
Cadd99


9640News


Does anyone have a phone number for Eric Firestone or Mike Wright?

I have been trying to get hold of Eric, and he has been missing from AtariAge for about 7 months now; multiple emails have gone without a response. I'm hoping he was not a victim of Covid.

Beery


  • 1 month later...

It depends on which browser you use. Firefox was the first to throw a tantrum; different browsers deal with revoked certificates in different ways and on different timescales.
The security certificate has not expired; it has been revoked, which is often an error by the issuer (I know of one large website that had its certificate revoked because its admin input an English county in the "State" box... the revocation was a month later!).
Two major reasons for revocation are either that the key has leaked or is being misused (oops), or that the user's data has changed in some way, e.g. change of address, control, ownership, etc.
The usual recourse is to obtain a new certificate, which will have a different serial.
At present I can access the site via Konqueror by ignoring four warnings. Last I heard the Edge browser allowed access, but that may have caught up now.
I told Mike Wright about this on 4th November, but I gather that Eric is now in charge of the site? Anyway, a month has been and gone and no change.
It's all down to Eric, who is not very active in communicating. Ah well. I'll tell Mike again, but there is nothing he can do except chase Eric...

bb


That's the one with a revoked security certificate; are you using the Edge browser then? Or a proxy?
Nobody with Firefox will be accessing it...

(You may be able to check the security chain by clicking the padlock in the URL bar of your browser.)

Oddly, you can also access the website using an online proxy (e.g. onlineproxy.eu), as your browser then only confirms the chain from you to the proxy server!

take care. bb


Cheers.

Android overall seems to be a bit more resistant to certificate revocations and expired roots.
I will give the SSLLabs report below which confirms what my desktop browsers tell me....
The Cadd cert that is revoked is the "leaf certificate".

My Firefox tells me:
"Peer's Certificate has been revoked.
(Error code: sec_error_revoked_certificate)"

ssllabs.com tells me: Overall rating F
    This server's certificate is not trusted
    Revocation status: Revoked (INSECURE)
    Trusted: No (NOT TRUSTED)
    Issuer: Sectigo RSA Domain Validation Secure Server CA
    Revocation information: OCSP (http://ocsp.sectigo.com)
    Sent by server: caddelectronics.com

additionally:
    Server Key and Certificate #1
    Subject: *.web-hosting.com (MISMATCH)
    Trusted: No (NOT TRUSTED), not trusted (invalid certificate)
    Server hostname: server210-1.web-hosting.com

    OCSP stapling: No


A useful site which will tell you when a secure site may not be and when a site is far more secure than it has to be given its content.....

bb


3 hours ago, blackbox said:

That's the one with a revoked security certificate; are you using the Edge browser then? Or a proxy?
Nobody with Firefox will be accessing it...

(You may be able to check the security chain by clicking the padlock in the URL bar of your browser.)

Oddly, you can also access the website using an online proxy (e.g. onlineproxy.eu), as your browser then only confirms the chain from you to the proxy server!

take care. bb


Hi, the newer link works for me; I think they've just changed the domain at some point.

Also my current Firefox on Win8.1 says "Secure".

thx


1 hour ago, blackbox said:

The Cadd cert that is revoked is the "leaf certificate"

The end of a certificate chain (or tree, in this context), from the certificate authority (CA root) through any intermediate certificate, is a "leaf." So the term carries no significance in this scenario, other than to say this is not a root or an intermediate.


The Firefox guys somehow manage to upset me more and more.

In former versions you had a button "Continue anyway" or similar. This is my very own decision to accept a broken certificate chain or not.

Then they dropped the FTP support because of the lack of security (even for anonymous access).

They try to force you to use HTTPS.

I am old enough to decide.


28 minutes ago, Asmusr said:

https://caddelectronics.com/ seems to have a valid https certificate. If you're a website owner and need a https certificate, you can get one for free from 'Let's Encrypt'.

Free is nice, but it requires replacement every three months.  I stick with regular CAs and pay my $19 for a year as needed (though my multi-domain wildcard is around $200.)


In any case, I decoded the certificate being presented.  From what I can tell, the problem is with the webhost and possibly Firefox.  The default site issues a certificate for the webhost, but it is revoked, as shown here:


3 hours ago, blackbox said:

Server Key and Certificate #1 Subject *.web-hosting.com
Mismatch Trusted No NOT TRUSTED
Not trusted (invalid certificate)
Server hostname server210-1.web-hosting.com


If I set the SNI (server name indication, how TLS selects a secure host on an IP hosting multiple websites,) manually in OpenSSL, I get CADD's secure certificate.


openssl s_client -connect caddelectronics.com:443 -servername caddelectronics.com

Returns:

depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=caddelectronics.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services

The rest gives its certificate.  When I decode that cert, I get:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8d:4a:9d:07:84:d1:96:b0:48:a4:bc:11:29:e0:35:4c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
        Validity
            Not Before: Aug  1 00:00:00 2020 GMT
            Not After : Nov  3 00:00:00 2022 GMT
        Subject: CN=caddelectronics.com
(trimmed)
            X509v3 Subject Alternative Name:
                DNS:caddelectronics.com, DNS:www.caddelectronics.com
(trimmed)


So, either Firefox is not asking for the correct information in the TLS ClientHello, or the server is ignoring it.  Irrespective, it appears Internet Explorer 11, Edge and Edge Beta, and Opera can get to the site just fine.


On another note, even though the certificate has a validity period of two years, as it was issued before September 1, 2020, it should still be considered valid by Apple and Google products.


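Added example, not part of this thread and not OLD CS1's own script: a small Python wrapper around the `openssl s_client` call shown above that fetches the depth-0 certificate twice, once with `-servername` and once with `-noservername` (OpenSSL 1.1.1 or later; older s_client versions send no SNI unless asked), and reports whether the two answers are the same certificate. The host name and port are parameters; the embedded chain samples are copied from the output quoted in the post above, plus one constructed no-SNI sample for the host's default `*.web-hosting.com` certificate written in the newer s_client layout, so the parser can be exercised without a network connection.

```python
"""Compare the certificate a TLS server presents with and without SNI.

Added example; not the thread's own script. Wraps the
`openssl s_client -connect HOST:443 -servername HOST` call from above and
repeats it with -noservername so both depth-0 certificates can be compared.
Assumes an `openssl` binary (1.1.1 or newer, for -noservername) on PATH.
"""
import json
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class Leaf:
    subject: str
    issuer: str
    pem: Optional[str]  # depth-0 certificate in PEM, if s_client printed one


def run_s_client(host: str, port: int = 443, sni: bool = True) -> str:
    """Return the stdout of `openssl s_client` for host:port, with or without SNI."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    # s_client 1.1.1+ sends SNI by default; -noservername suppresses the extension.
    cmd += ["-servername", host] if sni else ["-noservername"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return proc.stdout.decode(errors="replace")


def parse_leaf(s_client_output: str) -> Leaf:
    """Extract the depth-0 (leaf) subject, issuer and PEM block from s_client output.

    Handles both the 1.0.x chain layout ('s:/CN=x') and the 1.1.1+ layout ('s:CN = x').
    """
    m = re.search(r"^ 0 s:(.*)\n\s*i:(.*)$", s_client_output, re.M)
    if m is None:
        raise ValueError("no depth-0 entry in the certificate chain")
    pem = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
                    s_client_output, re.S)
    return Leaf(m.group(1).strip(), m.group(2).strip(), pem.group(0) if pem else None)


def same_leaf(a: Leaf, b: Leaf) -> bool:
    """True when both answers are the same certificate (compared by PEM when available)."""
    if a.pem and b.pem:
        return a.pem == b.pem
    return (a.subject, a.issuer) == (b.subject, b.issuer)


def compare_sni(host: str, port: int = 443) -> dict:
    """Fetch the leaf twice and report whether the no-SNI answer is a different certificate.

    On a shared host the no-SNI answer is the default virtual host's certificate,
    which is not the one a browser validating `host` will be shown.
    """
    with_sni = parse_leaf(run_s_client(host, port, sni=True))
    without_sni = parse_leaf(run_s_client(host, port, sni=False))
    return {"with_sni": with_sni.subject, "without_sni": without_sni.subject,
            "differs": not same_leaf(with_sni, without_sni)}


# Constructed samples so parse_leaf() can be exercised offline: the first is the
# chain listing quoted above in the thread (with -servername); the second is a
# hypothetical no-SNI answer for the host's default *.web-hosting.com certificate
# written in the newer s_client layout.
SAMPLE_WITH_SNI = """\
---
Certificate chain
 0 s:/CN=caddelectronics.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
---
"""
SAMPLE_WITHOUT_SNI = """\
Certificate chain
 0 s:CN = *.web-hosting.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "caddelectronics.com"
    print(json.dumps(compare_sni(target), indent=2))
```

Run it as `python sni_compare.py caddelectronics.com`. When `differs` is true the host is handing a default virtual-host certificate to clients that send no SNI, and any scanner that reports on that no-SNI answer (an old Konqueror, or a tool run without `-servername`) is describing a different certificate from the one a modern browser actually validates; the revocation status that matters is the one for the certificate returned with SNI.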

There are two quite separate issues.

The name mismatch is not involved; this will throw an error if your browser does not use SNI (e.g. my old Konqueror).

If your browser uses SNI then the revoked certificate comes into play and the name mismatch is not seen. Different browsers and operating systems handle revocations differently and on different timescales.

The report from SSLLABS is the important one to look at to check the full status of the site and its certificates. This clearly shows that a certificate has been revoked. Run the test from ssllabs yourself on any website using https.

Browsers that are happy with the website are not giving you the protection that you think you have, especially when they fail to even warn you. This does not mean, in this case, that you are at risk, but you might be: it may indicate that a misused certificate that is revoked is not being brought to your attention. Man-in-the-middle attacks are by no means an everyday occurrence, but if https is being forced on us (as it is), should the protection be degraded (as it is)?

Bottom line on this one is: if the site works in your browser, no problem. If (with SSLLABS telling you there is a revoked certificate) you are happy sending information that may be harmful to you, go ahead. If you are only seeking information then https is in almost every case overkill anyway and there is almost no issue at all...

The software (and website content) side of CADD is backed up many times by Mike and also off-site in a different State. It is sad that Mike no longer has access to the website and Eric is not too good at responding to queries.

Whatever- enjoy your TI and have a peaceful New Year... bb


1 hour ago, blackbox said:

The report from SSLLABS is the important one to look at to check the full status of the site and its certificates. This clearly shows that a certificate has been revoked. Run the test from ssllabs yourself on any website using https.

Yes, the main certificate for the web host on that IP address.  It has been revoked.  But the proper certificate has not.  I suspect a misconfiguration at the web host, but this is a failure mode I have never had to resolve.  See my update in the following post.


1 hour ago, blackbox said:

Bottom line on this one is: if the site works in your browser, no problem. If (with SSLLABS telling you there is a revoked certificate) you are happy sending information that may be harmful to you, go ahead. If you are only seeking information then https is in almost every case overkill anyway and there is almost no issue at all...

But that is not what is happening.  Look at the screen shot from Edge below.  As well, when I explicitly set the ServerName option in OpenSSL, I retrieve a completely different certificate.  I get the same results with IE and Opera.  Whatever request method SSLLabs and the Firefox browser are using to request caddelectronics.com is being ignored by the web server.

(Screenshot from Edge, Clipboard01.png; image not reproduced here.)

Edited by OLD CS1
Digging deeper, SSLLabs is reporting correctly. See below post on why IE, Edge, and Opera are naughty little boys and will be getting coal in their stockings.

I have to back-track on this. I have taken a deeper dig, and we may have discovered a flaw in how our browsers detect revocation.

I stick to the Opera, Edge, and IE statements above, and also stipulate that Firefox is rejecting the certificate, as is SSLLabs.

However, neither SSLLabs nor Firefox appear to be reporting on the correct certificate. To wit:

The web server default certificate:

>openssl x509 -noout -text -in web.cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d8:9e:af:28:18:4e:98:1a:84:c8:54:b7:82:a2:ec:9e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
        Validity
            Not Before: May  7 00:00:00 2020 GMT
            Not After : Apr  5 23:59:59 2022 GMT
        Subject: CN = *.web-hosting.com

(trimmed)


>openssl ocsp -no_nonce -url http://ocsp.sectigo.com -issuer SectigoRSADomainValidationSecureServerCA.crt -cert web.cer
Response verify OK
web.cer: good
        This Update: Dec  9 06:39:44 2021 GMT
        Next Update: Dec 16 06:39:44 2021 GMT


Now the CADD Electronics certificate:

>openssl x509 -noout -text -in cadd.cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8d:4a:9d:07:84:d1:96:b0:48:a4:bc:11:29:e0:35:4c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
        Validity
            Not Before: Aug  1 00:00:00 2020 GMT
            Not After : Nov  3 00:00:00 2022 GMT
        Subject: CN = caddelectronics.com

(trimmed)

>openssl ocsp -no_nonce -url http://ocsp.sectigo.com -issuer SectigoRSADomainValidationSecureServerCA.crt -cert cadd.cer
Response verify OK
cadd.cer: revoked
        This Update: Dec 10 11:41:03 2021 GMT
        Next Update: Dec 17 11:41:03 2021 GMT
        Revocation Time: Oct 28 12:38:41 2021 GMT


This means that IE, Edge, and Opera are accepting the revoked caddelectronics.com certificate (apparently) because the web-hosting.com certificate is good.  However, Firefox and SSLLabs appear to be rejecting the revoked caddelectronics.com certificate, but SSLLabs looks like it is reporting on the web-hosting.com certificate. (I went to SSLLabs myself and found that it is indeed looking at the caddelectronics.com certificate.)


IE, Edge, and Opera appear to be behaving naughtily.



16 hours ago, OLD CS1 said:

This means that IE, Edge, and Opera are accepting the revoked caddelectronics.com certificate (apparently) because the web-hosting.com certificate is good.  However, Firefox and SSLLabs appear to be rejecting the revoked caddelectronics.com certificate,

Holy shit.  I submitted my data to the Microsoft and Opera security teams.  Opera responded:


Thanks for getting in touch. This is how Chromium, on which Opera is built, (not) supports certificate revocations.


Explanations can be found e.g. in comment 5 here:
https://bugs.chromium.org/p/chromium/issues/detail?id=1256670

Best regards,
Opera Security Team


Thus, apparently anything built on the Chromium engine will behave in this manner (IE surprises me because I thought it was using Microsoft's Trident engine.)  If the default host of an SSL IP address has a valid certificate, a revoked certificate beneath it will be accepted.  Firefox is doing what it is supposed to do.


In the first post of the Chromium bug thread, the author sends you to the link https://revoked-rsa-dv.ssl.com/  This opens in Opera, IE, and Edge just fine, but Firefox rejects it as revoked.  This is the exact same scenario as with caddelectronics.com.


This is huge.  Really huge, and it has apparently been going on for years.  In comment 5, there is a link to a post from 2014 discussing the revocation problem and some differences between OCSP and CRL.  I cannot agree that the single-site nature of OCSP is a problem, other than that an OCSP query will be sent to CAs by a browser for every secure site visited.  As far as I am concerned, more requests and back-end look-ups are and should be the problem of the certificate authority to provide a faster and more secure experience for the user.


OTOH, if CRLs are reaching such a huge size -- and the articles referenced are from the Heartbleed era in which hundreds of thousands of certificates had to be re-issued -- then the CRLs should be treated as content and sent out via content distribution networks if the CAs want to reduce their bandwidth costs.


Anyway, I have shitted up this thread enough.  Bottom line:


caddelectronics.com secure certificate has been revoked.  Firefox is correctly rejecting access to the site while other browsers are erroneously allowing access.  The guys at CADD need to fix their secure certificate, irrespective of it appearing to work.

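Added example, not part of the thread and not code from any browser: the `openssl ocsp` check from OLD CS1's earlier post driven from Python, with the responder URL read from the leaf's Authority Information Access extension via `openssl x509 -ocsp_uri`, and the parsed status fed through the two policies the Chromium bug discussion above contrasts: hard-fail (reject unless a verified, fresh "good" answer arrives) and soft-fail (accept unless the responder explicitly says "revoked"). It assumes `openssl` on PATH and the leaf and issuer certificates as PEM file paths; the sample outputs are the two `openssl ocsp` results quoted above plus a constructed "responder unreachable" case.

```python
"""Query OCSP through `openssl ocsp` and apply a revocation policy to the answer.

Added example; not code from the thread or from any browser. Automates the
`openssl ocsp -no_nonce -url URL -issuer ISSUER -cert CERT` check above and runs
the result through the two policies the Chromium discussion contrasts.
Assumes `openssl` on PATH; leaf and issuer certificates are PEM file paths.
"""
import re
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

_TIME_FMT = "%b %d %H:%M:%S %Y GMT"  # openssl prints e.g. "Dec  9 06:39:44 2021 GMT"


@dataclass
class OcspResult:
    status: str     # "good", "revoked", "unknown" or "unavailable" (no usable answer)
    verified: bool  # responder signature verified by openssl
    this_update: Optional[datetime] = None
    next_update: Optional[datetime] = None
    revocation_time: Optional[datetime] = None


def utc(*parts: int) -> datetime:
    """Shorthand for an aware UTC datetime, e.g. utc(2021, 12, 10)."""
    return datetime(*parts, tzinfo=timezone.utc)


def _parse_time(text: str) -> datetime:
    return datetime.strptime(" ".join(text.split()), _TIME_FMT).replace(tzinfo=timezone.utc)


def parse_ocsp(output: str) -> OcspResult:
    """Turn openssl ocsp output (stdout and stderr together) into an OcspResult.

    No status line (responder down, network error, garbage reply) becomes
    "unavailable" so the policy layer, not the parser, decides what that means.
    """
    verified = "Response verify OK" in output
    m = re.search(r"^\S+: (good|revoked|unknown)\s*$", output, re.M)
    if m is None:
        return OcspResult("unavailable", verified)

    def field(name: str) -> Optional[datetime]:
        f = re.search(rf"^\s*{name}: (.+)$", output, re.M)
        return _parse_time(f.group(1)) if f else None

    return OcspResult(m.group(1), verified, field("This Update"),
                      field("Next Update"), field("Revocation Time"))


def decide(result: OcspResult, now: datetime, hard_fail: bool) -> str:
    """Return "accept" or "reject".

    "revoked" is rejected under either policy. A verified, fresh "good" is accepted.
    Everything else (unknown, stale, unverified, unavailable) is where the policies
    differ: hard-fail rejects, soft-fail accepts. A client that never asks the
    responder is the degenerate soft-fail case: every certificate looks "unavailable".
    """
    if result.status == "revoked":
        return "reject"
    fresh = (result.verified and result.status == "good"
             and result.this_update is not None and result.this_update <= now
             and (result.next_update is None or now <= result.next_update))
    if fresh:
        return "accept"
    return "reject" if hard_fail else "accept"


def ocsp_url(cert_pem: str) -> str:
    """Read the responder URL from the leaf's Authority Information Access extension."""
    out = subprocess.run(["openssl", "x509", "-noout", "-ocsp_uri", "-in", cert_pem],
                         capture_output=True, text=True, check=True).stdout
    return out.strip().splitlines()[0]


def query_ocsp(cert_pem: str, issuer_pem: str, url: Optional[str] = None) -> OcspResult:
    """Run the same openssl ocsp command as in the thread and parse what it prints."""
    proc = subprocess.run(["openssl", "ocsp", "-no_nonce", "-url", url or ocsp_url(cert_pem),
                           "-issuer", issuer_pem, "-cert", cert_pem],
                          capture_output=True, text=True, timeout=20)
    return parse_ocsp(proc.stdout + proc.stderr)  # "Response verify OK" goes to stderr


# Constructed samples: the two results quoted above (the host's default
# certificate and the CADD leaf) plus an invented "responder unreachable" case.
SAMPLE_GOOD = """\
Response verify OK
web.cer: good
        This Update: Dec  9 06:39:44 2021 GMT
        Next Update: Dec 16 06:39:44 2021 GMT
"""
SAMPLE_REVOKED = """\
Response verify OK
cadd.cer: revoked
        This Update: Dec 10 11:41:03 2021 GMT
        Next Update: Dec 17 11:41:03 2021 GMT
        Revocation Time: Oct 28 12:38:41 2021 GMT
"""
SAMPLE_UNAVAILABLE = "Error querying OCSP responder\n"

if __name__ == "__main__":
    import sys
    r = query_ocsp(sys.argv[1], sys.argv[2])  # usage: ocsp_check.py leaf.pem issuer.pem
    print(r, "->", decide(r, datetime.now(timezone.utc), hard_fail=True))
```

The policy split is the whole story of this thread. Firefox ships with soft-fail (security.OCSP.require is false by default), which is why an unreachable responder does not block it but an explicit "revoked" answer does. Chromium-based browsers make no live OCSP query for ordinary DV certificates and rely on CRLSets instead, so unless a revocation has been pushed out in a CRLSet every certificate is the "unavailable" case to them and is accepted, which is the behaviour the Opera security team describes above.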

  • 8 months later...

Ran into this issue today with the caddelectronics.com domain, just when I was about to plug CADD in another venue. Turning off security.OCSP.enable might get me in, but I'm not going to do that. Looks like an issue with the hosting provider, circumventable with a Let's Encrypt cert, for which renewal is easily automated, but I note also that Google search reports CADD as "temporarily closed".


Hope this can be sorted out soon and the 99/5C will be a thing.

jbdigriz
