Interesting combo

Discussion in 'General Questions' started by Andy, Jul 21, 2015.

  1. Andy

    Andy ΜΟΛΩΝ ΛΑΒΕ

    I installed beta El Capitan on my MacBook Pro; trying to get here with Chrome, a security alert says this site's cert is not valid/not high enough encryption for HTTPS access and the site won't load. Get here just fine with Yosemite and Chrome on iOS 8
     
  2. Biker

    Biker Administrator Staff Member

    The beta lies.

    Certificate is secured via PKCS #1 SHA-256 With RSA Encryption
     
  3. Andy

    Andy ΜΟΛΩΝ ΛΑΒΕ

    I think it's actually Chrome acting funny through El Capitan:

    Here is the text when I click on the red lock from 64 bit Chrome on El Capitan:



    This site uses a weak security configuration (SHA-1 signatures), so your connection may not be private.

    The identity of this website has been verified by COMODO RSA Domain Validation Secure Server CA but does not have public audit records.

    The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.

    Your connection to www.globalaffairs.org is encrypted with obsolete cryptography.

    The connection uses TLS 1.2.

    The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism.


    Here's the text from the green lock on Yosemite:


    Your connection to this site is private.

    The identity of this website has been verified by COMODO RSA Domain Validation Secure Server CA. No Certificate Transparency information was supplied by the server.

    Your connection to Global Affairs is encrypted using an obsolete cipher suite.

    The connection uses TLS 1.2.

    The connection is encrypted using AES_256_CBC, with HMAC-SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism.
     
  4. ethics

    ethics Pomp-Dumpster Staff Member

    Same here. Same OS. This is the issue I sent you an email about, Tom. I just use Safari though and stopped complaining. But if it's more than one person....
     
  5. Biker

    Biker Administrator Staff Member

    Security tweaks | Global Affairs

    I could most certainly turn off TLS 1.2.

    And then most of GA's users would have issues connecting to the site.

    Until a new standard is adopted and utilized across the Internet, those morons at Google need to concentrate on cleaning their own house and browser.
     
  6. Andy

    Andy ΜΟΛΩΝ ΛΑΒΕ

    Don't go changin' anything on my account. I'm submitting it through as a bug to the beta report as well
     
  7. Biker

    Biker Administrator Staff Member

    I'm not going to change anything.

    The problem with Google complaining about TLS 1.2 is there's nothing to replace it yet. TLS 1.3 is still in draft format and lord knows when the RFC will be finalized. Google is doing nothing more than fear mongering as there isn't anything that can take the place of TLS 1.2. It's all we have right now and until TLS 1.3 is finalized, Google needs to STFU.
     
  8. Biker

    Biker Administrator Staff Member

  9. Allene

    Allene Registered User

    Waaaay over my head! :)
     
  10. Andy

    Andy ΜΟΛΩΝ ΛΑΒΕ

    More info on my issue here with Chrome/El Capitan Beta for info purposes.....

    It's a double whammy Mexican standoff between Chrome's latest build and Apple El Capitan Beta.. and I don't see Chrome/Google blinking.

    OS X El Capitan is a Buggy One, So What Can an App Developer Do? - The New Stack


    It's been reported by/to Chrome here:

    Issue 499506 - chromium - SHA1 warning fires on every site with a cert valid past Jan 1 2016 - An open-source project to help move the web forward. - Google Project Hosting

    Google also reports here they are doing it on purpose with any cert that has an expiration date after 1 January 2017 (GA's cert here is set to expire 6 March 2017)

    Google Online Security Blog: Gradually sunsetting SHA-1


    Here is another view of the same thing I see when trying to log in here with Chrome and El Capitan.

    Engine Yard Subdomains Show SSL Warnings – Engine Yard Developer Center

    Currently Chrome-based browsers with this build have zero ability to let the user ignore the lockout and continue to the site as they did in the past, the "proceed" button and hidden code appears to be no longer available.
     
  11. ethics

    ethics Pomp-Dumpster Staff Member

    Fuck Google then. Safari is actually decent in El Capitan.
     
  12. Biker

    Biker Administrator Staff Member

    Yep, and we're getting bit by that bug.

    Our certificate was signed using SHA-2 and was a 2 year issue (well under the 38 month mandate). Complaining about the expiration date without taking into account when it was issued is going to result in a LOT of unhappy admins beating Google up.

    Edit -- I just fired up Chrome and tested the site. Certificate showed a nice pretty shade of green to me (in Windows 10).

    I'll double check the cipher encryptions again to see if further tweaking can be done, but I don't think it's possible without affecting a lot of older systems that can't utilize the newer cipher routines.
     
  13. ethics

    ethics Pomp-Dumpster Staff Member

    You tried this under Mac? Because as Andy pointed out, the issue is with Mac's new OS, Chrome, and certification.
     
  14. Biker

    Biker Administrator Staff Member

    Nope. No machine that's running Apple products. I assumed it was a Chrome issue, and not the combination of the two. My bad.
     
  15. Andy

    Andy ΜΟΛΩΝ ΛΑΒΕ

    And that's part of the bug/issue/whatever, it seems to be balking about the connection encryption type..

    The cert here when accessing with Chrome on a Mac (On both El Capitan AND Yosemite) shows the connection is encrypted with only SHA-1

    This is what the cert says on my Mac with Yosemite

    With Chrome on El Capitan:

     
  16. Biker

    Biker Administrator Staff Member

    That's because the root CA can communicate via SHA-1, which should never be an issue. This is where the bug is coming into play. The certificate itself was created via SHA-2.

    I'll double check with the issuing authority to see if they have updated intermediate certificates to clear the error.
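
A model of the two checks this thread revolves around, added here as an illustration and not code from the forum or from Google: the SHA-1 sunset verdict Andy links to (warning for chains with a SHA-1 signature and a leaf valid past 1 Jan 2016, hard failure past 1 Jan 2017) and the "obsolete cryptography" label on the cipher suite. The `count_root` switch models Biker's hypothesis that the beta counted the root's own SHA-1 self-signature, which a trust-store root should never be judged on; the chain, its dates and the root name are constructed sample data.

```python
"""Chrome SHA-1 sunset and 'obsolete cryptography' checks, modelled on the
thread above. Constructed sample data; not the forum's or Google's code."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Cert:
    subject: str
    sig_alg: str            # algorithm that signed THIS cert
    not_after: date
    trust_anchor: bool = False  # self-signed root from the OS/browser store


def sha1_verdict(chain, count_root=False):
    """Verdict for a chain ordered leaf -> root.

    A trust anchor's self-signature proves nothing (trust comes from the
    root store), so Chrome ignores it; count_root=True models the bug
    hypothesis that the beta judged the root's SHA-1 self-signature anyway.
    """
    leaf = chain[0]
    sha1_present = any(
        c.sig_alg.lower().startswith("sha1")
        for c in chain if count_root or not c.trust_anchor)
    if not sha1_present:
        return "secure"
    if leaf.not_after >= date(2017, 1, 1):
        return "insecure"        # red lock, no proceed button
    if leaf.not_after >= date(2016, 1, 1):
        return "minor-errors"    # yellow triangle
    return "secure"


def cipher_suite_obsolete(suite, tls_version="TLS 1.2"):
    """Chrome's 'obsolete' label: anything other than TLS 1.2 with a
    forward-secret (ECDHE/DHE) exchange and an AEAD cipher (GCM/ChaCha20).
    CBC with HMAC-SHA1, as seen in the thread, fails the AEAD requirement."""
    s = suite.upper()
    aead = "GCM" in s or "CHACHA20" in s
    pfs = "ECDHE" in s or "DHE" in s
    return not (tls_version == "TLS 1.2" and aead and pfs)


# Constructed chain: SHA-256 leaf expiring 6 March 2017 (as in the thread),
# SHA-256 intermediate, and a SHA-1 self-signed root from the trust store.
GA_CHAIN = [
    Cert("www.globalaffairs.org", "sha256WithRSAEncryption", date(2017, 3, 6)),
    Cert("COMODO RSA Domain Validation Secure Server CA",
         "sha256WithRSAEncryption", date(2029, 2, 11)),
    Cert("Example Root CA (constructed)", "sha1WithRSAEncryption",
         date(2038, 1, 18), trust_anchor=True),
]
```

With the root ignored the chain is "secure"; counting the root's SHA-1 self-signature turns the same chain "insecure", which is the yellow-to-red flip the El Capitan beta showed.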
     
  17. Andy

    Andy ΜΟΛΩΝ ΛΑΒΕ

    FWIW, latest El Capitan Beta build now allows the cert here to be seen as a "green" lock and I can get back in through Chrome.
     