On 08.03.2012 23:02, Marco wrote:
> Dear list,
> 
> I want to mention some problems  I faced with the awesome home page.
> I'm on  linux and mainly use  chromium as my main  browser. The good
> thing first: I am able to enter the home page and the wiki. However,
> when I try to enter the bugs page¹, the following message appears:
> 
>   The server's security certificate is revoked!
> 
>   You attempted  to reach awesome.naquadah.org, but  the certificate
>   that  the  server  presented  has  been  revoked  by  its  issuer.
>   This  means that  the  security credentials  the server  presented
>   absolutely should not be trusted. You may be communicating with an
>   attacker. You should not proceed.
> 
> I'm no expert in network security, but my understanding of things is
> that  certificates cost  money. Awesome  is not  willing to  pay the
> money, so  they issue  their own  certificates. In  theory everybody
> could do that,  also a malicious site, that's why  the browser warns
> that the certificate is not trusted.
> 
> But what does it mean, that  the certificate has been revoked by the
> issuer? Naquadah,  the hoster of  the awesome home page,  issued the
> certificate  and revoked  it  afterwards? I  don't quite  understand
> what's going on with this certificate.
> 
> And honestly, I don't really care.  I trust the awesome home page. I
> believe that  entering the page will  not nuke my computer.  But the
> point is  that it  is *impossible*  to enter. The  only option  is a
> “back” button. I cannot enter the page  even if I know that it could
> be a risk. That is a major burden for the ordinary user. Firefox has
> a similar  issue with the  small, but important, difference  that it
> offers a button “I understand the risk, but still want to enter”. In
> short, with firefox it is annoying,  but possible to enter the page,
> with chromium it is impossible.

> I  tried to  play  with  some settings,  but  didn't find  something
> obvious to fix it. Maybe there is  an easy fix (please don't keep it
> for yourself and share your knowledge).

Go to your browser's address bar. The URL starts with "https://". Replace that
with "http://". Your connection is no longer encrypted and passive attacks are
now possible, but at least the webpage works.

> BTW: The awesome bug page is not the only affected site, some links²
> of the awesome blog³ are also affected.

Wow. This is the first justified mail that I read.

Anyway:

$ LC_ALL=C wget https://naquadah.org
--2012-03-08 23:16:51--  https://naquadah.org/
Resolving naquadah.org (naquadah.org)... 212.85.154.174, 2a02:2178:2:4::174
Connecting to naquadah.org (naquadah.org)|212.85.154.174|:443... connected.
ERROR: The certificate of `naquadah.org' is not trusted.
ERROR: The certificate of `naquadah.org' hasn't got a known issuer.
The certificate's owner does not match hostname `naquadah.org'

So the certificate doesn't match the host name that is requested.

Here is the (AFAIK full) print of the cert:

$ gnutls-cli --print-cert --port 443 naquadah.org  | openssl x509 -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            f8:60:4e:45:c0:95:36:33
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=Paris, L=Paris, O=Naquadah Network, CN=ssl.naquadah.org/[email protected]
        Validity
            Not Before: May 15 18:17:48 2008 GMT
            Not After : May 13 18:17:48 2018 GMT
        Subject: C=FR, ST=Paris, L=Paris, O=Naquadah Network, CN=ssl.naquadah.org/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:d3:ca:93:b6:ce:8d:41:74:7d:9b:a5:dd:d0:a9:
                    6e:ac:16:58:db:75:72:40:1c:fd:db:d6:b2:00:19:
                    fa:a3:c1:86:31:a9:b0:3e:28:f7:41:4f:b9:a2:e5:
                    ac:f8:8f:4e:b5:61:16:77:87:a9:e1:78:9a:ae:a2:
                    be:a6:fe:f8:15:a0:0f:fd:c1:81:4e:df:3a:d8:ab:
                    cd:e3:36:78:ef:fd:f4:4a:db:7d:4c:22:66:81:c2:
                    42:da:56:c2:5a:5f:8f:cc:fd:a3:22:e3:57:cf:0c:
                    79:33:e5:f2:bc:0f:23:a1:a2:68:be:41:4a:c5:e8:
                    43:6d:31:e0:6c:7a:bd:df:9d
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        6e:28:09:56:c0:96:4a:17:ef:6f:61:dc:b1:58:cc:3a:07:10:
        12:9a:c0:00:d1:8b:78:ca:a7:4f:f3:f1:e0:e1:5f:04:8f:1f:
        ae:7c:28:16:8d:4a:2f:5e:56:aa:f8:93:ae:06:4a:b7:df:1d:
        82:3e:93:ed:36:a8:03:46:41:d9:6e:f6:da:b8:1b:33:fe:81:
        e5:c8:fb:d8:6b:6e:30:2f:66:5c:4d:90:61:23:98:fd:24:12:
        27:20:82:25:cc:d9:54:04:23:31:4c:c3:95:d6:e7:f6:f2:5e:
        1d:a1:ae:24:ee:f8:4a:0c:95:86:e2:96:48:20:53:63:ae:62:
        bf:28

Let's compare this with google.com's cert:
[...]
            X509v3 Subject Alternative Name:
                DNS:*.google.com, DNS:google.com, DNS:*.atggl.com,
DNS:*.youtube.com, DNS:youtube.com, DNS:*.youtube-nocookie.com, DNS:youtu.be,
DNS:*.ytimg.com, DNS:*.google.com.br, DNS:*.google.co.in, DNS:*.google.es,
DNS:*.google.co.uk, DNS:*.google.ca, DNS:*.google.fr, DNS:*.google.pt,
DNS:*.google.it, DNS:*.google.de, DNS:*.google.cl, DNS:*.google.pl,
DNS:*.google.nl, DNS:*.google.com.au, DNS:*.google.co.jp, DNS:*.google.hu,
DNS:*.google.com.mx, DNS:*.google.com.ar, DNS:*.google.com.co,
DNS:*.google.com.vn, DNS:*.google.com.tr, DNS:*.android.com, DNS:android.com,
DNS:*.googlecommerce.com, DNS:*.url.google.com, DNS:*.googletagmanager.com,
DNS:googletagmanager.com, DNS:*.urchin.com, DNS:urchin.com,
DNS:*.google-analytics.com, DNS:google-analytics.com, DNS:*.cloud.google.com
[...]

These alt names make the certificate valid for more than just its subject's
common name.

No idea how much fixing the above helps, but it might be worth a try. Also, I
guess we should change all https-URLs to http ones. Which makes me wonder: Where
did the https come from?

Uli
-- 
"For saving the Earth.. and eating cheesecake!"
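As an added example (not code from the thread or from the awesome or Naquadah projects), here is a small Python implementation of the name-matching rule the thread runs into: dNSName entries in the Subject Alternative Name are authoritative, and the subject Common Name is only consulted when the certificate carries no SAN at all, which is why a v1 certificate whose only name is CN=ssl.naquadah.org cannot be valid for naquadah.org or awesome.naquadah.org. The name lists below are constructed from the output quoted in the thread.

```python
"""Check whether a hostname is covered by a certificate's names.

Rules (matching common browser behaviour):
  * if the cert has SAN dNSName entries, only those count; the CN is ignored
  * if there is no SAN (e.g. an X.509 v1 cert with no extensions), fall back to the CN
  * a wildcard is allowed only as the whole leftmost label and matches exactly one label
"""
from __future__ import annotations


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly '*.example.org') against a hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[2:]
    if "*" in suffix:  # wildcards anywhere else are rejected
        return False
    labels = hostname.split(".")
    # "*.example.org" covers "a.example.org" but not "example.org" or "a.b.example.org"
    return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == suffix


def hostname_matches(hostname: str, san_dns: list[str], common_name: str | None) -> bool:
    """True if the certificate's names (SAN first, CN only as fallback) cover hostname."""
    names = san_dns if san_dns else ([common_name] if common_name else [])
    return any(name_matches(n, hostname) for n in names)


# Constructed from the thread: the naquadah.org server cert is v1, so no SAN, only a CN.
NAQUADAH_CN = "ssl.naquadah.org"
NAQUADAH_SAN: list[str] = []

# A handful of the SAN entries quoted from google.com's cert.
GOOGLE_SAN = ["*.google.com", "google.com", "*.youtube.com", "youtu.be"]


def check_thread_hosts() -> dict[str, bool]:
    """Evaluate the hostnames discussed in the thread against the two certs."""
    return {
        "naquadah.org": hostname_matches("naquadah.org", NAQUADAH_SAN, NAQUADAH_CN),
        "awesome.naquadah.org": hostname_matches("awesome.naquadah.org", NAQUADAH_SAN, NAQUADAH_CN),
        "ssl.naquadah.org": hostname_matches("ssl.naquadah.org", NAQUADAH_SAN, NAQUADAH_CN),
        "www.google.com": hostname_matches("www.google.com", GOOGLE_SAN, "www.google.com"),
        "google.com": hostname_matches("google.com", GOOGLE_SAN, "www.google.com"),
        # one wildcard label only: *.google.com does not reach two labels deep
        "mail.corp.google.com": hostname_matches("mail.corp.google.com", GOOGLE_SAN, "www.google.com"),
    }


if __name__ == "__main__":
    for host, ok in check_thread_hosts().items():
        print(f"{host:24s} {'OK' if ok else 'name mismatch'}")
```

A fix on the server side would be a certificate listing naquadah.org and *.naquadah.org (or awesome.naquadah.org) as SAN entries, since the CN alone can name only one host.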
