Report board software problems here

OT: anything goes!

Moderator: Edi

Dominus Atheos
Sith Marauder
Posts: 3904
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Post by Dominus Atheos »

When I try to connect to the SSL encrypted version of this forum, Firefox 3 betas 4 and 5 both give an error message and won't let me connect:
bbs.stardestroyer.net uses an invalid security certificate.

The certificate is only valid for localhost.

(Error code: ssl_error_bad_cert_domain)
I assume this is due to the increased security features in Firefox 3, and the fact that the certificate Mike uses for the encryption only applies to "localhost" and not https://bbs.stardestroyer.net/. Of course, Firefox should give you an option to accept it anyway, which is why I'm submitting a bug report.

PS Mike, do you mind if I give a link to the secured forum when I post the bug on the publicly viewable Mozilla forums?
Dominus Atheos
Sith Marauder
Posts: 3904
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Post by Dominus Atheos »

So after asking around, I've been told "it's not a bug, it's a feature." :banghead:

Like I said, one of the features of Firefox 3 is it's more secure, and apparently the designers at Mozilla deliberately removed the "accept certificate anyway" option when it detects an invalid SSL cert. Instead Firefox just full stop won't let you access the site. There is a long way to get around it, so I'd recommend either trying to fix the issue, or if you can't (I don't know a whole lot about SSL certs), add the workaround to the board's FAQ.

I'd still like to post this issue on the Mozillazine forums and try to get the devs to change their minds before Firefox 3 is officially released, and obviously I'd need a link to someplace with an invalid certification so any reader can reproduce the issue themselves.
Darth Wong
Sith Lord
Posts: 70028
Joined: 2002-07-03 12:25am
Location: Toronto, Canada

Post by Darth Wong »

That's stupid. There are plenty of websites out there which have mismatched security certificates, and not everyone wants to pay a yearly fee for a certificate that's been signed by Verisign or Thawte. It doesn't help that you need a separate certificate for every subdomain. Even certain servers on ISPs have this problem.

Taking an option like that away from users is just brain-damaged thinking. I suppose it's safer to force people to use non-encrypted communication than to let them choose to override a certificate mismatch on SSL?
"It's not evil for God to do it. Or for someone to do it at God's command."- Jonathan Boyd on baby-killing

"you guys are fascinated with the use of those "rules of logic" to the extent that you don't really want to discussus anything."- GC

"I do not believe Russian Roulette is a stupid act" - Embracer of Darkness

"Viagra commercials appear to save lives" - tharkûn on US health care.

http://www.stardestroyer.net/Mike/RantMode/Blurbs.html
Dominus Atheos
Sith Marauder
Posts: 3904
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Post by Dominus Atheos »

Darth Wong wrote:That's stupid. There are plenty of websites out there which have mismatched security certificates, and not everyone wants to pay a yearly fee for a certificate that's been signed by Verisign or Thawte. It doesn't help that you need a separate certificate for every subdomain. Even certain servers on ISPs have this problem.

Taking an option like that away from users is just brain-damaged thinking. I suppose it's safer to force people to use non-encrypted communication than to let them choose to override a certificate mismatch on SSL?
After a bit more asking around, I was told there was already a bug report about the issue here, which is actually a bug for Thunderbird. After reading it, it looks like they aren't going to do anything about it. It was filed back in January for Thunderbird 2, and the 5th beta's release candidate for Firefox 3 released last week still doesn't have any user-friendly workaround.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

Darth Wong wrote:That's stupid. There are plenty of websites out there which have mismatched security certificates, and not everyone wants to pay a yearly fee for a certificate that's been signed by Verisign or Thawte. It doesn't help that you need a separate certificate for every subdomain. Even certain servers on ISPs have this problem.
Mike, have you considered getting a certificate from StartCom? Firefox, Konqueror and Safari support that CA by default, and the certificate is free.
Darth Wong wrote:Taking an option like that away from users is just brain-damaged thinking. I suppose it's safer to force people to use non-encrypted communication than to let them choose to override a certificate mismatch on SSL?
Can you regenerate the certificate so that it's pointing at the right domain instead of just localhost in the "Issued To" CN? That might resolve the issue there; I don't think it's an issue that the CA is unrecognized.
Bounty
Emperor's Hand
Posts: 10767
Joined: 2005-01-20 08:33am
Location: Belgium

Post by Bounty »

I'm running Beta 4 and there *is* a manual override. In the error page, you should see a blue link to add the current page as an exception. This opens a menu that lets you see the current certificate, add it to the exceptions, and store that exception for future sessions.

The procedure to bypass the certificate has gotten a lot more bloated, but it's still there.
Dominus Atheos
Sith Marauder
Posts: 3904
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Post by Dominus Atheos »

Really? Then maybe it is a bug. Here's what I see:

Image

All I can do is click the OK button, and after that nothing happens. I mean, the message goes away, but the page doesn't go anywhere. If I open a new tab on the link, after the error message the page stays blank.
Bounty
Emperor's Hand
Posts: 10767
Joined: 2005-01-20 08:33am
Location: Belgium

Post by Bounty »

I use full-page error messages, so maybe the exception system isn't fully implemented for pop-ups yet. It looked similar to this.

(ETA: ignore the text, the writer's an idiot)
Dominus Atheos
Sith Marauder
Posts: 3904
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Post by Dominus Atheos »

Oh that is fucking awesome. :roll:

It looks like since my error stems from the cert not matching the site name, it won't even give me a long way to access it, but since your error is due to Mike signing the cert himself, it does give you a way. :banghead:
Bounty
Emperor's Hand
Posts: 10767
Joined: 2005-01-20 08:33am
Location: Belgium

Post by Bounty »

Dominus Atheos wrote:Oh that is fucking awesome. :roll:

It looks like since my error stems from the cert not matching the site name, it won't even give me a long way to access it, but since your error is due to Mike signing the cert himself, it does give you a way. :banghead:
How is that even possible? Are you sure the bug isn't just that the exceptions button hasn't been added to the pop-up yet?
Dominus Atheos
Sith Marauder
Posts: 3904
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Post by Dominus Atheos »

If you read the link I posted earlier to Bugzilla, you'll see some Mozilla devs explaining to a user that the easy way to get past a bad cert domain error is gone. One says:
You can't override the security warning from the dialog box anymore, it has to be done with Tools->Options->Advanced->Encryption->View Certificates in Firefox
and another
No, it's not a temporary behavior. The error message is supposed to be a full stop, and we no longer intend to offer a simple click through.

It's gone, because it was not "convenient", but "insecure", and it encouraged users to simply "don't care" about security, which is a bad thing.
Bounty
Emperor's Hand
Posts: 10767
Joined: 2005-01-20 08:33am
Location: Belgium

Post by Bounty »

The one-button clickthrough is gone, but they don't say that the entire bypass has been removed; even the bit you quoted says that accepting a bad certificate for a domain is a one-time procedure.
Dominus Atheos
Sith Marauder
Posts: 3904
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Post by Dominus Atheos »

Bounty wrote:The one-button clickthrough is gone, but they don't say that the entire bypass has been removed; even the bit you quoted says that accepting a bad certificate for a domain is a one-time procedure.
Well yeah, like I said in the first post, there's a workaround, which I actually used. The problem is most users won't know about it, and apparently the Mozilla devs deliberately made it that way. So when Firefox 3 gets released to the general public, any user of it won't be able to access the SSL encrypted version of this forum. So I recommended Mike either try to fix the issue on his end, put the Tools->Options->Advanced->Encryption->View Certificates workaround in the board's FAQ, or let me post a link to the site on the Mozillazine forums and see if I can't get the devs to change their minds.
Thanas
Magister
Posts: 30779
Joined: 2004-06-26 07:49pm

Post by Thanas »

I am having several board software problems lately. It was all working properly until now and I have not changed my software, so I'd assume the fault lies not on my end.

Several times today, whenever I try to post a response, I am getting "invalid session" errors shown above the reply window.

Also, the board has apparently locked me out several times.
Whoever says "education does not matter" can try ignorance
------------
A decision must be made in the life of every nation at the very moment when the grasp of the enemy is at its throat. Then, it seems that the only way to survive is to use the means of the enemy, to rest survival upon what is expedient, to look the other way. Well, the answer to that is 'survival as what'? A country isn't a rock. It's not an extension of one's self. It's what it stands for. It's what it stands for when standing for something is the most difficult! - Chief Judge Haywood
------------
My LPs
RogueIce
_______
Posts: 13387
Joined: 2003-01-05 01:36am
Location: Tampa Bay, Florida, USA

Post by RogueIce »

I don't know if it's the board or maybe the PayPal button, but every time I try to come to the site IE7 freezes on me and I have to close my browser and try again. It's kinda random, too, on how many times I have to try again before it finally works. This only happens if I've opened IE7 again (ie: after starting up, or if I've closed my browser and then bring it back up again, etc.). If I just open a new tab or navigate away there's no problem, assuming I've already gotten SDN to work once while it was open. This happens on the regular site, the encrypted site, and even the low-bandwidth one.
"How can I wait unknowing?
This is the price of war,
We rise with noble intentions,
And we risk all that is pure..." - Angela & Jeff van Dyck, Forever (Rome: Total War)

"On and on, through the years,
The war continues on..." - Angela & Jeff van Dyck, We Are All One (Medieval 2: Total War)
"Courage is not the absence of fear, but rather the judgment that something else is more important than fear." - Ambrose Redmoon
"You either die a hero, or you live long enough to see yourself become the villain." - Harvey Dent, The Dark Knight
Rogue 9
Scrapping TIEs since 1997
Posts: 18670
Joined: 2003-11-12 01:10pm
Location: Classified

Post by Rogue 9 »

Search results won't display; the results page loads plain white and won't give me anything else.
It's Rogue, not Rouge!

HAB | KotL | VRWC/ELC/CDA | TRotR | The Anti-Confederate | Sluggite | Gamer | Blogger | Staff Reporter | Student | Musician
Darth Wong
Sith Lord
Posts: 70028
Joined: 2002-07-03 12:25am
Location: Toronto, Canada

Post by Darth Wong »

Rogue 9 wrote:Search results won't display; the results page loads plain white and won't give me anything else.
That normally means the search took too long and timed out.

BTW, I'm not sure what happened last night. The server was powered off this morning and there were other signs of a major power outage, like reset clocks and such, but there was no power failure at home and nobody said anything about a long power failure on the news.
The Yosemite Bear
Mostly Harmless Nutcase (Requiescat in Pace)
Posts: 35211
Joined: 2002-07-21 02:38am
Location: Dave's Not Here Man

Post by The Yosemite Bear »

That's cool, I woke up at about 11 and tried to surf, and couldn't find you guys.

The scariest folk song lyrics are "My Boy Grew up to be just like me" from cats in the cradle by Harry Chapin
Darth Wong
Sith Lord
Posts: 70028
Joined: 2002-07-03 12:25am
Location: Toronto, Canada

Post by Darth Wong »

phongn wrote:
Darth Wong wrote:That's stupid. There are plenty of websites out there which have mismatched security certificates, and not everyone wants to pay a yearly fee for a certificate that's been signed by Verisign or Thawte. It doesn't help that you need a separate certificate for every subdomain. Even certain servers on ISPs have this problem.
Mike, have you considered getting a certificate from StartCom? Firefox, Konqueror and Safari support that CA by default, and the certificate is free.
Good idea! I just installed it. Let's see if that helps.

PS. It only works on one sub-domain, so I used bbs.stardestroyer.net instead of server.stardestroyer.net, figuring that most people use that one. I'm not sure how I would go about setting up two certs for two different subdomains on the same server. Something to do with the virtual hosting, but I'm not that much of an Apache guru.
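Added example, not part of any post in this thread: the name check behind ssl_error_bad_cert_domain, written as a small Python matcher over constructed certificate data shaped like the output of `ssl.SSLSocket.getpeercert()`. It goes beyond the thread by also showing a multi-name (subjectAltName) certificate and a wildcard certificate, either of which would cover both subdomains mentioned above; the function and constant names are illustrative.

```python
# Added example: hostname matching over constructed certificate data.
# The dicts below are constructed samples, not the board's real certificates.

def cert_dns_names(cert):
    """DNS names a certificate is valid for.

    subjectAltName DNS entries win; the subject CN is consulted only when
    no DNS SAN exists (legacy behaviour; current browsers ignore the CN).
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def name_matches(pattern, host):
    """Compare one certificate name with the requested host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*" and len(p) >= 3:
        p, h = p[1:], h[1:]   # "*" stands for exactly the left-most label
    return p == h


def covers(cert, host):
    """True when any name in the certificate matches the host."""
    return any(name_matches(n, host) for n in cert_dns_names(cert))


# Constructed samples: the original mismatch, a single-name replacement,
# and two ways one certificate can serve both subdomains.
LOCALHOST_CERT = {"subject": ((("commonName", "localhost"),),)}
SINGLE_CERT = {"subject": ((("commonName", "bbs.stardestroyer.net"),),)}
MULTI_SAN_CERT = {
    "subject": ((("commonName", "bbs.stardestroyer.net"),),),
    "subjectAltName": (("DNS", "bbs.stardestroyer.net"),
                       ("DNS", "server.stardestroyer.net")),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.stardestroyer.net"),)}


def report(hosts=("bbs.stardestroyer.net", "server.stardestroyer.net")):
    """Map each sample certificate to its per-host match result."""
    certs = {"localhost": LOCALHOST_CERT, "single": SINGLE_CERT,
             "multi-san": MULTI_SAN_CERT, "wildcard": WILDCARD_CERT}
    return {label: {h: covers(c, h) for h in hosts}
            for label, c in certs.items()}


if __name__ == "__main__":
    for label, row in report().items():
        print(label, row)
```

The name check is independent of who signed the certificate, so a mismatch and an unrecognized issuer are separate failures.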
Darth Wong
Sith Lord
Posts: 70028
Joined: 2002-07-03 12:25am
Location: Toronto, Canada

Post by Darth Wong »

Looks like StartCom is not a widely recognized CA, at least not out of the box.
Einhander Sn0m4n
Insane Railgunner
Posts: 18630
Joined: 2002-10-01 05:51am
Location: Louisiana... or Dagobah. You know, where Yoda lives.

Post by Einhander Sn0m4n »

Server borked again and only just now came back.
Darth Wong
Sith Lord
Posts: 70028
Joined: 2002-07-03 12:25am
Location: Toronto, Canada

Post by Darth Wong »

Um, I think I have a more serious problem this time. The last time this happened, I thought it was just a power glitch. But this time, it looked like the motherboard is starting to act up. It hung twice on IDE detection, then it gave me one long beep and two short beeps, then on the fourth try the CD-ROM drive tray kept going in and out repeatedly while it tried to IDE auto-detect, and then finally on the fifth try it managed to detect the drives and boot the OS.

That is not a good sequence, folks. It seems to me like the MB is starting to fuck itself.
Mr Bean
Lord of Irony
Posts: 22459
Joined: 2002-07-04 08:36am

Post by Mr Bean »

Darth Wong wrote:
That is not a good sequence, folks. It seems to me like the MB is starting to fuck itself.
Masturbation is a helpful way to relieve stress I thought.

Seriously, might it be time to double-check the ol' backups and start hitting people up for the buy Wong another MB?

"A cult is a religion with no political power." -Tom Wolfe
Pardon me for sounding like a dick, but I'm playing the tiniest violin in the world right now-Dalton
The Yosemite Bear
Mostly Harmless Nutcase (Requiescat in Pace)
Posts: 35211
Joined: 2002-07-21 02:38am
Location: Dave's Not Here Man

Post by The Yosemite Bear »

yeah, I was rather annoyed, then I logged off and played CIV IV for a while.

Ouch, sorry Mike, and I just recovered from a Mobo loss from a failing power supply.
Academia Nut
Sith Devotee
Posts: 2598
Joined: 2005-08-23 10:44pm
Location: Edmonton, Alberta

Post by Academia Nut »

Okay, I got a really weird and nasty looking error. It said I had to delete the /install and /contrib files to get access there for a little while, which sounds bad considering the problems that have been happening. It could be me, but I cleared everything and it still popped up before going away on its own.
I love learning. Teach me. I will listen.
You know, if Christian dogma included a ten-foot tall Jesus walking around in battle armor and smashing retarded cultists with a giant mace, I might just convert - Noble Ire on Jesus smashing Scientologists