Expired SSL certificate (opens in new tab)

(manjaro.github.io)

78 pointschton10y ago67 comments

67 comments

WTF, changing your PC date is not a solution! This will cause more issues.

A much better workaround would have been to install SuperFish as that completely disables all certificate checking on SSL.

ikt10y ago

I guess they should have just put a notice up saying forums and wiki unavailable, that could have prevented this whole mess.

Yeri10y ago

Indeed, what a silly workaround.

phyzome10y ago

Yeah, doesn't that generally result in a time mismatch? I thought the server and client had to roughly agree on the time.

jng10y ago

What is shocking is that they still haven't found the way to properly fix it after 3 days.

I updated some SSL certificates last week (which even required contortions such as moving to a new issuer since some legacy software requires old-style SHA-1 signed ones which our current one doesn't provide), and it didn't take more than one (long) day of work.

IgorPartola10y ago

At this point, changing out a cert takes me about 15 minutes (typically for multiple servers). 10 of those is figuring out the order in which to include intermediate certs. I really should script that part out.

jonathonf10y ago

It's just embarrassing.

I can only assume the sysop is on holiday.

josephmx10y ago

Checking their about page, they have 3 web developers, one of which wrote that post. That's worrying.

1 more reply

billpg10y ago

I wonder if browsers should for (say) a week after a cert has expired, show an error so alarms are raised, but allow the dialog to be dismissed with an OK instead of all the "Confirm Security Exception" that would go on for a more serious cert rejection.

userbinator10y ago

I think the real problem is that, by assuming users won't read error messages carefully, and making them shorter/less informative as a result, we've been implicitly encouraging this behaviour, leading to even less attention paid to the messages, etc. and the vicious cycle continues.

The original argument was that seeing error messages often will make users ignore them, but I don't think certificate errors should be very common now. Either way, I think we should be encouraging users to read error messages more carefully. Maybe the Yes/No buttons on the dialog should be put in a random order, and the question randomly flips between "Do you want to proceed?" and "Do you want to abort?"... adding a "learn more" option would be a good idea too.

DangerousPie10y ago

I like this idea. At the moment there is nothing that differentiates a "this cert expired yesterday" warning from a "someone is MITMing your connection" warning, at least not for the casual user.

And since the former is (sadly) pretty common, this only teaches people that these warnings are not that unusual, and can safely be overridden.

It would be much better to have one "the server admin forgot to renew his certificate" type of warning and another "a totalitarian regime is trying to spy on you" type of warning...

mijndert10y ago

And because of this I overheard someone say "I just click Okay because else the website won't load!".

ins010y ago

That is by far not the job of a browser to remind server administrators to renew there certs and display that message to random users.

billpg10y ago

Alas, in this imperfect world, phone calls from random users are how server admins are notified of cert expiry.

2 more replies

drinchev10y ago

I don't agree. If this happens, same rule should apply for domain name expiration.

ikeboy10y ago

You just made me wonder what happens if you have a cert but let the name expire. Can you MITM your old domain until the cert expires?

1 more reply

lucb1e10y ago

That's actually not a bad idea.

mijndert10y ago

That shouldn't be default behaviour in any browser but rather a plugin that you can install that gives the notification. Preferably with a whitelist of websites that I want to get notifications of.

ikeboy10y ago

In chrome, if I click "advanced", it tells me that it's expired, and how long ago.

ntoshev10y ago

Our website monitoring service https://t1mr.com will warn you before your certificate expires (in addition to warning you when your site is down, and giving you reports of inbound and outbound dead links).

falcolas10y ago

As does nagios' http check with the -c option. Basic monitoring helps solve so many problems.

seqizz10y ago

Should we set it to 1st of April?

agarcia-deniz10y ago

I can't help but notice the motto:

Enjoy the simplicity

Karunamon10y ago

Rant mode:

If I understand right, getting a replacement cert doesn't result in a change of the private key anyways.

It's just magically, on the expiration date, your cert is somehow insecure and we must treat it as if YOU ARE IN DANGER!! - even though it's still better than then plain HTTP that everyone uses every single goddamned day. Hell, a self signed cert is better than plain HTTP, yet for some backwards-ass reason we treat it as worse, despite the fact it makes you immune from passive eavesdropping and any injection attacks, which the average person is a lot more likely to run into than a self-signed cert being used by an attacker to MITM you.

CA's are a scam and a racket. I can't wait for Mozilla's Let's Encrypt[1] to come along and put them all out of business, hopefully before the last decade or so of training users to ignore the wolf-crying cert warnings comes to fruition.

Yeah, this is irresponsible on Manjaro's part, they know the rules of the game, but the game is broken!

[1] http://letsencrypt.org

billpg10y ago

A "passive eavesdropper" has all the information they need to become an active man-in-the-middle. Observe the DNS query on its way out and send your own response with your IP before the real response comes back. The client will then make its TCP connection to that injected IP.

userbinator10y ago

send your own response with your IP before the real response comes back

Being able to inject traffic is not "passive".

1 more reply

Zikes10y ago

Self-signed can be worse because by the same token it can be MITM'd by another self-signed cert. It would create the false illusion of security, which could lead people to provide information they otherwise would not have.

xg1510y ago

With all due respect, how is that worse than HTTP? Plain HTTP can be MITMed just as well, only that on HTTP - except that no one would do that because for HTTP, plain old packet sniffing is enough to eavesdrop on a connection. Which doesn't work for self-signed HTTPS connections. And there are in fact a lot of common scenarios where it is easy for an attacker to sniff packets but harder to establish an MITM.

2 more replies

abofh10y ago

30 minutes, comodo reseller, seriously; You won't get SHA256, but you won't be asking your users to hurt themselves.

1 more reply

bitJericho10y ago

Don't pretty much all browsers let you accept using an expired certificate?

jonathonf10y ago

The issue is with HSTS. If you've visited the site before you've likely cached that SSL is required and your browser will refuse to connect. Using e.g. a 'private window' will allow it to be bypassed.

nileshtrivedi10y ago

> Using e.g. a 'private window' will allow it to be bypassed

In Firefox, yes. But not in Chrome (in my experience).

ins010y ago

Yes was my thought also but put glasses on this workaround is even better, as it may scrow up more ssl certs from other domains.

nailer10y ago

Not if you're using HSTS. Here's what the error looks like in current Chrome: https://certsimple.com/images/blog/hsts.png

lauriswtf10y ago

Why is this on the frontpage?

bitJericho10y ago

Because it's kind of completely ridiculous; both the problem and the proposed solution.

tommorris10y ago

...and the fact that it kind of suggests that you might not want to trust a Linux distro to get security right on your boxes if they are unable to fix their SSL certs after 3 days.

1 more reply

mahouse10y ago

Because people are forgetting that the first rule of Hacker News is that no fun is allowed.

HendrikR10y ago

This is really awesome. Why do certificates expire in the first place?

billpg10y ago

By having an expiry, revoked certs can be forgotten about once the expiry has passed. We'd need to keep a forever growing list of revocations otherwise.

legulere10y ago

Also certs get switched to ones with stronger algorithms and longer keylengths after expiry. You also would have to revoke old certs all the time when their crypto isn't safe anymore.

andygambles10y ago

Awesome

j / k navigate · click thread line to collapse

67 comments

thejosh10y ago

WTF, changing your PC date is not a solution! This will cause more issues.

UnoriginalGuy10y ago

A much better workaround would have been to install SuperFish as that completely disables all certificate checking on SSL.

ikt10y ago

I guess they should have just put a notice up saying forums and wiki unavailable, that could have prevented this whole mess.

Yeri10y ago

Indeed, what a silly workaround.

phyzome10y ago

Yeah, doesn't that generally result in a time mismatch? I thought the server and client had to roughly agree on the time.

jng10y ago

What is shocking is that they still haven't found the way to properly fix it after 3 days.

IgorPartola10y ago

jonathonf10y ago

It's just embarrassing.

I can only assume the sysop is on holiday.

josephmx10y ago

Checking their about page, they have 3 web developers, one of which wrote that post. That's worrying.

1 more reply

billpg10y ago

userbinator10y ago

DangerousPie10y ago

I like this idea. At the moment there is nothing that differentiates a "this cert expired yesterday" warning from a "someone is MITMing your connection" warning, at least not for the casual user.

And since the former is (sadly) pretty common, this only teaches people that these warnings are not that unusual, and can safely be overridden.

It would be much better to have one "the server admin forgot to renew his certificate" type of warning and another "a totalitarian regime is trying to spy on you" type of warning...

mijndert10y ago

And because of this I overheard someone say "I just click Okay because else the website won't load!".

ins010y ago

That is by far not the job of a browser to remind server administrators to renew there certs and display that message to random users.

billpg10y ago

Alas, in this imperfect world, phone calls from random users are how server admins are notified of cert expiry.

2 more replies

drinchev10y ago

I don't agree. If this happens, same rule should apply for domain name expiration.

ikeboy10y ago

You just made me wonder what happens if you have a cert but let the name expire. Can you MITM your old domain until the cert expires?

1 more reply

lucb1e10y ago

That's actually not a bad idea.

mijndert10y ago

That shouldn't be default behaviour in any browser but rather a plugin that you can install that gives the notification. Preferably with a whitelist of websites that I want to get notifications of.

ikeboy10y ago

In chrome, if I click "advanced", it tells me that it's expired, and how long ago.

ntoshev10y ago

falcolas10y ago

As does nagios' http check with the -c option. Basic monitoring helps solve so many problems.

seqizz10y ago

Should we set it to 1st of April?

agarcia-deniz10y ago

I can't help but notice the motto:

Enjoy the simplicity

Karunamon10y ago

Rant mode:

If I understand right, getting a replacement cert doesn't result in a change of the private key anyways.

Yeah, this is irresponsible on Manjaro's part, they know the rules of the game, but the game is broken!

[1] http://letsencrypt.org

billpg10y ago

userbinator10y ago

send your own response with your IP before the real response comes back

Being able to inject traffic is not "passive".

1 more reply

Zikes10y ago

xg1510y ago

2 more replies

abofh10y ago

30 minutes, comodo reseller, seriously; You won't get SHA256, but you won't be asking your users to hurt themselves.

1 more reply

bitJericho10y ago

Don't pretty much all browsers let you accept using an expired certificate?

jonathonf10y ago

nileshtrivedi10y ago

> Using e.g. a 'private window' will allow it to be bypassed

In Firefox, yes. But not in Chrome (in my experience).

ins010y ago

Yes was my thought also but put glasses on this workaround is even better, as it may scrow up more ssl certs from other domains.

nailer10y ago

Not if you're using HSTS. Here's what the error looks like in current Chrome: https://certsimple.com/images/blog/hsts.png

lauriswtf10y ago

Why is this on the frontpage?

bitJericho10y ago

Because it's kind of completely ridiculous; both the problem and the proposed solution.

tommorris10y ago

...and the fact that it kind of suggests that you might not want to trust a Linux distro to get security right on your boxes if they are unable to fix their SSL certs after 3 days.

1 more reply

mahouse10y ago

Because people are forgetting that the first rule of Hacker News is that no fun is allowed.

HendrikR10y ago

This is really awesome. Why do certificates expire in the first place?

billpg10y ago

By having an expiry, revoked certs can be forgotten about once the expiry has passed. We'd need to keep a forever growing list of revocations otherwise.

legulere10y ago

Also certs get switched to ones with stronger algorithms and longer keylengths after expiry. You also would have to revoke old certs all the time when their crypto isn't safe anymore.

andygambles10y ago

Awesome

j / k navigate · click thread line to collapse