This is a read-only snapshot of the ComputerCraft forums, taken in April 2020.

Security certificate errors

Started by Cranium, 18 January 2013 - 12:49 PM
Cranium #1
Posted 18 January 2013 - 01:49 PM
Quite often while browsing ComputerCraft Forums, I get a little popup on my browser (tested on OLD IE, and newest Chrome) that says there was an issue with the security certificates. I tried examining them, but it kept having issues doing so.
Is there a new issue with the website?
RunasSudo-AWOLindefinitely #2
Posted 18 January 2013 - 02:03 PM
Hmm. When I try to access the https:// version of the website, I get (in Firefox)

Secure Connection Failed
An error occurred during a connection to computercraft.info.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
theoriginalbit #3
Posted 18 January 2013 - 02:05 PM
Hmm. When I try to access the https:// version of the website - snip -
I just get "Safari can't open this page"
RunasSudo-AWOLindefinitely #4
Posted 18 January 2013 - 02:32 PM
I just get "Safari can't open this page"
And that is why you use Firefox. It actually tells you the problem.
theoriginalbit #5
Posted 18 January 2013 - 02:41 PM
I just get "Safari can't open this page"
And that is why you use Firefox. It actually tells you the problem.
Well it does give a reason, it's just in smaller text…. "Safari can't open this page <url> because Safari can't establish a secure connection to the server 'www.computercraft.info'"
RunasSudo-AWOLindefinitely #6
Posted 18 January 2013 - 02:42 PM
Well it does give a reason, it's just in smaller text…. "Safari can't open this page <url> because Safari can't establish a secure connection to the server 'www.computercraft.info'"
That's a pathetic excuse for a reason. :P
Safari: "We couldn't make a secure connection"
FF: "SSL received a record that exceeded the maximum permissible length."
theoriginalbit #7
Posted 18 January 2013 - 02:43 PM
That's a pathetic excuse for a reason. :P
Hey that's just Apple. They try to make it easy for the End User, not people like us. The average user would read that FF one and be "WTF?!"…
NeverCast #8
Posted 18 January 2013 - 02:45 PM
And that's why I avoid affiliating with average users, they expect me to talk like that too! :)
Dlcruz129 #9
Posted 18 January 2013 - 03:28 PM
I've never gotten this error, and I haven't connected by https.
RunasSudo-AWOLindefinitely #10
Posted 18 January 2013 - 03:51 PM
and I haven't connected by https
There's your problem! We're investigating why the https version of the site doesn't work.
AfterLifeLochie #11
Posted 18 January 2013 - 04:32 PM
The reason SSL doesn't work is because the server isn't actually initiating a correct SSL connection - probably because it's not configured. A quick test with openssl s_client yields the following.

neko@azunyan:~$ openssl s_client -connect computercraft.info:443

CONNECTED(00000003)
140523489707680:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:749:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 226 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
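
An added example, not part of the original thread or any poster's code: it reads the first bytes a server sends on port 443 as a TLS record header, which shows how a plaintext reply produces errors like "unknown protocol" and "record exceeded the maximum permissible length". The sample byte strings are constructed; the thread does not show what computercraft.info actually sent.

```python
import struct

# TLS 1.0-1.2 record layer: a ciphertext record carries at most 2^14 + 2048 bytes.
MAX_RECORD_LEN = 2**14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Prefixes that suggest a plain HTTP response or error page (heuristic).
HTTP_PREFIXES = (b"HTTP/", b"<!DOC", b"<html", b"<HTML")


def classify_first_bytes(data: bytes) -> dict:
    """Read the first bytes a server sent on port 443 as a TLS record header."""
    if len(data) < 5:
        return {"verdict": "too_short"}
    # Header layout: content type (1), version major/minor (2), length (2).
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    info = {
        "content_type": ctype,
        "version": (major, minor),
        "length": length,
        # What a TLS client concludes if it takes the length field at face value.
        "record_too_long": length > MAX_RECORD_LEN,
    }
    if ctype in CONTENT_TYPES and major == 3 and not info["record_too_long"]:
        info["verdict"] = "tls_record"
        info["detail"] = CONTENT_TYPES[ctype]
    elif data.startswith(HTTP_PREFIXES):
        info["verdict"] = "plaintext_http"
    else:
        info["verdict"] = "not_tls"
    return info


# Constructed sample inputs (not captured from computercraft.info).
SAMPLES = {
    "tls server hello": bytes.fromhex("1603010031") + b"\x02\x00\x00\x2d",
    "http on 443": b"HTTP/1.1 400 Bad Request\r\n",
    "ssh on 443": b"SSH-2.0-OpenSSH_6.0\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} {classify_first_bytes(raw)}")
```

In the plaintext HTTP sample the bytes "P/" land in the length field, giving 0x502F (20527), which is over the record limit.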
Dlcruz129 #12
Posted 18 January 2013 - 04:34 PM
and I haven't connected by https
There's your problem! We're investigating why the https version of the site doesn't work.

Why would you connect via https? It's not like you submit any personal info or anything.
dissy #13
Posted 18 January 2013 - 05:12 PM
Why would you connect via https? It's not like you submit any personal info or anything.

To make the post you did, you sent your username, password, and 9 cookies containing various state info including a password hash.

It's always best practice to connect using https by default and only fall back to http if it doesn't work.
If you encrypt nothing but one thing, that one thing is clearly something you are trying to hide. If you encrypt everything, even that bit of info isn't determinable.
The https_everywhere plugin even handles this automatically for you.
Cranium #14
Posted 18 January 2013 - 05:59 PM
Woah, I wasn't talking ANYTHING like https….
I was talking about the security certificate. Some sites have them, verifying that you are on the page that you are supposed to be…or something…I don't know anything about websites, or how they are written, I was just posting something I thought needed to be addressed.
Dlcruz129 #15
Posted 18 January 2013 - 06:07 PM
Woah, I wasn't talking ANYTHING like https….
I was talking about the security certificate. Some sites have them, verifying that you are on the page that you are supposed to be…or something…I don't know anything about websites, or how they are written, I was just posting something I thought needed to be addressed.

Check this out: http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html

Everything you want to know about certificates, and everything you don't give a shit about.
dissy #16
Posted 18 January 2013 - 07:00 PM
Woah, I wasn't talking ANYTHING like https….
I was talking about the security certificate.

Sorry, but that is too funny not to quote ;}

"I wasn't talking anything like encryption… I was talking about the encryption"
Cranium #17
Posted 18 January 2013 - 07:08 PM
I was talking not about the SSL, I was only talking about the certificate…..
dissy #18
Posted 18 January 2013 - 07:10 PM
I was talking not about the SSL, I was only talking about the certificate…..

It isn't possible to see/use/anything the certificate without SSL. SSL is the means certificates are exchanged, viewed, and used.
Cranium #19
Posted 18 January 2013 - 07:20 PM
It isn't possible to see/use/anything the certificate without SSL. SSL is the means certificates are exchanged, viewed, and used.
Considering I said I have NO IDEA how websites are made, I guess I will not be able to convey what happened….
D3matt #20
Posted 19 January 2013 - 04:26 PM
It isn't possible to see/use/anything the certificate without SSL. SSL is the means certificates are exchanged, viewed, and used.
Considering I said I have NO IDEA how websites are made, I guess I will not be able to convey what happened….
Certificates aren't used except in secure connections (HTTPS/SSL). If your browser is even trying to get a certificate and you're not using HTTPS, there's a problem on your end.
Cranium #21
Posted 23 January 2013 - 07:05 AM

Bam, finally caught that little bugger in the act. This is the issue I'm having. I believe it has something to do with the ads.
NeverCast #22
Posted 23 January 2013 - 07:48 AM
If you used Chrome or Firefox it would give you more information such as what caused the error :P

And ads don't break a security certificate.
Cranium #23
Posted 23 January 2013 - 07:57 AM
Well, when I clicked on it, it actually crashed my IE. I know I should be using Chrome or Firefox, but I'm at work, and they don't allow other unapproved software. Either way, I have had this message before on other sites, and it always had to do with errors in displaying ads. Otherwise, the site would always display that.

Ooh, I just noticed that ads are through Google Ad services. And I had the option to +1 an ad. Perhaps that is how it's querying the SSL?
NeverCast #24
Posted 23 January 2013 - 08:55 AM
Your work could be using a proxy and the proxy could be screwing with the SSL connection or the verification.
When you next get the error can you check what domain it's regarding? Also check the SSL Chain.
Cranium #25
Posted 23 January 2013 - 09:42 AM
Gobbledeegook. I have no idea what you said. I know Lua, not much else.
AfterLifeLochie #26
Posted 23 January 2013 - 09:58 AM
This isn't our fault - it means a third party content provider (for example, image hosting, etc) has a bad SSL certificate (somehow), and Internet Exploder is warning you that there is content on the page that is affected by that particular bad SSL certificate.

A general example of a cause for an error like that is when someone is intercepting traffic - if you are behind a work network, they may be altering SSL traffic in order to inspect your data (it's pretty industry standard), and therefore issue you with a "fake" or "tampered" certificate on behalf of the website you were actually visiting (and I'm not explaining how the rest of that works), however, they don't always reconstruct certificates correctly - which is a trivial issue, and you may have inadvertently found a certificate that does throw a spanner in the works.

I doubt it is the ads, but I'll look into it.
Cranium #27
Posted 23 January 2013 - 11:50 AM
Meh, thought it was worth noting, since I know next to nothing about how websites are constructed. I saw an error, and thought it should be addressed. Glad to see you're on it though.
dissy #28
Posted 23 January 2013 - 12:45 PM
I noticed the URL in your browser is a forum thread.

Not only are ads pulled in off-site, but also the images from every poster's signature on that page of posts.
The problem could be with either one.

If you get that warning consistently on a certain page of a thread for a time (until more posts are made and that user's sig moves to the next page), it might be a sig image.

Ads I would imagine are different each time, so would be much more inconsistent.
I wouldn't have noticed an ad problem, as I run AdBlocker+ (Apologies to Cloudy and Dan for that, but I did just order some turtles to make up for it!)

Of course if your work place is intercepting encrypted traffic by spoofing certificates, that could be breaking it too.
As an IT manager myself, I personally would never lower myself to such a practice, so I'm not too familiar with the software that does this… But I do have an understanding of how it works, and basically the only thing that must look different in the certificate is the "signed by" field of the certificate authority (this can't be spoofed)
However IE is specially made to accept and trust the certificate on your work domain controller as much as any website's. (Technically it trusts the corporate domain controller cert even MORE than any website.. but that wouldn't matter here)

If that was the case however, I'd imagine you would get that warning either a whole lot more frequently, or never at all.
Cranium #29
Posted 23 January 2013 - 12:47 PM
Nah, it can't be the images, since it happens randomly. I do think it's the ads, since I am logged into my Gmail account, and it is querying that. Kinda like with what Afterlifelochie was saying, the proxy my work uses must be doing some funkiness to the certificates.
dissy #30
Posted 23 January 2013 - 01:09 PM
Nah, it can't be the images, since it happens randomly. I do think it's the ads, since I am logged into my Gmail account, and it is querying that. Kinda like with what Afterlifelochie was saying, the proxy my work uses must be doing some funkiness to the certificates.

That is the most likely cause. SSL certificates on a web server need to be renewed every year, as they contain an expiration date.
(Even true if you pay for say 10 years up front. You get a cert good for 1 year, then at the end of that time you simply get your next year's cert without paying again)

I can totally see an Ad hoster either skimping on bills, not having the thought to renew or check for expiration, or even trying to do some self-signed certificate to avoid paying. (Or any combination of the above!)
Normally these conditions show a specific message. Certificate expired or such. For self-signed certs, most browsers show a horrible danger page of warning, almost implying a self-signed cert is worse off than not having any encryption at all! You've likely seen that before.

But combined with a proxy server re-writing the certificates, $deity only knows how it would muck that up!
I can also totally see the proxy doing something stupid, like retaining an expiration date of 2012, but setting the creation date to today. Or just choking on a required field.
Any of that would cause a nondescript error like you're getting.
zekesonxx #31
Posted 14 March 2013 - 06:38 AM
Google would never let their SSL certs expire, they're the ones who issue them (Yes, Google is a certificate authority).

The following things could be happening:
  • Someone's signature is connecting to a secure URL that has an expired certificate
  • Your place of proxy is messing with the certificate
  • Your browser has an old/outdated list of trusted certificate authorities.
  • Internet Explorer is worthless

And for the admins, I would recommend installing an SSL cert from StartSSL so that people can browse with HTTPS.
AfterLifeLochie #32
Posted 14 March 2013 - 09:10 AM
Google would never let their SSL certs expire, they're the ones who issue them (Yes, Google is a certificate authority).

The following things could be happening:
  • Someone's signature is connecting to a secure URL that has an expired certificate
  • Your place of proxy is messing with the certificate
  • Your browser has an old/outdated list of trusted certificate authorities.
  • Internet Explorer is worthless

And for the admins, I would recommend installing an SSL cert from StartSSL so that people can browse with HTTPS.
Excellent job reviving a three-month-old thread.

In previous discussions about SSL and CC.info - we do not support SSL, end of story. Why?
  • Why would you secure a forum where anyone can see content? SSL exposes the URL, so any "attacker" - which I doubt anyone would - could still see what you're visiting. SSL would only really benefit PM-sending.
  • You shouldn't be exchanging "super-sensitive" data on the forums in the first place. If you want absolute security, don't say it here.
  • SSL is really only effective against internal network attacks - such as ARP routing table and redirector attacks - and even then, there are tools out there which can adequately convince the user they're still seeing the real, SSL-encrypted site.
  • Getting an SSL certificate in this day is easy - but we can't install it. I don't know the specifics of the server, but we do require a dedicated IP address and have the host install the certificates. I'm not sure if they even support it, who knows.
Cranium #33
Posted 14 March 2013 - 02:19 PM
Plus, we had already determined it to be an issue with my work proxy, and not an issue with the forums. It never happens anywhere else. So….issue resolved….kinda. No need to drag this out, I suppose.