+9640News Posted October 15, 2021

Does anyone have a phone number for Eric Firestone or Mike Wright? I have been trying to get hold of Eric and he has been missing from Atariage for about 7 months now through multiple emails, without a response. I'm hoping he was not a victim of Covid.

Beery
+9640News Posted October 15, 2021 (Author)

Made contact with Eric on Linkedin.
+Schmitzi Posted December 10, 2021

Is Cad99 offline?
blackbox Posted December 10, 2021

It depends on which browser you use. Firefox was the first to throw a tantrum- different browsers deal with revoked certificates in different ways and timescales.

The security certificate has not expired- it has been revoked, which is often an error by the issuer (I know of one large website that had their certificate revoked as their admin input an English county in the "State" box...the revocation was a month later!).

Two major reasons for revocation are either- the key has leaked or is being misused (oops) or- the user's data has changed in some way, eg change of address, control, ownership etc. The usual recourse is to obtain a new certificate which will have a different serial.

At present I can access the site via Konqueror by ignoring four warnings. Last I heard the Edge browser allowed access but that may have caught up now.

I told Mike Wright about this on 4th November but I gather that Eric is now in charge of the site? Anyway- a month has been and gone and no change. It's all down to Eric, who is not very active in communicating. Ah well. I'll tell Mike again but there is nothing he can do except chase Eric...

bb
+Schmitzi Posted December 10, 2021

It's on a new site: https://caddelectronics.com/
blackbox Posted December 10, 2021

That's the one with a revoked security certificate- are you using the Edge browser then? or a proxy? Nobody with Firefox will be accessing it.... (You may be able to check the security chain by clicking a padlock in the url bar of your browser).

Oddly you can also access the website using an online proxy (eg onlineproxy.eu) as your browser then only confirms the chain from you to the proxy server!

take care.

bb
RickyDean Posted December 10, 2021

I'm using Firefox on my android. Clicked on Schmitzi's link and went right to it.
blackbox Posted December 10, 2021

Cheers. Android overall seems to be a bit more resistant to certificate revocations and expired roots. I will give the SSLLabs report below which confirms what my desktop browsers tell me....

The Cadd cert that is revoked is the "leaf certificate"

My Firefox tells me: "Peer's Certificate has been revoked. (Error code: sec_error_revoked_certificate)"

ssllabs.com tells me:

    Overall rating F
    This server's certificate is not trusted
    Revocation status Revoked INSECURE
    Trusted No NOT TRUSTED
    Issuer Sectigo RSA Domain Validation Secure Server CA
    Revocation information OCSP
    OCSP: http://ocsp.sectigo.com
    Sent by server caddelectronics.com

additionally:

    Server Key and Certificate #1
    Subject *.web-hosting.com
    Mismatch
    Trusted No NOT TRUSTED
    Not trusted (invalid certificate)
    Server hostname server210-1.web-hosting.com
    OCSP stapling No

A useful site which will tell you when a secure site may not be and when a site is far more secure than it has to be given its content.....

bb
+Schmitzi Posted December 10, 2021

3 hours ago, blackbox said:
> That's the one with a revoked security certificate- are you using the Edge browser then? or a proxy? Nobody with Firefox will be accessing it.... (You may be able to check the security chain by clicking a padlock in the url bar of your browser). Oddly you can also access the website using an online proxy (eg onlineproxy.eu) as your browser then only confirms the chain from you to the proxy server! take care. bb

Hi, the newer link works for me, I think they've just changed the domain somewhen. Also my actual FireFox in Win8.1 says "Secure".

thx
+OLD CS1 Posted December 10, 2021

1 hour ago, blackbox said:
> The Cadd cert that is revoked is the "leaf certificate"

The end of a certificate chain (or tree in this context,) from the certificate authority (CA root) through any intermediate certificate, is a "leaf." So the term carries no significance in this scenario, other than to say this is not a root or an intermediate.
+mizapf Posted December 10, 2021

The Firefox guys somehow manage to upset me more and more. In former versions you had a button "Continue anyway" or similar. This is my very own decision to accept a broken certificate chain or not. Then they dropped the FTP support because of the lack of security (even for anonymous access). Try to force you to use HTTPS. I am old enough to decide.
HOME AUTOMATION Posted December 10, 2021

...And If I weren't immature enough to decide for myself!?

...I wouldn't be as old as I am!?
Asmusr Posted December 10, 2021

https://caddelectronics.com/ seems to have a valid https certificate. If you're a website owner and need a https certificate, you can get one for free from 'Let's Encrypt'.

Edited December 10, 2021 by Asmusr
+OLD CS1 Posted December 10, 2021

28 minutes ago, Asmusr said:
> https://caddelectronics.com/ seems to have a valid https certificate. If you're a website owner and need a https certificate, you can get one for free from 'Let's Encrypt'.

Free is nice, but it requires replacement every three months. I stick with regular CAs and pay my $19 for a year as needed (though my multi-domain wildcard is around $200.)

In any case, I decoded the certificate being presented. From what I can tell, the problem is with the webhost and possibly Firefox. The default site issues a certificate for the webhost, but it is revoked, as shown here:

3 hours ago, blackbox said:
> Server Key and Certificate #1 Subject *.web-hosting.com Mismatch Trusted No NOT TRUSTED Not trusted (invalid certificate) Server hostname server210-1.web-hosting.com

If I set the SNI (server name indication, how TLS selects a secure host on an IP hosting multiple websites,) manually in OpenSSL, I get CADD's secure certificate.

    openssl s_client -connect caddelectronics.com:443 -servername caddelectronics.com

Returns:

    depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
    verify error:num=20:unable to get local issuer certificate
    ---
    Certificate chain
     0 s:/CN=caddelectronics.com
       i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
     1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
       i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
     2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
       i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services

The rest gives its certificate. When I decode that cert, I get:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 8d:4a:9d:07:84:d1:96:b0:48:a4:bc:11:29:e0:35:4c
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
            Validity
                Not Before: Aug 1 00:00:00 2020 GMT
                Not After : Nov 3 00:00:00 2022 GMT
            Subject: CN=caddelectronics.com
    (trimmed)
                X509v3 Subject Alternative Name:
                    DNS:caddelectronics.com, DNS:www.caddelectronics.com
    (trimmed)

So, either Firefox is not asking for the correct information in the TLS ClientHello, or the server is ignoring it. Irrespective, it appears Internet Explorer 11, Edge and Edge Beta, and Opera can get to the site just fine.

On another note, even though the certificate has a validity period of two years, as it was issued before September 1, 2020, it should still be considered valid by Apple and Google products.
blackbox Posted December 10, 2021

There are two quite separate issues. The name mismatch is not involved- this will throw an error if your browser does not use SNI (eg my old Konqueror). If your browser uses SNI then the revoked certificate comes into play and the name mismatch is not seen. Different browsers and operating systems handle revocations differently and with different timescales.

The report from SSLLABS is the important one to look at to check the full status of the site and its certificates. This clearly shows that a certificate has been revoked. Run the test from ssllabs yourself on any website using https.

Browsers that are happy with the website are not giving you the protection that you think you have- especially when they fail to even warn you. This does not mean - in this case- that you are at risk, but you might be- it may indicate that a misused certificate that is revoked is not being brought to your attention. Man in the middle attacks are by no means an everyday occurrence- but if https is being forced on us (as it is) should the protection be degraded (as it is)?

Bottom line on this one is- if the site works in your browser, no problem. If (with SSLLABS telling you there is a revoked certificate) you are happy sending information that may be harmful to you, go ahead. If you are only seeking information then https is in almost every case overkill anyway and there is almost no issue at all....

The software (and website content) side of CADD is backed up many times by Mike and also off-site in a different State. It is sad that Mike no longer has access to the website and Eric is not too good at responding to queries.

Whatever- enjoy your TI and have a peaceful New Year...

bb
+OLD CS1 Posted December 10, 2021

1 hour ago, blackbox said:
> The report from SSLLABS is the important one to look at to check the full status of the site and its certificates. This clearly shows that a certificate has been revoked. Run the test from ssllabs yourself on any website using https.

Yes, the main certificate for the web host on that IP address. It has been revoked. But the proper certificate has not. I suspect a misconfiguration at the web host, but this is a failure mode I have never had to resolve. See my update in the following post.

1 hour ago, blackbox said:
> Bottom line on this one is- if the site works in your browser, no problem. If (with SSLLABS telling you there is a revoked certificate) you are happy sending information that may be harmful to you, go ahead. If you are only seeking information then https is in almost every case overkill anyway and there is almost no issue at all....

But that is not what is happening. Look at the screen shot from Edge below. As well, when I explicitly set the ServerName option in OpenSSL, I retrieve a completely different certificate. I get the same results with IE and Opera. Whatever request method SSLLabs and the Firefox browser are using to request caddelectronics.com is being ignored by the web server.

Edited December 10, 2021 by OLD CS1: Digging deeper, SSLLabs is reporting correctly. See below post on why IE, Edge, and Opera are naughty little boys and will be getting coal in their stockings.
+OLD CS1 Posted December 10, 2021

I have to back-track on this. I have taken a deeper dig, and we may have discovered a flaw in how our browsers detect revocation. I stick to the Opera, Edge, and IE statements above, also stipulate that Firefox is rejecting the certificate, as is SSLLabs. However, neither SSLLabs nor Firefox appear to be reporting on the correct certification. To wit:

The web server default certificate:

    >openssl x509 -noout -text -in web.cer
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: d8:9e:af:28:18:4e:98:1a:84:c8:54:b7:82:a2:ec:9e
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
            Validity
                Not Before: May 7 00:00:00 2020 GMT
                Not After : Apr 5 23:59:59 2022 GMT
            Subject: CN = *.web-hosting.com
    (trimmed)

    >openssl ocsp -no_nonce -url http://ocsp.sectigo.com -issuer SectigoRSADomainValidationSecureServerCA.crt -cert web.cer
    Response verify OK
    web.cer: good
            This Update: Dec 9 06:39:44 2021 GMT
            Next Update: Dec 16 06:39:44 2021 GMT

Now the CADD Electronics certificate:

    >openssl x509 -noout -text -in cadd.cer
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 8d:4a:9d:07:84:d1:96:b0:48:a4:bc:11:29:e0:35:4c
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
            Validity
                Not Before: Aug 1 00:00:00 2020 GMT
                Not After : Nov 3 00:00:00 2022 GMT
            Subject: CN = caddelectronics.com
    (trimmed)

    >openssl ocsp -no_nonce -url http://ocsp.sectigo.com -issuer SectigoRSADomainValidationSecureServerCA.crt -cert cadd.cer
    Response verify OK
    cadd.cer: revoked
            This Update: Dec 10 11:41:03 2021 GMT
            Next Update: Dec 17 11:41:03 2021 GMT
            Revocation Time: Oct 28 12:38:41 2021 GMT

This means that IE, Edge, and Opera are accepting the revoked caddelectronics.com certificate (apparently) because the web-hosting.com certificate is good. However, Firefox and SSLLabs appear to be rejecting the revoked caddelectronics.com certificate, but SSLLabs looks like it is reporting on the web-hosting.com certificate. (I went to SSLLabs myself and found that it is indeed looking at the caddelectronics.com certificate.) IE, Edge, and Opera appear to be behaving naughtily.
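Added example, not part of the original posts: the check from the post above reproduced offline, showing that a certificate keeps passing plain chain validation after its issuer starts answering "revoked" over OCSP, so a client that never asks accepts it. The throwaway CA, the name shop.example.test and all file names are constructed, and a local `openssl ocsp -index` responder stands in for ocsp.sectigo.com.

```shell
#!/bin/sh
# Added example. Demo CA, leaf name and file names are all constructed; a local
# `openssl ocsp -index` responder stands in for the CA's real OCSP service.

make_demo_pki() {   # $1 = empty working directory
  d=$1
  mkdir -p "$d/newcerts" && : > "$d/index.txt" && echo 1000 > "$d/serial" || return 1
  cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
default_md = sha256
default_days = 30
policy = pol
[pol]
commonName = supplied
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -days 30 \
    -subj "/CN=Demo Issuing CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=shop.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl ca -batch -notext -config "$d/ca.cnf" -cert "$d/ca.crt" \
    -keyfile "$d/ca.key" -in "$d/leaf.csr" -out "$d/leaf.crt" >/dev/null 2>&1
}

revoke_leaf() {     # the CA marks the leaf as revoked in its database
  openssl ca -config "$1/ca.cnf" -cert "$1/ca.crt" -keyfile "$1/ca.key" \
    -revoke "$1/leaf.crt" >/dev/null 2>&1
}

chain_ok() {        # signature, expiry and chain only; no revocation lookup
  openssl verify -CAfile "$1/ca.crt" "$1/leaf.crt" >/dev/null 2>&1
}

ocsp_status() {     # prints good, revoked or unknown for the leaf
  openssl ocsp -no_nonce -issuer "$1/ca.crt" -cert "$1/leaf.crt" \
    -reqout "$1/req.der" >/dev/null 2>&1 &&
  openssl ocsp -index "$1/index.txt" -CA "$1/ca.crt" -rsigner "$1/ca.crt" \
    -rkey "$1/ca.key" -reqin "$1/req.der" -respout "$1/resp.der" >/dev/null 2>&1 &&
  openssl ocsp -no_nonce -issuer "$1/ca.crt" -cert "$1/leaf.crt" \
    -CAfile "$1/ca.crt" -respin "$1/resp.der" 2>/dev/null |
    awk -F': ' '/leaf\.crt: / { print $2; exit }'
}

# Stand-alone run: issue, revoke, then compare the two checks.
demo=$(mktemp -d) && make_demo_pki "$demo" && revoke_leaf "$demo" &&
  { chain_ok "$demo" && echo "chain check: OK"; echo "OCSP says:   $(ocsp_status "$demo")"; }
rm -rf "$demo"
```
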
+OLD CS1 Posted December 11, 2021

16 hours ago, OLD CS1 said:
> This means that IE, Edge, and Opera are accepting the revoked caddelectronics.com certificate (apparently) because the web-hosting.com certificate is good. However, Firefox and SSLLabs appear to be rejecting the revoked caddelectronics.com certificate,

Holy shit. I submitted my data to the Microsoft and Opera security teams. Opera responded:

Quote:
> Thanks for getting in touch.
>
> This is how Chromium, on which Opera is built, (not) supports certificate revocations. Explanations can be found e.g. in comment 5 here: https://bugs.chromium.org/p/chromium/issues/detail?id=1256670
>
> Best regards,
> Opera Security Team

Thus, apparently anything built on the Chromium engine will behave in this manner (IE surprises me because I thought it was using Microsoft's Trident engine.) If the default host of an SSL IP address has a valid certificate, a revoked certificate beneath it will be accepted. Firefox is doing what it is supposed to do.

In the first post of the Chromium bug thread, the author sends you to the link https://revoked-rsa-dv.ssl.com/ This opens in Opera, IE, and Edge just fine, but Firefox rejects it as revoked. This is the exact same scenario as with caddelectronics.com.

This is huge. Really huge, and it has apparently been going on for years. In comment 5, there is a link to a post from 2014 discussing the revocation problem and some differences between OCSP and CRL. I cannot agree that the single-site nature of OCSP is a problem, other than that an OCSP query will be sent to CAs by a browser for every secure site visited. As far as I am concerned, more requests and back-end look-ups are and should be the problem of the certificate authority to provide a faster and more secure experience for the user. OTOH, if CRLs are reaching such a huge size -- and the articles referenced are from the Heartbleed era in which hundreds of thousands of certificates had to be re-issued -- then the CRLs should be treated as content and sent out via content distribution networks if the CAs want to reduce their bandwidth costs.

Anyway, I have shitted up this thread enough. Bottom line: caddelectronics.com secure certificate has been revoked. Firefox is correctly rejecting access to the site while other browsers are erroneously allowing access. The guys at CADD need to fix their secure certificate, irrespective of it appearing to work.
atrax27407 Posted December 11, 2021

It is a FireFox problem.
+OLD CS1 Posted December 11, 2021

3 hours ago, atrax27407 said:
> It is a FireFox problem.

Firefox is doing exactly what it is supposed to do.
WhataKowinkydink Posted December 13, 2021

Can only access the site via Chrome. Glad to see CaDD is still around.
Reciprocating Bill Posted December 13, 2021

The Mac version of Chrome also rejects the site due to its expired certificate.
+OLD CS1 Posted December 13, 2021

2 hours ago, Reciprocating Bill said:
> The Mac version of Chrome also rejects the site due to its expired certificate.

I am curious: does the browser indicate the certificate is expired or revoked?
Reciprocating Bill Posted December 13, 2021

NET::ERR_CERT_REVOKED

Edited December 13, 2021 by Reciprocating Bill
jbdigriz Posted August 26, 2022

Ran into this issue today with the caddelectronics.com domain, just when I was about to plug CADD in another venue. Turning off security.OCSP.enable might get me in, but not going to do that. Looks like an issue with the hosting provider, circumventable with a Let's Encrypt cert, for which renewal is easily automated, but I note also that Google search reports CADD as "temporarily closed". Hope this can be sorted out soon and the 99/5C will be a thing.

jbdigriz