by overlordalex 3514 days ago
It's because they're using a stricter form of https, which fails if your company messes with the certs (I'm guessing proxy problems).

This is what it looks like for me:

> Certificate Error There are issues with the site's certificate chain (net::ERR_CERT_AUTHORITY_INVALID).

    Issued To

    Common Name (CN)	blog.torproject.org
    Organisation (O)	<Not Part Of Certificate>
    Organisational Unit (OU)	<Not Part Of Certificate>

    Issued By

    Common Name (CN)	$my_company Web Gateway
    Organisation (O)	$my_company
    Organisational Unit (OU)	$my_company_infrastructure_unit

How do you generate a stricter cert like this?
Using HSTS (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/St...). From RFC 6797 (https://tools.ietf.org/html/rfc6797#page-27):

11.3. Using HSTS in Conjunction with Self-Signed Public-Key Certificates

   If all four of the following conditions are true...

   o  a web site/organization/enterprise is generating its own secure
      transport public-key certificates for web sites, and

   o  that organization's root certification authority (CA) certificate
      is not typically embedded by default in browser and/or operating
      system CA certificate stores, and

   o  HSTS Policy is enabled on a host identifying itself using a
      certificate signed by the organization's CA (i.e., a "self-signed
      certificate"), and

   o  this certificate does not match a usable TLS certificate
      association (as defined by Section 4 of the TLSA protocol
      specification [RFC6698]),

   ...then secure connections to that site will fail, per the HSTS
   design.  This is to protect against various active attacks, as
   discussed above.

   However, if said organization wishes to employ its own CA, and self-
   signed certificates, in concert with HSTS, it can do so by deploying
   its root CA certificate to its users' browsers or operating system CA
   root certificate stores.  It can also, in addition or instead,
   distribute to its users' browsers the end-entity certificate(s) for
   specific hosts.  There are various ways in which this can be
   accomplished (details are out of scope for this specification).  Once
   its root CA certificate is installed in the browsers, it may employ
   HSTS Policy on its site(s).
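As an added illustration (not part of the thread or of RFC 6797 itself), the following Python models the two things the quoted section turns on: how a browser derives an HSTS policy from a Strict-Transport-Security header (RFC 6797 Section 6.1: max-age is required, a repeated directive invalidates the header, max-age=0 drops the policy), and the "all four conditions" rule above, under which a certificate error on a known HSTS host is a hard failure with no click-through (Section 8.4) unless the chain validates or a usable TLSA association matches. The scenarios at the bottom are constructed to mirror the first comment: a corporate web gateway re-signing blog.torproject.org, with and without the gateway's root deployed to the client trust store. The function and field names are this example's own.

```python
"""HSTS header parsing and the RFC 6797 Section 11.3 failure rule.

Added example, not code from the thread. Models a user agent's decision,
not any particular browser's implementation.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Per RFC 6797 6.1: directives are ';'-separated, names are
    case-insensitive, max-age is REQUIRED, a directive appearing more
    than once makes the whole header invalid (ignored), and unknown
    directives are skipped. Returns None for an invalid header.
    """
    seen = set()
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def connection_outcome(policy: Optional[HstsPolicy],
                       chain_trusted: bool,
                       tlsa_match: bool) -> str:
    """Apply the Section 11.3 conditions to one TLS connection.

    chain_trusted: the server certificate chains to a root in the local
        store (a corporate root pushed to the store counts, which is the
        remedy the RFC text describes).
    tlsa_match: the certificate matches a usable TLSA association
        (RFC 6698). Most browsers do not implement DANE, so this is
        normally False; it is here because it is the RFC's fourth condition.

    Returns 'ok', 'warn' (ordinary bypassable certificate warning) or
    'fail' (HSTS host: terminate with no user recourse, RFC 6797 8.4).
    """
    if chain_trusted or tlsa_match:
        return "ok"
    hsts_in_effect = policy is not None and policy.max_age > 0
    return "fail" if hsts_in_effect else "warn"


def thread_scenarios() -> dict:
    """Constructed scenarios modelled on the first comment in the thread."""
    policy = parse_hsts("max-age=15768000; includeSubDomains")
    return {
        # Web gateway re-signed the leaf; its root is not in the store.
        "gateway_root_not_deployed": connection_outcome(policy, False, False),
        # Same gateway, but its root was deployed to the OS/browser store.
        "gateway_root_deployed": connection_outcome(policy, True, False),
        # A site that never sent an STS header: normal bypassable warning.
        "no_hsts": connection_outcome(None, False, False),
    }


if __name__ == "__main__":
    for name, outcome in thread_scenarios().items():
        print(f"{name}: {outcome}")
```

The point the model makes explicit is that the "stricter" behaviour is not a property of the certificate at all: the same re-signed leaf yields a click-through warning on a host without HSTS and a non-bypassable failure on a host that has previously sent a valid max-age, which is exactly why deploying the gateway's root to the trust store is the only remedy the RFC offers.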