Hi Ronni,

I have not been experiencing any of these problems myself – but I find it
all very interesting stuff.


So, if I read the article correctly, they say that it is the browser
being used that allows or disallows access?


So, presumably, the reason David has no problems with his SL 10.6.8 machine
is down to the browsers being older and not incorporating these new security
standards?

However, I note that David said his problems began when he updated from
10.11 El Capitan to 10.12 Sierra – so I’m wondering if that could ALL be
down to the browsers being used (Safari, Chrome & Firefox) – presumably they
were not ALL simultaneously updated at the time of the OS update? So is it
possible that some other aspect of the way Sierra operates now gives
the problem where there was no problem in El Capitan?

I also noticed that David originally reported the problem in December – but
fixed it by following your advice regarding updating certificates. When the
problem resurfaced, it was reported by David on 1 January 2017 – which does
tie in with the proposed start of the rejections as reported in the article.


I will continue to watch David’s progress with interest.


Ronni, thanks for all the wonderful advice that you so generously provide to
WAMUG.


Wishing you, and all WAMUG members, a healthy and happy 2017.




Cheers



Neil
-- 
Neil R. Houghton
Albany, Western Australia
Tel: +61 8 9841 6063
Email: [email protected]





on 2/1/17 6:43, Ronni Brown at [email protected] wrote:

> Hello David,
> 
> More information to help explain why you are most likely experiencing the
> Error Messages 
> "This site can't provide a secure connection
> www.google.com.au <http://www.google.com.au> doesn't adhere to security
> ERR_SSL_SERVER_CERT_BAD_FORMAT"
> --
> Last night I remembered I had kept an article written back in 2014 regarding
> SHA-1 signed certificates being vulnerable to attacks; it has now been
> updated.
> 
> Key points:
> 
> * Websites and apps use a Secure Hash Algorithm, known as SHA, to encrypt and
> protect data
> * Security experts consider the older version SHA-1 as vulnerable
> * Websites and apps will be required to use the newer version, SHA-2
> * From January 1, 2017 rejections will begin if an SHA-1 certificate is in use
> —
> The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms
> <https://www.thesslstore.com/blog/difference-sha-1-sha-2-sha-256-hash-algorithms/>
> —
> 
> Websites and apps have been given the deadline of January 1, 2017 to adhere to
> new security standards to minimise the risk of hacking and prevent a
> "mini-Y2K", or have access to their websites taken away.
> 
> Over the course of the year browsers like Google Chrome will require tighter
> security measures if websites are going to work, or risk compatibility issues.
> 
> Google Chrome already issues a warning onscreen to users when they visit a
> website that has a SHA-1 signed certificate, informing them of the "weak
> security configuration".
> 
> But from January 2017 some browsers will begin to stop supporting SHA-1
> certificates, so users trying to access those websites will trigger a fatal
> network error.
> 
> In order to process information securely, websites and apps use a Secure Hash
> Algorithm, known as SHA, to encrypt and protect data.
> 
> The industry has agreed to phase out the older version of this algorithm,
> SHA-1, as security experts consider it too vulnerable to attacks.
> 
> Websites and apps will now be required to use the newer version, SHA-2, which
> addresses the security weaknesses of SHA-1.
> 
> But some internet security experts believe the industry is under-prepared for
> the transition.
> 
> From the start of 2017 real rejections will begin
> 
> Mr Grimes said some people are already noticing a difference, with most
> software showing an error message as of January 1 this year if a SHA-1
> certificate is in use.
> 
> But the real rejections will begin by January 1, 2017, when browsers such as
> Google Chrome will completely stop supporting SHA-1 certificates.
> 
> 
> <http://www.abc.net.au/news/2016-01-04/new-security-standards-for-online/7066428>
> ——
> SHA-1 certificates causing errors year 2017
> <https://www.google.com.au/search?client=safari&rls=en&q=SHA-1+certificates+causing+errors+year+2017&ie=UTF-8&oe=UTF-8&gfe_rd=cr&ei=0a9oWLjqAuzI8gfV0KXQCg>
> ——
> Cheers,
> Ronni
> 
> 13-inch MacBook Air (April 2014)
> 1.7GHz Dual-Core Intel Core i7, Turbo Boost to 3.3GHz
> 8GB 1600MHz LPDDR3 SDRAM
> 512GB PCIe-based Flash Storage
> 
> macOS Sierra 10.12.2
> 
>> On 1 Jan 2017, at 2:35 pm, Ronda Brown <[email protected]> wrote:
>> 
>> Forgot to mention to 'Restart your computer' after deleting or changing any
>> certificates in Keychain Access.
>> 
>> Sent from Ronni's iPad4
>> 
>> 
>> On 1 Jan 2017, at 1:54 pm, Ronni Brown <[email protected]> wrote:
>> 
>>> Hi David,
>>> 
>>> As I mentioned originally, I’m 99% sure that the problem will be expired
>>> certificate/s in Keychain Access.
>>> 1. Open ‘Keychain Access’
>>> 2. Under Keychains (in left column) - Select ‘Login’
>>>    Under Category (in left column) - Select ‘All Items’
>>> 3. In Top Menu Bar of Keychain Access > View - select ‘Show Expired
>>> Certificates’
>>> 4. Type in the search field - DigiCert High and press enter/return on your
>>> keyboard
>>> 5. Find "DigiCert High Assurance EV Root CA" that is probably marked as
>>> Expired (a red X)
>>> 6. Click the expired certificate & Delete by pressing Delete on your
>>> keyboard
>>> 
>>> 7. Check if there are any other expired certificates and delete them.
>>> Or Choose Keychain Access > Certificate Assistant > Evaluate (certificate
>>> name)
>>> If your certificate is not valid, it will have a red "x" and state the
>>> reason why. 
>>> 
>>> Generally the reason is "This certificate has expired" or "This certificate
>>> was signed by an unknown authority".
>>> 
>>> Cheers,
>>> Ronni
>>> 
>>>> On 1 Jan 2017, at 12:27 pm, David Noel <[email protected]> wrote:
>>>> 
>>>> I'm having a problem again with connecting to popular sites on my new iMac
>>>> running Sierra 10.12.2. I'm writing this on my old iMac running 10.6.8,
>>>> which does not have these problems.
>>>> 
>>>> On attempting to connect to Google, I get:
>>>> 
>>>> This site can't provide a secure connection
>>>> www.google.com.au <http://www.google.com.au/>  doesn't adhere to security
>>>> ERR_SSL_SERVER_CERT_BAD_FORMAT
>>>> 
>>>> I get similar results with other https sites like Youtube, iTunes, Chrome
>>>> etc. Last time I had this problem (as below), I went through my Keychain
>>>> (which showed no expired certificates) and through DigiCert High to check
>>>> the certificates. After checking, the services worked OK again.
>>>> 
>>>> This time I got through to SSL Server Test
>>>> (https://www.ssllabs.com/ssltest/) and checked the certificates for Google,
>>>> Chrome, Apple, etc, which all came up "A" or "A-".  But the new iMac still
>>>> cannot connect to these sites.
>>>> 
>>>> Other non-https sites can be accessed with Chrome, Safari, and Firefox,
>>>> also some https sites like Unibank (Australian).
>>>> 
>>>> I've also searched (on this old iMac) for people having similar problems.
>>>> At 
>>>> 
>>>> https://community.rapid7.com/thread/9213, titled "Open Nexpose by use
>>>> Chrome", it said:
>>>> 
>>>> "We've seen this issue with Mac OS X Sierra in particular. It seems they
>>>> have made an update to the system keychain that affects Chrome, Safari,
>>>> curl, and any other applications that use the system for SSL/TLS
>>>> connections. Firefox is not affected since it uses its own implementation.
>>>>  
>>>> We are currently working on a fix in Nexpose to get around this issue,
>>>> though."
>>>> 
>>>> So it seems the problem may be in Keychain, rather than with the
>>>> certificates themselves. And Firefox did not work for me. Can anyone throw
>>>> any light on this, please?
>>>> 
>>>> David Noel
>>>> 2017 Jan 1
>>>> 
>>>> 
>>>> On 19 December 2016 at 16:10, Ronda Brown <[email protected]> wrote:
>>>>> Hi David,
>>>>> Good to hear the problem is solved.
>>>>> 
>>>>> Merry Christmas 🎄
>>>>> 
>>>>> Kindest Regards,
>>>>> Ronni
>>>>> 
>>>>> Sent from Ronni's iPhone 7 Plus
>>>>> 
>>>>> On 19 Dec 2016, at 4:01 pm, David Noel <[email protected]> wrote:
>>>>> 
>>>>>> -- Thanks so much, Ronni, I'm not exactly sure what happened, but I
>>>>>> followed your instructions till I got somehow to SSL Certificate Checker
>>>>>> at 
>>>>>> https://www.digicert.com/help/
>>>>>> and when I typed in "google.com <http://google.com/> " it came back with
>>>>>> a clear certificate, and then Google worked OK. Same for Apple and
>>>>>> Youtube. 
>>>>>> 
>>>>>> -- I'm forever in awe with how you solve these problems! Sorry I
>>>>>> mistakenly said my OS was El Capitan, I am on Sierra 10.12.1. I did click
>>>>>> "Software Update" on "About this Mac" and it reported "No updates
>>>>>> available", so maybe you have a later version from another source.
>>>>>> 
>>>>>> All the very best, David.
>>>>>> 
>>>>>> 
>>>>>> On 19 December 2016 at 15:03, Ronni Brown <[email protected]> wrote:
>>>>>>> Hi David,
>>>>>>> You mentioned below you are running 10.12.1 El Capitan… 10.12.1 is macOS
>>>>>>> Sierra 10.12.1 & now has update 10.12.2
>>>>>>> 
>>>>>>> Make sure all your Browsers are current latest versions.
>>>>>>> 
>>>>>>> Also check Keychain Access for any ‘Expired Certificates’! Especially
>>>>>>> look for the one I mention below.
>>>>>>> 
>>>>>>> • On your Mac computer, at the top right, click Spotlight search.
>>>>>>> • Enter "Keychain Access."
>>>>>>> • In the results, click Keychain Access.
>>>>>>> • At the top of your computer screen, click View > Show Expired
>>>>>>> Certificates.
>>>>>>> • At the top right, click Search.
>>>>>>> • Type "DigiCert High" and press Enter on your keyboard.
>>>>>>> • Find "DigiCert High Assurance EV Root CA" that is marked as Expired.
>>>>>>> Click the certificate.
>>>>>>> • Delete by pressing Delete on your keyboard
>>>>>>> 
>>>>>>> Cheers,
>>>>>>> Ronni
>>>>>>> 
>>>>>>> 13-inch MacBook Air (April 2014)
>>>>>>> 1.7GHz Dual-Core Intel Core i7, Turbo Boost to 3.3GHz
>>>>>>> 8GB 1600MHz LPDDR3 SDRAM
>>>>>>> 512GB PCIe-based Flash Storage
>>>>>>> 
>>>>>>> macOS Sierra 10.12.2
>>>>>>> 
>>>>>>> 
On 19 Dec. 2016, at 2:25 pm, David Noel <[email protected]> wrote:

Hi Ronni, no, I have no security-type software. Anything else, such as
a work-around?

Cheers, David.

On 19 December 2016 at 14:10, Ronda Brown <[email protected]> wrote:
Are you using Kaspersky security software or Avast or some such software?


Sent from Ronni's iPad4


On 19 Dec. 2016, at 1:58 pm, David Noel <[email protected]> wrote:

I have a new iMac which I use for most purposes, running 10.12.1 El
Capitan. Since I upgraded from 10.11, I've had occasional problems
where my browsers can't access Google and Apple's own sites.

Error message from Chrome on accessing gmail:

"this site can't provide a secure connection, mail.google.com
<http://mail.google.com/>  doesn't
adhere to security standards".

Error message from Firefox on accessing Apple:

"The owner of support.apple.com <http://support.apple.com/> has configured
their website improperly
to protect your information from being stolen, Firefox has not
connected to this website".

Safari did not produce an error message, but seemed unable to load
certain sites.

In the past, I've been able to clear this problem by Restarting, but
this hasn't worked today. Has anyone any ideas on this matter?

It's inconceivable that Google and Apple have the faults indicated. As
I'm unable to access gmail, I'm sending this from my older machine
still on 10.6.8 -- this does not have the above problem.

Thanks and Merry Christmas --

David Noel
> 

-- The WA Macintosh User Group Mailing List --
Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
Settings & Unsubscribe - <http://lists.wamug.org.au/listinfo/wamug.org.au-wamug>