annoying message "The certificate authority's certificate is invalid" in rekonq and kaddressbook

I noted it in rekonq, sometimes it comes with an annoying message in a window where I have to answer “forever” or “only for this session” many times, and this forever isn’t forever because the same message pops up again later, so I stopped using rekonq, but evidently it wasn’t related only to rekonq because now I received the same message like this:

The server failed the authenticity check (accounts.google.com).

The certificate authority's certificate is invalid
The root certificate authority's certificate is not trusted for this purpose

but it seems to come from kaddressbook where I set contacts of my google account.
how can I get rid of this annoying message???
many thanks, :slight_smile: ciao :slight_smile: pier

This is usually a problem at the Web server end where a certificate is bad or out of date. It can also indicate you are being redirected to a bad site, so you don’t really want to turn it off since it is a protection that alerts you to possible attacks.

On Sun, 30 Mar 2014 08:16:01 +0000, pier andreit wrote:

> how can I get rid of this annoying message???

Notify the website in question that their certificate may be invalid.

Seriously, that’s the best option - if you just blindly ignore the
message, you may be subjecting yourself to a man-in-the-middle attack
with a forged certificate.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

I get that from time to time, with rekonq, konqueror and akregator.

I mostly click the “only for this session”, and proceed. Usually it is a site that isn’t important (not a bank, not a site where I actually login).

There is a “details” button you can click to see more details. It’s usually something silly, such as a mismatch between the website name and the name on the certificate.

I rarely see this when using firefox. My best guess is that the problem is with secondary sites serving up images or advertising, and firefox is deciding that it isn’t an issue for such sites.

Or,
It can mean that the client app isn’t pre-installed with a valid current list of trusted CAs. I don’t know about your specific mail client, but I doubt its owners/authors are willing to pay the immense amounts of money to automatically authorize the same list of CAs the major web browsers use. So, unless the mail client is associated with one of those browsers, a common solution is to just manually authorize connecting the first time you connect. If you then select “Trust Always…” you should not be challenged again.

TSU

I’m pretty sure that the certificate store in opensuse is populated from the firefox certificates, with a few additions. I’m not aware of any cost for having CA certificates on hand. There is typically a cost for a client certificate, such as if you run a secure (https) web site.

On 2014-03-30 21:53, Jim Henderson wrote:
> On Sun, 30 Mar 2014 08:16:01 +0000, pier andreit wrote:
>
>> how can I get rid of this annoying message???
>
> Notify the website in question that their certificate may be invalid.
>
> Seriously, that’s the best option - if you just blindly ignore the
> message, you may be subjecting yourself to a man-in-the-middle attack
> with a forged certificate.

Some opensuse sites used for developing work have “invalid”
certificates, because they are self-signed :wink: :-p


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On Sun, 30 Mar 2014 22:58:08 +0000, Carlos E. R. wrote:

> On 2014-03-30 21:53, Jim Henderson wrote:
>> On Sun, 30 Mar 2014 08:16:01 +0000, pier andreit wrote:
>>
>>> how can I get rid of this annoying message???
>>
>> Notify the website in question that their certificate may be invalid.
>>
>> Seriously, that’s the best option - if you just blindly ignore the
>> message, you may be subjecting yourself to a man-in-the-middle attack
>> with a forged certificate.
>
> Some opensuse sites used for developing work have “invalid”
> certificates, because they are self-signed :wink: :-p

True, but in theory that /shouldn’t/ be the case for a public website,
which it seems is what we’re talking about - not a development website.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

In my experience,
Every web browser maintains its own certificate store individually, nothing is shared.

In the same vein, the OS maintains its own cert stores for its own use and is never used by many apps, eg web browsers.

Each cert store should be individual because each might be used for a particular purpose, eg corporate network security. So, logins could be based on certs which should not ever be exposed as common website certs.

TSU

Probably true for some browsers.

I’m looking at Yast Software Manager. The description of the package “ca-certificates-mozilla” says:

  • This package contains some CA root certificates for OpenSSL extracted from MozillaFirefox

No, the system isn’t sharing with firefox. Rather, the certificates have been extracted from firefox, and added to the system wide openssl store. I know, for sure, that “fetchmail” uses that certificate store. I suspect that konqueror does, too.

On 2014-03-31 07:35, Jim Henderson wrote:
> True, but in theory that /shouldn’t/ be the case for a public website,
> which it seems is what we’re talking about - not a development website.

I have seen government sites here with self signed certificates. At
best, they create their own certificate agency and use it. My city does
that for the site used for paying taxes… (no, I’m not giving the
links, might give too much information about myself, and they are in
Spanish, anyway :slight_smile: )

My ISP uses a worse one:


/var/log/mail-20130608.xz:
> <2.6> 2013-06-06 03:05:12 Telcontar postfix 18156 - -  certificate verification failed for smtp.telefonica.net[213.4.149.228]:25: untrusted issuer /C=US/O=RTFM, Inc./OU=Widgets Divion failed for smtp.telefonica.net[213.4.149.228]:25: untrusted issuer /C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
> <2.6> 2013-06-06 03:05:12 Telcontar postfix 18156 - -  Untrusted TLS connection established to smtp.telefonica.net[213.4.149.228]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

Do you see the “RTFM” above? They simply used the example configuration
of the smtp server they used. I have logs of that situation for years, I
think, but the above is the last time it happened. The message then
changed to this one:


> <2.6> 2013-06-16 04:15:57 Telcontar postfix 29424 - -  Untrusted TLS connection established to smtp.telefonica.net[213.4.149.228]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

But it happened that I upgraded from 12.3 to 13.1 on 2013-06-08, so
perhaps I do not get the warning because I changed my config. So
probably my ISP is still using the same bad TLS certificate. …] Oh,
yes, the ID is the same one.

Just as an example I can show of broken sites I remember about :slight_smile:


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
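The “untrusted issuer” line in the postfix log above and TSU’s earlier point about the client’s list of trusted CAs are the same check seen from two sides. As an added example (not code from any poster in this thread), the script below builds a constructed private CA with the openssl command-line tool and runs the verification offline: the same server certificate fails when its issuer is not in the trust store and passes once the CA’s root is trusted, which is what “Trust Always” records. Hostnames and CA names are hypothetical; openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the forum thread): reproduce the "untrusted issuer",
# self-signed and hostname-mismatch failures with a constructed private CA,
# then show that trusting that CA's root makes the same certificate verify.
# All names are hypothetical; requires the openssl command-line tool.
set -eu

WORK=$(mktemp -d)
SERVER_NAME="smtp.example.test"

# Minimal req config so the result does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:$SERVER_NAME
EOF

# 1. A private root CA, like the "certificate agency" a city or ISP might create.
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/O=Example Test CA/CN=Example Test Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# 2. A server certificate issued by that CA, with the hostname in a subjectAltName.
openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$SERVER_NAME" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/ca.cnf" -extensions leaf -out "$WORK/server.crt" 2>/dev/null
# 3. A self-signed server certificate, like the RTFM example config the ISP shipped.
openssl req -x509 -config "$WORK/ca.cnf" -extensions leaf -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$SERVER_NAME" -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null

# verify_cert CERT TRUSTED_ROOTS HOSTNAME: prints OK or OpenSSL's reason; exit 0/1.
verify_cert() {
    if out=$(openssl verify -CAfile "$2" -verify_hostname "$3" "$1" 2>&1); then
        echo "OK"
    else
        # e.g. "unable to get local issuer certificate", "self signed certificate"
        echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
        return 1
    fi
}

# Same server certificate, two trust stores: unknown issuer fails, trusted root passes.
verify_cert "$WORK/server.crt" "$WORK/self.crt" "$SERVER_NAME" || true
verify_cert "$WORK/server.crt" "$WORK/ca.crt" "$SERVER_NAME"
verify_cert "$WORK/self.crt" "$WORK/ca.crt" "$SERVER_NAME" || true
verify_cert "$WORK/server.crt" "$WORK/ca.crt" "mail.other.test" || true
```

The temporary directory in $WORK is left in place so the certificates can be inspected with `openssl x509 -text -noout -in ...`, the same details the “details” button shows.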

On Mon, 31 Mar 2014 21:23:07 +0000, Carlos E. R. wrote:

> On 2014-03-31 07:35, Jim Henderson wrote:
>> True, but in theory that /shouldn’t/ be the case for a public website,
>> which it seems is what we’re talking about - not a development website.
>
> I have seen government sites here with self signed certificates. At
> best, they create their own certificate agency and use it. My city does
> that for the site used for paying taxes… (no, I’m not giving the
> links, might give too much information about myself, and they are in
> Spanish, anyway :slight_smile: )

Well, as I said, they /shouldn’t/, and that they do means they need to be
told, because they’re putting you and every citizen who uses their
website at risk of an MITM attack by using a self-signed certificate that
can’t have its authenticity verified.

I didn’t say that it /doesn’t/ happen, I said that it /shouldn’t/ happen,
and when it does, the owners of the website need to be told that they’re
risking their customers’ security, because they are.

> Do you see the “RTFM” above? They simply used the example configuration
> of the smtp server they used. I have logs of that situation for years, I
> think, but the above is the last time it happened. The message then
> changed to this one:

Same comment as above.

> Just as an example I can show of broken sites I remember about :slight_smile:

Of course there are broken sites on the Internet - I never claimed that
there weren’t. I merely said that the site owners should be notified -
repeatedly if necessary - if they’re doing security wrong, because
they’re creating a risk for their users.

Doing that is far better than looking for a permanent way to ignore the
fact that the site is improperly secured and risking your own personal
data.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2014-04-01 00:30, Jim Henderson wrote:
> On Mon, 31 Mar 2014 21:23:07 +0000, Carlos E. R. wrote:

> I didn’t say that it /doesn’t/ happen, I said that it /shouldn’t/ happen,
> and when it does, the owners of the website need to be told that they’re
> risking their customers’ security, because they are.

Oh, they know! And they don’t care.

> Of course there are broken sites on the Internet - I never claimed that
> there weren’t. I merely said that the site owners should be notified -
> repeatedly if necessary - if they’re doing security wrong, because
> they’re creating a risk for their users.

Well, as I said, Novell is using self signed certificates on some of
their sites, where the software we use is created and maintained :wink:

The idea is that once you accept one of these certificates, the user can
detect a change or an intercept later on. But of course, when that
happens, the user might simply accept the change too…

Sometimes, I don’t have to accept a certificate. I have to accept
instead the root certificate of the certificate agency they create!

At least one of these agencies took note when I told them of the issue
and they did something about it. I know, I’m vague, but I would have to
dig out our email conversation to find out what I told them and their
reaction - positive in this case. The only one I have met…


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On Mon, 31 Mar 2014 23:23:07 +0000, Carlos E. R. wrote:

> On 2014-04-01 00:30, Jim Henderson wrote:
>> On Mon, 31 Mar 2014 21:23:07 +0000, Carlos E. R. wrote:
>
>
>> I didn’t say that it /doesn’t/ happen, I said that it /shouldn’t/
>> happen,
>> and when it does, the owners of the website need to be told that
>> they’re risking their customers’ security, because they are.
>
> Oh, they know! And they don’t care.

Then maybe it’s time to get it reported in the press.

Either way, I repeat what I said before: They /shouldn’t/ do that. That
doesn’t mean it doesn’t happen.

>> Of course there are broken sites on the Internet - I never claimed that
>> there weren’t. I merely said that the site owners should be notified -
>> repeatedly if necessary - if they’re doing security wrong, because
>> they’re creating a risk for their users.
>
> Well, as I said, Novell is using self signed certificates on some of
> their sites, where the software we use is created and maintained :wink:

Well, and again, they shouldn’t really be doing that, so send feedback on
the website. There’s a “contact us” link at the bottom of each page. Or
provide that info in a PM here, and I’ll pass it along. If that’s
happening, it shouldn’t - and they /should/ know better. It’s not like
they don’t have actual valid certificates with a valid trust chain back
to a public CA.

> The idea is that once you accept one of these certificates, the user can
> detect a change or an intercept later on. But of course, when that
> happens, the user might simply accept the change too…

I’ve been doing identity/security stuff for nearly two decades now - I do
know how this works. I’ve generated self-signed certificates myself for
my own identity stores, both in production (but not for external websites
- because that’s not how you /do/ that) and in the lab.

You’re not explaining this to some neophyte who’s unaware of how things
are done. :wink:

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2014-04-01 03:05, Jim Henderson wrote:
> On Mon, 31 Mar 2014 23:23:07 +0000, Carlos E. R. wrote:

>> Oh, they know! And they don’t care.
>
> Then maybe it’s time to get it reported in the press.

Nay. Not me, not in my country. Very complicated to explain. :slight_smile:

>> Well, as I said, Novell is using self signed certificates on some of
>> their sites, where the software we use is created and maintained :wink:
>
> Well, and again, they shouldn’t really be doing that, so send feedback on
> the website. There’s a “contact us” link at the bottom of each page. Or
> provide that info in a PM here, and I’ll pass it along. If that’s
> happening, it shouldn’t - and they /should/ know better. It’s not like
> they don’t have actual valid certificates with a valid trust chain back
> to a public CA.

Oh, I reported it on the mail list we use, in 2008, and on Bugzilla.
Everybody knows. Or knew :slight_smile:

forgesvn1.novell.com

The site is no longer used, so no longer an issue. Now we use
svn.opensuse.org instead, which has a correct certificate. Write access
is now via svn server, with login identification, which is handled
differently.

That’s just one site I remember.

>> The idea is that once you accept one of these certificates, the user can
>> detect a change or an intercept later on. But of course, when that
>> happens, the user might simply accept the change too…
>
> I’ve been doing identity/security stuff for nearly two decades now - I do
> know how this works. I’ve generated self-signed certificates myself for
> my own identity stores, both in production (but not for external websites
> - because that’s not how you /do/ that) and in the lab.
>
> You’re not explaining this to some neophyte who’s unaware of how things
> are done. :wink:

Ok, appreciated :slight_smile:


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On Tue, 01 Apr 2014 13:03:06 +0000, Carlos E. R. wrote:

>>> Well, as I said, Novell is using self signed certificates on some of
>>> their sites, where the software we use is created and maintained :wink:
>>
>> Well, and again, they shouldn’t really be doing that, so send feedback
>> on the website. There’s a “contact us” link at the bottom of each
>> page.
>> Or provide that info in a PM here, and I’ll pass it along. If that’s
>> happening, it shouldn’t - and they /should/ know better. It’s not like
>> they don’t have actual valid certificates with a valid trust chain back
>> to a public CA.
>
> Oh, I reported it on the mail list we use, in 2008, and on Bugzilla.
> Everybody knows. Or knew
>
> forgesvn1.novell.com
>
> The site is no longer used, so no longer an issue. Now we use
> svn.opensuse.org instead, which has a correct certificate. Write access
> is now via svn server, with login identification, which is handled
> differently.
>
> That’s just one site I remember.

OK, well, a report on a site that’s no longer used isn’t useful to me.
If you run into another, let me know and I’ll pass it along to TPTB.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2014-04-01 17:38, Jim Henderson wrote:

> OK, well, a report on a site that’s no longer used isn’t useful to me.
> If you run into another, let me know and I’ll pass it along to TPTB.

Will do, thanks.

I simply know that I have hit several such sites, over the years, and
that’s simply one I remember.

Another one might be the vertaal site used by several opensuse
translator teams. Currently it is not even https, yet it can submit
translations to the svn tree. The project is maintained by a single
volunteer, so it is probably as much as he can do. And very glad we are
for what he does…

(There is an https page, but it does not currently work. It did, time
ago, and had a private certificate)

In fact, the site was hosted on .ar some months back. Now it is on a .tk
domain instead, and we have not been told about it. It could be
hijacked, for all I know. But the contents seem correct, after login, so
it should be good…


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On Tue, 01 Apr 2014 17:28:08 +0000, Carlos E. R. wrote:

> Another one might be the vertaal site used by several opensuse
> translator teams. Currently it is not even https, yet it can submit
> translations to the svn tree. The project is maintained by a single
> volunteer, so it is probably as much as he can do. And very glad we are
> for what he does…
>
> (There is an https page, but it does not currently work. It did, time
> ago,
> and had a private certificate)
>
>
> In fact, the site was hosted on .ar some months back. Now it is on a .tk
> domain instead, and we have not been told about it. It could be
> hijacked, for all I know. But the contents seem correct, after login, so
> it should be good…

URL?

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2014-04-01 23:46, Jim Henderson wrote:

>> In fact, the site was hosted on .ar some months back. Now it is on a .tk
>> domain instead, and we have not been told about it. It could be
>> hijacked, for all I know. But the contents seem correct, after login, so
>> it should be good…
>
> URL?

vertaal.tk, previously vertaal.com.ar

It is not on https now, so it can not even use a certificate. As I said,
it is maintained by a volunteer on his own money, with little time, so
it is about all he can do. Several openSUSE translator teams use it a
lot, we absolutely depend on it.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On Tue, 01 Apr 2014 23:03:06 +0000, Carlos E. R. wrote:

> On 2014-04-01 23:46, Jim Henderson wrote:
>
>>> In fact, the site was hosted on .ar some months back. Now it is on a
>>> .tk domain instead, and we have not been told about it. It could be
>>> hijacked, for all I know. But the contents seem correct, after login,
>>> so it should be good…
>>
>> URL?
>
> vertaal.tk, previously vertaal.com.ar
>
> It is not on https now, so it can not even use a certificate. As I said,
> it is maintained by a volunteer on his own money, with little time, so
> it is about all he can do. Several openSUSE translator teams use it a
> lot, we absolutely depend on it.

Is it an official part of the openSUSE project? If it isn’t, then it’s
not something that necessarily is something anyone at SUSE can do
anything about.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C