by bphogan 3794 days ago
Firefox refuses to let me look at this page because of a certificate problem.

Not to go off on a rant, but this is what the "everyone must use https because we said so" edict is going to cause - it's not enough you use https, it has to be the right kind of https that involves a third party issuer of certs.

Can anyone fix that issue or link to a different page please?

7 comments

> Firefox refuses to let me look at this page because of a certificate problem.

Me too, but I know why: my employer's proxy MITMs any SSL connections whose certificate authority it does not recognize as bona fide. Quite aggravating - but a very nice tool to explain SSL MITM to users... There's always a silver lining!

> whose certificate authority it does not recognize as bona fide

That's a very strange criterion; do you mean that anything that would have been a certificate error gets MITMed instead, rather than rejected? Very strange.

Not just the self-signed ones - also some others... I wonder what the whitelist is. The proxy is the infamous McAfee Web Gateway - I don't know if the list is user-maintained or supplied by the vendor.
Working fine for me on Firefox/Linux. Is your system clock set right?
I suspect there is a non-trivial number of users for whom the entire internet is broken for this simple reason.
Works for me on Firefox 34.0 Linux. Are you sure you aren't encountering a MITM from a corporate proxy?
Yes it must, because self-signed certs offer no defense against MITM.
To be more precise, they offer no defense against MITM on first visit. Once I've pinned a particular self-signed cert for a particular site, I'll be quite suspicious if that cert ever changes.
Okay, but that only helps the tiny subset of HNers who are manually pinning certs for a random website.

Further, real world MITMs are ad injection at the device (Lenovo Superfish) or ISP level, so they are persistent.

You can't proceed past the certificate warning?
I can proceed if I add an exception. But I don't know if I want to add an exception.

Edit: Clock is automatically set via OSX. Not a problem with other sites.

Firefox says

tails.boum.org uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. (Error code: sec_error_unknown_issuer)

Sooooo..... I need a root certificate of some sort then? See, this is what we get to contend with - I can't read this site because reasons. And it's up to me to find out what the reasons are I guess. Wait till this hits the masses when certs get revoked, expire, etc. :)

And you shouldn't - this page uses a valid certificate for me. Either your clock is set wrong, you're missing CAs or you're being MITM'd. Verify your time, check the certificate chain on the site (should be UserTrust -> Gandi -> site) and try to check fingerprints against https://www.grc.com/fingerprints.htm if you can.
Yeah.. That's suspicious.. Firefox uses its own CA list, so if your install of Firefox is up to date, and your system clock is correct then you are potentially being MITM'd...

If that is the case then your browser is exhibiting correct behavior.

For me, I can see that the root CA is USERTrust (SHA-384 sig, interestingly), and the server is presenting a valid intermediate (Gandi - also using a SHA-384 signature), then the site certificate (SHA-256 sig).

There is a secondary certification path though, coming from an old SHA1 AddTrust Root (but this is also in my trust store for Firefox).

Same results on Chrome. I am not on a corporate network - I am at home.

Are there tools I can use to work my way through this?

Odd. Chrome also uses its own trust store, distinct from system and Firefox..

OpenSSL is a good starting point:

openssl s_client -connect tails.boum.org:443

type 'danger' on the warning page
Did you resolve this? Make sure the root that shows up on the certificate details page is UserTrust - if it's not, it's possible someone is performing MITM on you.

SHA-256 Fingerprint for tails.boum.org should be:

F8:DC:67:21:96:77:46:F5:9D:77:BD:7B:87:C1:39:42:C8:4E:4B:25:97:34:AC:E2:80:24:99:35:D9:81:9C:B6

If that doesn't match the value you see in the Firefox or Chrome certificate details page, please, send as many details about the chain as you can back, I'm very interested to see what's happening here considering you're not on a corp network and seeing this and even moreso because this is the Tails site, something that might very much interest some attackers...
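The fingerprint check described in this comment and the openssl s_client starting point suggested earlier in the thread, as an added example that is not part of the discussion: a small Python script that fetches the leaf certificate a server presents (without trusting it) and compares its SHA-256 fingerprint with an expected value, in the colon-separated form the Firefox and Chrome certificate dialogs show. The host name and the expected fingerprint are the ones quoted in the comments; certificates are renewed periodically, so a mismatch against a fingerprint quoted years ago is expected and is not by itself evidence of interception.

```python
import hashlib
import socket
import ssl

# Expected SHA-256 fingerprint for tails.boum.org as quoted in the comment above.
EXPECTED_TAILS_FP = (
    "F8:DC:67:21:96:77:46:F5:9D:77:BD:7B:87:C1:39:42:"
    "C8:4E:4B:25:97:34:AC:E2:80:24:99:35:D9:81:9C:B6"
)


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, formatted like a browser certificate dialog."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Compare ignoring case and separators, so values copied from
    different UIs (colons, spaces, lower-case hex) still compare equal."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return norm(sha256_fingerprint(der_cert)) == norm(expected)


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the leaf certificate presented on the path to host, without
    trusting it: we only want to fingerprint what the client actually saw."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inspecting, not trusting
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_site(host: str, expected: str) -> bool:
    """True when the presented leaf certificate matches the expected fingerprint."""
    der = fetch_leaf_der(host)
    print(f"{host}: presented {sha256_fingerprint(der)}")
    return fingerprint_matches(der, expected)


if __name__ == "__main__":
    ok = check_site("tails.boum.org", EXPECTED_TAILS_FP)
    print("fingerprint matches" if ok else "MISMATCH: renewed cert, or a MITM in the path")
```

Compare the printed value against the fingerprint shown in the browser's certificate details: if the browser shows a different certificate than a direct connection does, something between the browser and the site is substituting certificates.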

I had a bunch of work to get to today, so I just didn't have time to mess with this.

But the problems seem to have gone away.

Suspicious.
Same with Chrome 47 on OSX