The Firing Line Forums


Old March 28, 2009, 12:16 PM   #1
tyme
Staff
 
Join Date: October 13, 2001
Posts: 3,156
TFL and SSL ("invalid certificate" messages)

Recently we've gotten more than a few complaints about the SSL certificate in use at TFL.

As anyone can see, we created the current self-signed cert over two years ago, before the recent hysterical Firefox changes. The self-signed cert costs nothing and allows anyone to use SSL to access TFL, if they're worried about their boss/neighbor/whoever snooping. This use of SSL for non-sensitive purposes is not futile or stupid IMO. Furthermore, with proper diligence -- checking the certificate's hash, ideally from multiple locations and over time -- it is possible to achieve reasonable confidence in the legitimacy of a self-signed certificate.

I don't want to go into the details of Firefox's obnoxious behavior or the reasons for it here. (Google "firefox self-signed certificates" for heated opinions on both sides of the argument.) I will point out that MSIE 7, Google Chrome, and Opera all handle self-signed certificates in a much more reasonable way. There is a Firefox extension that deals with self-signed SSL certificates in a more sane manner: Perspectives.

"So what?"

Google and perhaps some other search engines are indexing SSL versions of pages/urls at TFL. This causes some innocent visitors to get sucked into the https version of TFL, and if they're using Firefox, they get a scary warning and no easy way to get around it. That's very bad.

Disabling SSL might work in the long run, but short-term it will break every incoming https link, which I don't think is a good idea.

Free SSL certificates: Not viable as far as I can tell... Neither Firefox 3, nor Opera (10 beta), nor IE7 or IE8 come with StartCom's class 1 cert signing key. I just got a cert for TFL and tested it, and since there's no significant difference in warning messages I'm leaving the current self-signed cert for the time being. At least this way people who have already accepted the cert don't have to accept a new one.

What might work: one of the email complaints recommended sending Googlebot a different robots.txt to deny access when it tries to use SSL. I've started doing that (for all bots, not just google). (after further review, some people seem to think that Google doesn't differentiate https://site/robots.txt from http://site/robots.txt, so denying all in https:// could remove all hits for the site from google.) TFL is also now redirecting every https googlebot request to the non-SSL version of whatever page it wanted. I don't know how this will affect search indexing, but since it only affects SSL pages, which aren't the majority of incoming links to TFL, I'm willing to experiment. Unfortunately, changes targeted at google's indexing take time to go into effect.

So... ideas? I'm not very familiar with search engines' behaviors, so I can only guess how Googlebot et al. will react.
__________________
“The egg hatched...” “...the egg hatched... and a hundred baby spiders came out...” (blade runner)
“Who are you?” “A friend. I'm here to prevent you from making a mistake.” “You have no idea what I'm doing here, friend.” “In specific terms, no, but I swore an oath to protect the world...” (continuum)
“It's a goal you won't understand until later. Your job is to make sure he doesn't achieve the goal.” (bsg)
tyme is offline  
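The "proper diligence" tyme describes, checking the certificate's hash from multiple locations and over time, is the idea behind the Perspectives extension he mentions: independent vantage points ("notaries") record the fingerprint they see, and a client trusts a self-signed cert only when enough of them agree for long enough. The following is an added example of mine, not code from TFL or from the Perspectives project. It models that decision over constructed observations; the notary names, day numbers and fingerprint strings are made up, and it does no network I/O.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    """One notary's record: which cert fingerprint it saw on a given day."""
    notary: str       # vantage point that made the TLS connection (constructed names)
    day: int          # observation day, counted from an arbitrary epoch
    fingerprint: str  # hex fingerprint of the leaf cert as that notary saw it

def stable_fingerprint(observations, quorum=3, min_days=7):
    """Return the single fingerprint that at least `quorum` distinct notaries
    have reported over a span of at least `min_days`, with nobody reporting a
    different cert on the most recent day. Return None if no such history exists
    (too few notaries, too short a history, or conflicting reports)."""
    obs = list(observations)
    if not obs:
        return None
    by_fp = {}
    for o in obs:
        by_fp.setdefault(o.fingerprint, []).append(o)
    qualifying = []
    for fp, seen in by_fp.items():
        notaries = {o.notary for o in seen}
        days = [o.day for o in seen]
        if len(notaries) >= quorum and max(days) - min(days) >= min_days:
            qualifying.append(fp)
    # Two different fingerprints with solid histories means the world disagrees
    # about this host; that is not a basis for trust either.
    if len(qualifying) != 1:
        return None
    fp = qualifying[0]
    latest = max(o.day for o in obs)
    if any(o.day == latest and o.fingerprint != fp for o in obs):
        return None  # someone currently sees a different cert: possible interception or a cert change
    return fp

def judge(local_fingerprint, observations, quorum=3, min_days=7):
    """Compare what this client sees against the notaries' consensus.
    MATCH: the cert we were handed is the one everyone has been seeing.
    MISMATCH: the notaries agree on a cert, but we got a different one (warn loudly).
    UNKNOWN: no stable history yet, so the self-signed cert is unverified."""
    fp = stable_fingerprint(observations, quorum, min_days)
    if fp is None:
        return "UNKNOWN"
    return "MATCH" if fp == local_fingerprint else "MISMATCH"

# Constructed sample data (not real fingerprints or real notaries).
FP_A = "sha256:" + "ab" * 32
FP_B = "sha256:" + "cd" * 32
NOTARIES = ("notary-1", "notary-2", "notary-3")
HISTORY = [Observation(n, d, FP_A) for n in NOTARIES for d in (0, 3, 7, 10)]
SHORT_HISTORY = [Observation(n, d, FP_A) for n in NOTARIES for d in (0, 1, 2)]
DISAGREEING = HISTORY + [Observation("notary-3", 10, FP_B)]

if __name__ == "__main__":
    print("established cert, same as ours:", judge(FP_A, HISTORY))
    print("established cert, ours differs: ", judge(FP_B, HISTORY))
    print("only three days of history:     ", judge(FP_A, SHORT_HISTORY))
    print("one notary now sees another cert:", judge(FP_A, DISAGREEING))
```

Note the limitation that the thread itself runs into: a consensus check cannot distinguish a legitimate cert replacement from an attack. When the operator issues a new cert, the result drops to UNKNOWN until the notaries have watched the new fingerprint for `min_days`, which is one reason tyme prefers to keep the cert people have already accepted.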
Old March 28, 2009, 12:40 PM   #2
Mike Irwin
Staff
 
Join Date: April 13, 2000
Location: Northern Virginia
Posts: 35,891
This is the first I've heard about this.

I googled the "firefox self-signed certificates" and did some reading... VERY interesting stuff.

What kind of costs are involved with a third party certificate authenticator?

I'm using Firefox 3.0.7 and I have NOT encountered any of these certificate issues.
__________________
"The gift which I am sending you is called a dog, and is in fact the most precious and valuable possession of mankind" -Theodorus Gaza

Baby Jesus cries when the fat redneck doesn't have military-grade firepower.
Mike Irwin is offline  
Old March 28, 2009, 12:50 PM   #3
ChuckC
Member
 
Join Date: March 16, 2009
Location: Huntsville, AL
Posts: 62
Check your PMs tyme
ChuckC is offline  
Old March 28, 2009, 12:50 PM   #4
tyme
Staff
 
Join Date: October 13, 2001
Posts: 3,156
One of the cheaper ones is comodo instantssl I think... $99/yr for 1 year, down to $65/yr for a 5-year cert.

It's just asinine to pay for a cert for TFL when hardly anyone would use it. The whole SSL thing was supposed to be optional for people who know they want it, know what the security implications are, and know enough to check if TFL supports it... (as you point out, most people won't even know about it unless they try it or get hijacked into using it because of silly search indexes and/or silly people linking to tfl with https://).

Chuck, thanks for the input, but we don't want Googlebot to get confused. We just want it indexing http:// pages rather than https://
__________________
“The egg hatched...” “...the egg hatched... and a hundred baby spiders came out...” (blade runner)
“Who are you?” “A friend. I'm here to prevent you from making a mistake.” “You have no idea what I'm doing here, friend.” “In specific terms, no, but I swore an oath to protect the world...” (continuum)
“It's a goal you won't understand until later. Your job is to make sure he doesn't achieve the goal.” (bsg)
tyme is offline  
Old March 28, 2009, 01:17 PM   #5
Mike Irwin
Staff
 
Join Date: April 13, 2000
Location: Northern Virginia
Posts: 35,891
Is there any way to create an automatic redirect from https: to http: and just forego the certificate issue entirely?

Have we heard from any members who have been impacted by this?
__________________
"The gift which I am sending you is called a dog, and is in fact the most precious and valuable possession of mankind" -Theodorus Gaza

Baby Jesus cries when the fat redneck doesn't have military-grade firepower.
Mike Irwin is offline  
Old March 28, 2009, 01:36 PM   #6
tyme
Staff
 
Join Date: October 13, 2001
Posts: 3,156
No, we cannot automagically redirect https to http to get around the problem. The https:// page headers (at least) have to be sent in order to redirect to http://, and no browsers are stupid enough to load and act on any page headers/contents before the user decides what to do about the questionable certificate. It would be a major security problem.

If the certificate is accepted there's no longer any reason to redirect, and if it's rejected then the page never loads at all so there can be no redirect.

And yeah, there have been a handful who were confused/worried by the warning, and at least one who complained knowing what was going on.

I think I'm going to start redirecting all external links to the http:// site as well. It won't fix the warning (see first paragraph of this post), but maybe it will keep people from propagating https:// links, and thus reduce the number of them getting indexed.
__________________
“The egg hatched...” “...the egg hatched... and a hundred baby spiders came out...” (blade runner)
“Who are you?” “A friend. I'm here to prevent you from making a mistake.” “You have no idea what I'm doing here, friend.” “In specific terms, no, but I swore an oath to protect the world...” (continuum)
“It's a goal you won't understand until later. Your job is to make sure he doesn't achieve the goal.” (bsg)
tyme is offline  
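Posts #1 and #6 together describe a server-side policy: serve crawlers a "deny everything" robots.txt on the https side, 301 every https crawler request to the http version of the same page, and redirect visitors arriving over https from external links as well, while still letting someone who deliberately typed https:// stay on SSL. The following is an added example of mine, not TFL's actual configuration; the hostname is a placeholder, the request and response types are a toy stand-in for a real web framework, and the crawler user-agent markers are a constructed list.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

CANONICAL_HOST = "forum.example.com"  # placeholder, not the real site's hostname
# Substrings that mark a crawler's User-Agent (constructed list; real bots vary).
CRAWLER_MARKERS = ("googlebot", "bingbot", "slurp", "spider", "crawler")

@dataclass
class Request:
    scheme: str            # "http" or "https", i.e. which listener received it
    path: str              # path plus query string, e.g. "/showthread.php?t=1"
    user_agent: str = ""
    referer: str = ""      # Referer header, empty when the URL was typed directly

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def is_crawler(user_agent):
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)

def is_external_referer(referer):
    """True when the visitor followed a link from some other site."""
    if not referer:
        return False
    host = urlsplit(referer).hostname or ""
    return host.lower() != CANONICAL_HOST

def route(req):
    """Decide how to answer one request under the policy from the thread.
    Nothing here fires before the TLS handshake has succeeded: a browser that
    rejects the self-signed cert never sends the request, so this cannot
    suppress the certificate warning (post #6). It only steers crawlers and
    external links toward http:// so fewer https:// URLs get indexed."""
    plain_url = f"http://{CANONICAL_HOST}{req.path}"
    if req.scheme == "https":
        if req.path == "/robots.txt":
            # Scheme-specific robots.txt: forbid crawling of the SSL mirror.
            # Caveat raised in post #1: if a crawler does not distinguish the
            # https robots.txt from the http one, this could de-index everything.
            return Response(200, {"Content-Type": "text/plain"},
                            "User-agent: *\nDisallow: /\n")
        if is_crawler(req.user_agent) or is_external_referer(req.referer):
            return Response(301, {"Location": plain_url})
        # A person who chose https:// themselves keeps the SSL session.
    elif req.path == "/robots.txt":
        # The http side stays fully crawlable.
        return Response(200, {"Content-Type": "text/plain"},
                        "User-agent: *\nDisallow:\n")
    return Response(200, {"Content-Type": "text/html"}, "<!-- normal page -->")

if __name__ == "__main__":
    bot = "Mozilla/5.0 (compatible; Googlebot/2.1)"
    person = "Mozilla/5.0 Firefox/3.0.7"
    print(route(Request("https", "/robots.txt", bot)).body)
    print(route(Request("https", "/showthread.php?t=1", bot)))
    print(route(Request("https", "/index.php", person)))
    print(route(Request("https", "/index.php", person, "http://other.example.org/links")))
```

The two robots.txt bodies differ only by the `/` after `Disallow:`; an empty `Disallow:` permits everything, which is the intended meaning on the http side. The referer check deliberately treats a missing or unparseable Referer as "not external", so a direct https:// visit is served rather than bounced.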
Old March 28, 2009, 02:09 PM   #7
Mike Irwin
Staff
 
Join Date: April 13, 2000
Location: Northern Virginia
Posts: 35,891
Well that's a bummer.

I just forced this by typing in https and the TFL site name. Got the warning splash screen and worked my way through adding a permanent exception.

I think I understand Mozilla's reasons for doing this, as hinted at in the one splash screen... "Legitimate banks," and e-commerce sites. They're worried about someone getting into a malicious financial spoof site and having their account numbers and passwords harvested and/or otherwise having their identity compromised.

We're not an e-commerce site so the risk of something like that happening is non-existent.

It would be nice if Firefox expanded their warnings for when something like this would and would not pose a serious risk.
__________________
"The gift which I am sending you is called a dog, and is in fact the most precious and valuable possession of mankind" -Theodorus Gaza

Baby Jesus cries when the fat redneck doesn't have military-grade firepower.
Mike Irwin is offline  
Old March 28, 2009, 09:20 PM   #8
JohnKSa
Staff
 
Join Date: February 12, 2001
Location: DFW Area
Posts: 18,283
I'm going to sticky this for awhile.
__________________
Did you know that there is a TEXAS State Rifle Association?
JohnKSa is offline  
This site and contents, including all posts, Copyright © 1998-2014 S.W.A.T. Magazine