Not Secure
-
When I try to open this site with old FireFox (44 or older), I get an error message:
What the fuck is that security crap doing again? How can I trick the old FuckingFuck to connect to this site?
-
@BernieTheBernie said in Not Secure:
What the fuck is that security crap doing again? How can I trick the old FuckingFuck to connect to this site?
Sounds like dld Firefox has the old issuer certificate for Let's Encrypt, so it's correctly failed.
Update Firefox (which is the correct answer) or get hold of the newer certificate and install it.
-
@BernieTheBernie said in Not Secure:
What the fuck is that security crap doing again? How can I trick the old FuckingFuck to connect to this site?
I'm guessing that FF is holding on to the old security configuration somehow despite the host having updated. (I've checked the expiry dates and none of the current issuers in the trust chain are close to expiring.) Either that or it's picking up some sort of proxy that's fucked up, and that's ignored by other browsers.
You'll need to examine the chain of certificates up to the root to be sure. It should be (as of time of writing):
-
@loopback0 said in Not Secure:
@BernieTheBernie said in Not Secure:
What the fuck is that security crap doing again? How can I trick the old FuckingFuck to connect to this site?
Sounds like dld Firefox has the old issuer certificate for Let's Encrypt, so it's correctly failed.
Update Firefox (which is the correct answer) or get hold of the newer certificate and install it.
Can @Lorne-Kates access the site anymore?
-
And just found the following article:
Will do the needful somewhen after lunch.
Burp.
-
@BernieTheBernie Update your browser: https://twitter.com/Scott_Helme/status/1443293844292919304
-
Oh great, even
https://valid-isrgrootx1.letsencrypt.org/
produces that error.I won't update FF. Those old versions can make use of my proxy.pac file which offers 3 switchable levels of filtering. Version 88 fails at level switching, but at least accepts the file.
-
Chain of Trust
Root Certificates Our roots are kept safely offline. We issue end-entity certificates to subscribers from the intermediates in the next section. For additional compatibility as we submit our new Root X2 to various root programs, we have also cross-signed it from Root X1. Active ISRG Root X1 (RSA...
-
-
@BernieTheBernie said in Not Secure:
Ah,
, solved.
Had to downloadisrgrootx1.derfromhttps://letsencrypt.org/certificates/from the page linked by @loopback0
Next, in FF, go to Options, Advanced, Certificates, View Certificates. That opens another dialog, there go to the Authorities tab, click the Import button, and import that file.
-
@BernieTheBernie Firefox maintains its own certificate store, so one of the disadvantages of sticking with an old version is that you miss out on its root CA updates.
Firefox 49 onwards can be set to check the Windows CA store too - although I've not looked if that would have helped in this scenario or not.
-
Heh, I just encountered this in PostMan, apparently it needs updatin'...
-
@Tsaukpaetra Already Xmas at your place?
-
-
@BernieTheBernie said in Not Secure:
@Tsaukpaetra Already Xmas at your place?
Xmas is only on the 25th.
-
@BernieTheBernie well that fixes the cert issue, but not the "your browser is RCEable by any random driveby website/ad/link" problem. But if you don't care about that...
fakeedit oh yeah YIKES there are a WHOLE LOT of vulns
-
@sloosecannon said in Not Secure:
fakeedit oh yeah YIKES there are a WHOLE LOT of vulns
Yeah I especially like the addressbar overlaying abilities.
-
@Tsaukpaetra said in Not Secure:
@sloosecannon said in Not Secure:
fakeedit oh yeah YIKES there are a WHOLE LOT of vulns
Yeah I especially like the addressbar overlaying abilities.
Oh that's fun
-
@sloosecannon said in Not Secure:
@Tsaukpaetra said in Not Secure:
@sloosecannon said in Not Secure:
fakeedit oh yeah YIKES there are a WHOLE LOT of vulns
Yeah I especially like the addressbar overlaying abilities.
Oh that's fun
-
@Zecc said in Not Secure:
@sloosecannon said in Not Secure:
@Tsaukpaetra said in Not Secure:
@sloosecannon said in Not Secure:
fakeedit oh yeah YIKES there are a WHOLE LOT of vulns
Yeah I especially like the addressbar overlaying abilities.
Oh that's fun
-
@Jaloopa said in Not Secure:
@Zecc said in Not Secure:
@sloosecannon said in Not Secure:
@Tsaukpaetra said in Not Secure:
@sloosecannon said in Not Secure:
fakeedit oh yeah YIKES there are a WHOLE LOT of vulns
Yeah I especially like the addressbar overlaying abilities.
Oh that's fun
-
@Zecc said in Not Secure:
@sloosecannon said in Not Secure:
@Tsaukpaetra said in Not Secure:
@sloosecannon said in Not Secure:
fakeedit oh yeah YIKES there are a WHOLE LOT of vulns
Yeah I especially like the addressbar overlaying abilities.
Oh that's fun
If you want the tag closed, you can close it yourself, dammit
-
Let's Encrypt DST Root CA X3 expiry Sept 30th 2021 | Certify The Web Docs
no