annoying message "The certificate authority's certificate is invalid" in rekonq and kaddressbook

On 2014-04-02 01:10, Jim Henderson wrote:

> Is it an official part of the openSUSE project? If it isn’t, then it’s
> not something that necessarily is something anyone at SUSE can do
> anything about.

Nor did I ask. :slight_smile:

It is not sponsored by Novell, but it is part of openSUSE, in as much as
it has been developed and maintained by members, and is used by openSUSE
translators to translate openSUSE. Instead of directly using the
openSUSE maintained SVN server, we use this service instead, which
accesses the SVN in our stead.

At worst, any change to SVN can be reverted, same as anything done by
anybody can be reverted on SVN. Any contributor could become mad one day
and do something weird, but what they do can be reverted :slight_smile:

(accidents happen now and then, on the svn, and we have to revert
them… it’s happened a few times)


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On Tue, 01 Apr 2014 23:48:07 +0000, Carlos E. R. wrote:

> On 2014-04-02 01:10, Jim Henderson wrote:
>
>> Is it an official part of the openSUSE project? If it isn’t, then it’s
>> not something that necessarily is something anyone at SUSE can do
>> anything about.
>
> Nor did I ask. :slight_smile:

Then there’s not really anything further to discuss here.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

…:)ok, I understand that it is dangerous for a MITM attack and for others, but, why don’t firefox, chrome, chromium and opera have the same behaviour with the very same sites that in rekonq and konqueror and now in kaddressbook give the annoying message???
is it dangerous too to use these browsers??
and more, if I don’t care about any kind of attack, how can I get rid of this message??
…many thanks, :slight_smile: ciao :slight_smile: pier

On Thu, 03 Apr 2014 02:56:01 +0000, pier andreit wrote:

> …:)ok, I understand that it is dangerous for a MITM attack and for
> others, but, why don’t firefox, chrome, chromium and opera have the same
> behaviour with the very same sites that in rekonq and konqueror and now
> in kaddressbook give the annoying message???

That would have been useful information to have up front - If I missed
where you mentioned that before, my apologies.

> is it dangerous too to use these browsers??

Obviously the browsers are safe to use, and knowing that that was the
case would have informed the discussion of additional information.

> and more, if I don’t care about any kind of attack, how can I get rid of
> this message??
> …many thanks, :slight_smile: ciao :slight_smile: pier

Hopefully someone who is more familiar with the apps in question will be
able to provide you with information about how to tweak the settings.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

I’ve just run into an example of this (with konqueror)

The web page that I was viewing http://www.patheos.com/blogs/friendlyatheist/2014/04/10/god-too-is-subject-to-forces-of-evolution/

The warning was for a different site: “analytics.stageaholic.com”

The site of the warning was probably serving up advertisements. It is probably a case of rotating ads so you might not always see that.

The error message:

 The server failed the authenticity check (analytics.stageaholic.com).

 The certificate authority's certificate is invalid
 The root certificate authority's certificate is not trusted for this purpose
 The certificate cannot be verified for internal reasons

When I click the “details” button, most of what I see looks normal. The certificate in question is described as a server certificate. My reading (perhaps mistaken) of the error message, is that the CA certificate used is not approved for signing server certificates.

I tried browsing to “https://analytics.stageaholic.com/” in firefox, and I do not get any warning there (it presents an apparently empty page).

Note that I’m mentioning this because of a request for examples earlier in the thread. I’m not particularly bothered by it. I can tell konqueror to ignore the problem. I was not expecting any security on the page I was visiting, so no security concerns here.

yes, but how can I tell konqueror and rekonq to ignore it???
many thanks, ciao :slight_smile: pier

By that (“tell konqueror to ignore it”), I only meant that I click the “continue” button after the alert. It then gives me the choice to allow for this session or forever. I choose the session. But even if I chose “forever”, that would apply only to the particular site and particular certificate being used. I don’t think there’s a global setting to always ignore these for all sites.

On Fri, 11 Apr 2014 02:26:01 GMT, nrickert
<nrickert@no-mx.forums.opensuse.org> wrote:

>
>I’ve just run into an example of this (with konqueror)
>
>The web page that I was viewing http://tinyurl.com/kt2jk6s
>
>The warning was for a different site: “analytics.stageaholic.com”
>
>The site of the warning was probably serving up advertisements. It is
>probably a case of rotating ads so you might not always see that.
>
>The error message:
>
>Code:
>--------------------
>
> The server failed the authenticity check (analytics.stageaholic.com).
>
>
> The certificate authority’s certificate is invalid
> The root certificate authority’s certificate is not trusted for this purpose
> The certificate cannot be verified for internal reasons
>
>--------------------
>
>
>When I click the “details” button, most of what I see looks normal. The
>certificate in question is described as a server certificate. My
>reading (perhaps mistaken) of the error message, is that the CA
>certificate used is not approved for signing server certificates.
>
>I tried browsing to “https://analytics.stageaholic.com/” in firefox, and
>I do not get any warning there (it presents an apparently empty page).
>
>Note that I’m mentioning this because of a request for examples earlier
>in the thread. I’m not particularly bothered by it. I can tell
>konqueror to ignore the problem. I was not expecting any security on
>the page I was visiting, so no security concerns here.

You might want to read this:

http://www.csl.sri.com/users/risko/risks.txt

Mods, decide if you want this propagated more widely.

?-)

It would appear that on Apr 11, nrickert did say:

> pier_andreit;2636405 Wrote:
> > yes, but how can I tell konqueror and rekonq to ignore it???
> > many thanks, ciao :slight_smile: pier
>
> By that (“tell konqueror to ignore it”), I only meant that I click the
> “continue” button after the alert. It then gives me the choice to allow
> for this session or forever. I choose the session. But even if I chose
> “forever”, that would apply only to the particular site and particular
> certificate being used. I don’t think there’s a global setting to
> always ignore these for all sites.

Please pardon my jumping in here: I use neither konqueror nor rekonq…

But this discussion interests me because of a similar issue I have with the
difference between how invalid/expired/untrusted/etc… certificates are
handled between the Firefox and Opera browsers.

I really wish I could get Opera to remember that I’d already chosen to
make a particular exception… But ONLY for a particular certificate, and
ONLY at the site for which I decided to accept it. If I encountered that
certificate elsewhere, I’d want to be alerted. If the certificate changed,
I’d want to be alerted.

There are some sites where everything is public info, (such as user
forums for some Linux distributions) where it’s likely they only ever set up
https in the first place, so that their members wouldn’t need to transmit
their passwords in clear text. And since every single thing you post on
the site is publicly available, they are unlikely to spend any of their
limited resources to maintain the site’s “certificate” to anything more
valid than it takes to only have to tell Firefox {once} to make a
permanent exception to stop being pestered by the warnings.

Then there are sites like Hulu, which unlike Netflix, officially allow me
to view their content from Linux, and for which I choose to protect my
account password from clear text transmission by logging in via the account
page at: https://www.hulu.com/account.

I wish I knew for certain that if their certificate were to change,
Firefox would stop applying the permanent exception to the site, and make
me decide if I wanted to make a new exception for the new or modified
certificate. More importantly, if somehow that certificate was to be used
at some other site for which I didn’t knowingly accept the exception,
perhaps even one at which I might conceivably enter some personally
sensitive data.

I wish I could be certain that Firefox wouldn’t apply that permanent
exception to the same “certificate” that I had accepted for a site on
which I’d never include such sensitive private data…

But Opera doesn’t offer a permanent exception choice. I have to accept it
again every time I go there in a new opera session. If I do that, it will
become so familiar that I’ll stop reading it, then if I ever did get
redirected to an attack site, I’d likely be so busy with the routine chore
of accepting the exception that I wouldn’t notice it wasn’t the exception
I’d been expecting. And that is a real risk…


JtWdyP

On 2014-04-13 17:56, JtWdyP wrote:

> I wish I could be certain that Firefox wouldn’t apply that permanent
> exception to the same “certificate” that I had accepted for a site on
> which I’d never include such sensitive private data…

An alternative is to add the “authority” certificate as valid. Then the
server certificate is automatically accepted, and so are its changes. It is the
parent authority certificate which becomes important instead. I’m not
exactly sure what happens if the server certificate changes, but if the
“authority” certificate changes, you have to manually import it again.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

It would appear that on Apr 13, Carlos E. R. did say:

> An alternative is to add the “authority” certificate as valid. Then the
> server certificate is automatically accepted, and so are its changes. It is the
> parent authority certificate which becomes important instead. I’m not
> exactly sure what happens if the server certificate changes, but if the
> “authority” certificate changes, you have to manually import it again.

I’m not even all that sure what an ‘“authority” certificate’ is… Never mind
how to identify and “add” it “as valid”. I kind of figure the method probably
varies from one browser to another.

Would you happen to know the URL of a good how-to for “adding authority
certs” in Firefox??


JtWdyP

On 2014-04-14 18:01, JtWdyP wrote:
>
> It would appear that on Apr 13, Carlos E. R. did say:
>
>> An alternative is to add the “authority” certificate as valid. Then the
>> server certificate is automatically accepted, and so are its changes. It is the
>> parent authority certificate which becomes important instead. I’m not
>> exactly sure what happens if the server certificate changes, but if the
>> “authority” certificate changes, you have to manually import it again.
>
> I’m not even all that sure what an ‘“authority” certificate’ is… Never mind
> how to identify and “add” it “as valid”. I kind of figure the method probably
> varies from one browser to another.
>
> Would you happen to know the URL of a good how-to for “adding authority
> certs” in Firefox??

Edit, Preferences, Advanced.

Note: There is a button to configure “validation”. The
option to enforce OCSP verification is curious. Don’t ask me :slight_smile:

Click on “view certificates”. You can see several types, one is
“authorities”. There is a button for “import”. Of course, you need to
have the file ready… and this needs to be provided by the
certification authority itself. That’s the hurdle. And of course, you
have to trust them. Greatly.

A “certification authority” is simply the person or organization that
creates certificates. They have a master certificate which is used to
certify the certificates they create, sell, or give. When you have that
master certificate in your toolchain, all the certificates used by
servers that got it from that authority will be accepted without question.

For instance, if you go to
https://forums.opensuse.org/forum.php
and then select Tools / View info, you get a dialog with a security
icon. Click on it. One button will be “view certificate”.

Ok, you see now the data for the server certificate, titled “Issued To”.
There is another one titled “Issued By”. THAT is the data for the
certification authority, which is “DigiCert Inc”. In the “Details” tab
you can also see the tree.

If you now go back to the certificate manager dialog we saw previously,
on the Authorities tab you will also find an entry for DigiCert.
Actually, several. And you can select view, edit trust, delete or
distrust…


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
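Carlos’s two explanations above (importing the “authority” certificate makes a site’s certificate, and later replacements of it, acceptable; a certificate is vouched for by the authority that issued it) can be replayed in code. The following Go program is an added example, not code from this thread or from any of the browsers discussed: it builds throwaway certificates in memory with Go’s crypto/x509 and runs the same chain check a browser performs. The authority name “Example Root CA”, the host analytics.example.com and the “Not an authority” certificate are constructed placeholders; the third scenario is the situation nrickert read into the error message, a chain ending in a certificate that is not marked as a CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for name, signed by parent (self-signed when parent is nil).
// isCA=true produces an authority certificate (cA=TRUE); false produces a server certificate.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: isCA,
	}
	if !isCA { // an ordinary server certificate, bound to the host "name"
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed: the certificate vouches for itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// scenarios replays the situations from the thread and returns the browser's verdict for
// each: nil means the site is accepted silently, otherwise the reason a warning appears.
func scenarios() (unknown, imported, badIssuer error) {
	const host = "analytics.example.com" // constructed placeholder host name
	ca, caKey := newCert("Example Root CA", true, nil, nil)
	site, _ := newCert(host, false, ca, caKey)
	notCA, k := newCert("Not an authority", false, nil, nil)
	leaf, _ := newCert(host, false, notCA, k) // issued by a certificate that is not a CA
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)    // the "import" step in the browser's certificate manager
	trusted.AddCert(notCA) // imported as well, yet not entitled to sign server certificates
	_, unknown = site.Verify(x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: host})
	_, imported = site.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	_, badIssuer = leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return
}
```

`scenarios` is the entry point to call from a test or a small main: the first and third verdicts are “certificate signed by unknown authority” errors, the second is nil.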

Noticed earlier when looking in Gnome Keys:

Identity: login.skype.com
Verified by: UTN-USERFirst-Hardware
Expires: 14/03/14

Subject Name
C (Country): US
2.5.4.17: #13053338343737
ST (State): Florida
L (Locality): English
STREET (Street): Sea Village 10
O (Organization): Google Ltd.
OU (Organizational Unit): Tech Dept.
OU (Organizational Unit): Hosted by GTI Group Corporation
OU (Organizational Unit): PlatinumSSL
CN (Common Name): login.skype.com
Issuer Name
C (Country): US
ST (State): UT
L (Locality): Salt Lake City
O (Organization): The USERTRUST Network
OU (Organizational Unit): http://www.usertrust.com
CN (Common Name): UTN-USERFirst-Hardware

Found a similar one in Mozilla Firefox with a different expiry date of 15/03/14

Certificates are expected to be updated as part of resolving the Heartbleed bug.

However, I was surprised at how many certificates were out of date.

Is there an easy way to filter and then delete out-of-date certificates?

Is there a terminal command to list them ?-)

I suspect that just deleting expired certificates may create more problems…

I’m assuming that is a 2015 date.

This looks more like the case of a certificate that was issued for one year, and has been renewed. That’s a common practice.

The certificate is probably one being offered by the web site. Your browser should be checking whether it has expired, and possibly reporting a problem.

The certificates that are stored on your computer are mostly CA certificates, and these usually have a longer period before they expire. Again, your browser should be warning you if validation of a web site depends on an expired certificate.