-02 05:07, Jeremy Rand wrote:
> I'm getting an HTTPS warning in Firefox when visiting the Friendica 
> Dev
> forum ( 
> https://friendika.openmindspace.org/profile/friendicadevelopers
> ). Here is the warning:
>
> friendika.openmindspace.org uses an invalid security certificate.
>
> The certificate is only valid for the following names:
>    chriscase.cc , www.chriscase.cc
>
> (Error code: ssl_error_bad_cert_domain)
>
> Any chance this can be fixed?  I'm nervous about bypassing the 
> warning.
>
> Thanks.

-- 
http://michael.meer.name
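
Added example, not part of the original thread or of any poster's message: a simplified sketch of the name check behind the ssl_error_bad_cert_domain warning quoted in the first message, using the names from that warning. The function names are hypothetical and the wildcard rules are a simplified reading of RFC 6125, not Firefox's code; a passing name check says nothing about whether the issuing CA can be trusted, which is the separate concern raised in the last reply.

```python
# Added illustration: simplified DNS-name matching in the spirit of RFC 6125.
# It is not Firefox's implementation and not a full certificate validator.

# Names taken from the warning quoted in the first message of the thread.
CERT_NAMES = ["chriscase.cc", "www.chriscase.cc"]
REQUESTED_HOST = "friendika.openmindspace.org"


def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def name_matches(pattern, hostname):
    """Return True if one certificate name covers the requested hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if "" in p or "" in h or len(p) != len(h):
        return False  # malformed name, or different depth (no multi-label wildcard)
    if any("*" in label for label in p[1:]):
        return False  # wildcard allowed only in the left-most label
    if p[0] == "*":
        # Require at least two fixed labels so "*.org" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial wildcards such as "w*" are rejected here
    return p == h


def check_host(hostname, cert_names):
    """Return (ok, error); error reuses the code string shown in the thread."""
    if any(name_matches(n, hostname) for n in cert_names):
        return True, None
    return False, "ssl_error_bad_cert_domain"


if __name__ == "__main__":
    for host in (REQUESTED_HOST, "www.chriscase.cc"):
        print(host, check_host(host, CERT_NAMES))
```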