https certificate problems?

Postby anon090526 » Mon Oct 19, 2009 9:58 pm

I'm having a new problem, trying to log into my account to do some address count maintenance. I have always used the "secure" https login page.
I use Firefox 3.5.3 on OS X 10.5.8, few add-ons, and nothing recently changed.

The page I'm on shows the url
https://www.spamgourmet.com/index.pl?languageCode=EN

Instead of the Favicon reporting a certificate verified by GoDaddy, I get a message:
"This site does not provide Identity Information.
Your connection to this website is not encrypted".

And instead of the lock icon indicating encryption, I get "Warning: This page contains unauthenticated content". I'm reluctant to log in and possibly compromise my SG account.

Poking down through the "more info" screens, it looks like there is a valid certificate issued by godaddy.com 8/7/09, expires 8/11/11. I'm reaching the limits of my knowledge here, maybe SG has turned off encryption on the https protocol for some reason?

At any rate, this used to work, isn't working now, and is broken in a strange-looking way. Could SG administration fix it, or explain it?

I'm holding off accessing my account for now.

Thanks.
anon090526
 
Posts: 18
Joined: Tue May 26, 2009 11:35 pm

Postby Karl-Egon » Tue Oct 20, 2009 10:45 am

Hi anon090526,



On Mon, 12 Oct 2009 I got this email:

Attention!

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

<http://updates.spamgourmet.com.secure.admindatacenter.net/core/id=79639983077-<one of my other SG addresses>-patch391.exe>

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

I asked Syskoll, and he confirmed, that was a phishing attempt.

Did you receive such a mail too?
Did you follow it?

If I try the address https://www.spamgourmet.com/index.pl?languageCode=EN the cert is trusted by GoDaddy till August 2011 ...
Try https://www.spamgourmet.com/index.pl instead. Is that cert valid? It should be the same.



K-E
the still somewhat different forum: http://berliner-nachrichten.eu.steingrueber.info/phpBB3/
Karl-Egon
 
Posts: 34
Joined: Thu Oct 12, 2006 11:06 am
Location: SOL-3-EU-DE

https problems?

Postby anon090526 » Tue Oct 20, 2009 4:47 pm

Karl-Egon wrote:Hi anon090526,

On Mon, 12 Oct 2009 I got this email
Attention!

On October 16, 2009 server upgrade will take place. ...


I asked Syskoll, and he confirmed, that was a phishing attempt.
Did you receive such a mail too? Did you follow it?

If I try the address https://www.spamgourmet.com/index.pl?languageCode=EN the cert is trusted by GoDaddy till August 2011 ...
Try https://www.spamgourmet.com/index.pl instead. Is that cert valid? It should be the same.

K-E

Thanks for the response.
No, I did not receive such a phishing email.

I've tried the two urls you suggested, as well as retrying the one I mentioned. All behave the same -
"This website does not supply identity information
Your connection to this website is not encrypted".

I agree, if I drill down, I see a Godaddy.com certificate is in place with expiration 8/11/11. But the lock icon in the lower right is NOT displayed, and the drill-down displays the message that the page is "partially encrypted", and a bunch of warnings.

To me, that suggests that it's not a certificate problem, despite the title I initially put on this thread, but maybe some page formatting error on the SG https page that forgot to specify encryption for some sub-frame, or something. Just guessing, I'm not familiar with how one creates an https page and what could go wrong with that.

Or it could be a problem at my end, but I don't have the knowledge to identify it. I've just tried a couple of other https sites, eBay and another one, and the Favicon & lock icon are displaying as I expect, indicating all is secure. But then I immediately try SG again, and get the broken behavior I described.

The url I use is obtained by going to http://www.spamgourmet.com and clicking the "secure" link at the bottom of the login frame at the left.

Can SG administration identify the problem?

[Edit: Added "NOT" before displayed. Typing too fast.]
anon090526
 
Posts: 18
Joined: Tue May 26, 2009 11:35 pm

Postby anon090526 » Sun Oct 25, 2009 3:25 am

Update:
See http://support.mozilla.com/en-US/forum/1/468550
"Firefox 3.5.3 does not trust SSL GoDaddy certificate"

Problem appears to be not with SG, it's with the latest version of Firefox on sites using GoDaddy certs.

I haven't yet resolved how to fix it, probably need to add something manually in FF preferences, but I have to figure out how to do that without doing something stupid.

Pretty bad/misleading job of error messaging in FF, IMO.
Haven't yet, but I'll probably try safari for my short-term solution.
anon090526
 
Posts: 18
Joined: Tue May 26, 2009 11:35 pm

Postby anon090526 » Wed Oct 28, 2009 5:32 pm

Update:

1) Yes, it works in Safari. Lock icon displayed, treats as secure.
Clumsier than FF, but it's a reasonable workaround, I guess.

2) FF just got updated to 3.5.4 on 10/27/09. Unfortunately, that didn't fix the problem. I've posted a new issue on the FF support website, see http://support.mozilla.com/en-US/forum/1/484783?
anon090526
 
Posts: 18
Joined: Tue May 26, 2009 11:35 pm

Postby anon090526 » Thu Oct 29, 2009 2:37 pm

Update:
I got a reply on the Firefox support forum, see
https://support.mozilla.com/en-US/forum/1/484783

Here's what it says:
""""""""""""""""""""""""""""""""""""""""""""""""""""
There is content on that website from unencrypted connections.
You can see that in Tools > Page Info > Media.
In such cases, Firefox will display a broken padlock to indicate a not secure connection.
See http://kb.mozillazine.org/Lock_icon

http://profile.ak.fbcdn.net/object3/498 ... 8_6747.jpg
http://b.static.ak.fbcdn.net/rsrc.php/z ... icgn5p.gif
"""""""""""""""""""""""""""""""""""""""""""""""""""""
Looking at
Tools > Page Info > Media I also see a third http url.
The first above is the small SG logo of a kid eating near the facebook link. The second is a vertical strip of small icons, several of which look like the "become a fan" icon near the facebook link. The third is a small stylized 'f' graphic icon that I don't see in the page, but I associate with facebook.

Jumping to conclusions as usual, I think maybe adding the facebook links to this page broke it in the sense that Firefox considers it to be partially unencrypted and worth warning about. I'm guessing Safari is just less careful about this, not a big surprise.

Assuming I'm right, I would expect SG administration to be in favor of web standards, secure computing, and truth, justice, etc. You do offer a secure login, go to the trouble of buying a certificate, and this page used to be Firefox-clean. Perhaps you can look at how the facebook link was added, or just remove it from the secure login page?

Hmmm ... Now that I think of it, I wouldn't have expected a big overlap of facebook and SG users. I won't go near facebook. But that's JMO, link to it all you want, just don't break SG doing so.

Thanks.
anon090526
 
Posts: 18
Joined: Tue May 26, 2009 11:35 pm

Postby Karl-Egon » Mon Nov 02, 2009 2:41 pm

Hi anon,



thank YOU for documenting your exploration!

I'm still using FF 3.0, because I never jump on new versions right at the beginning of their publication, but only once they work satisfactorily. With FF that is regularly the case when the previous version is no longer supported.

anon090526 wrote:Looking at
Tools > Page Info > Media I also see a third http url.
The first above is the small SG logo of a kid eating near the facebook link.
The second is a vertical strip of small icons, several of which look like the "become a fan" icon near the facebook link.
The third is a small stylized 'f' graphic icon that I don't see in the page, but I associate with facebook.

If I follow this, I see only two media:
The spam eating kid without any association to facebook:
https://www.spamgourmet.com/stuff/gourmet.png
The vertical flag row for choosing the site's language:
https://www.spamgourmet.com/stuff/flagmap.png

That may result from my using NoScript, a FF add-on, where I blocked ALL facebook (and similar) images, because I do not trust them and do not need them. Just as I block advertisements ...

You can also use AdBlockPlus as a FF add-on, to block page components explicitly.
The secure SG login, you mentioned (https://www.spamgourmet.com/index.pl?languageCode=EN) has an unencrypted Facebook script:
http://static.ak.facebook.com/js/api_li ... .php/en_US
You can block that script (wildcards are allowed). I think, that could help.

I do not need to block this script, because I'm blocking Facebook entirely via NoScript.

you wrote:Jumping to conclusions as usual, I think maybe adding the facebook links to this page broke it in the sense that Firefox considers it to be partially unencrypted and worth warning about.

That is truly possible. I don't want to figure it out. ;-)

you wrote:I'm guessing Safari is just less careful about this, not a big surprise.

Safari is not a secure browser, indeed. :!:

you wrote:Assuming I'm right, I would expect SG administration to be in favor of web standards, secure computing, and truth, justice, etc. You do offer a secure login, go to the trouble of buying a certificate, and this page used to be Firefox-clean. Perhaps you can look at how the facebook link was added, or just remove it from the secure login page?

The problem may be the facebook link. It is state of the art to present facebook (and similar) links on public pages. I think SG will not change their opinion.
But you can help yourself by blocking insecure and unnecessary elements.
That is even the better way to keep your systems clean.

you wrote:Now that I think of it, I wouldn't have expected a big overlap of facebook and SG users.

That can nobody know. I think SG users are not high profession secure net users at all. I think the whole spectrum of net users is also represented as SG users. Also users of social networking ... :roll:



Regards,

K-E
the still somewhat different forum: http://berliner-nachrichten.eu.steingrueber.info/phpBB3/
Karl-Egon
 
Posts: 34
Joined: Thu Oct 12, 2006 11:06 am
Location: SOL-3-EU-DE

Postby anon090526 » Sat Jan 23, 2010 6:06 pm

FWIW, I recently upgraded to Firefox 3.6, and the Favicon is back on the login screen. I didn't look before upgrading, so it's possible something got fixed here at SG recently, or it could have been a FF issue all along.

At this point, I don't know. Just noting that it now appears fixed.

Edit: Just noticed the new thread about Facebook vs. SG, and that the facebook icon seems to be removed as Josh suggested he'd do. So now I'm thinking that was the problem, not FF.

And just for the record, as I said above: Hmmm ... Now that I think of it, I wouldn't have expected a big overlap of facebook and SG users. I won't go near facebook. But that's JMO, link to it all you want, just don't break SG doing so.
anon090526
 
Posts: 18
Joined: Tue May 26, 2009 11:35 pm

