Certificate conflict on http - linux

I recently got a hosting provider from the US to host one of my websites. Everything is good besides the fact that when I first tested my website from my phone and tablet I got some strange warnings.
//Website format:
http://www.mywebsite.com
On the phone I got this alert:
Service www.mywebsite.com sent a certificate with a different name than the one you asked for. Accept like this?
And the detail descriptions:
WebSite:
www.mywebsite.com
Issuer:
AlphaSSL CA - SHA256 - G2
GlobalSign nv-sa, BE
Subject:
*.fcomet.com, Domain Control
Validated, fcomet.com
Key utilisation:
undefined
Validity from 08.09.2015 to 08.09.2016
Certificate format:
X.509
Algorithm:
SHA2RSA
Serial number:
//some long code here
Digital sign SHA1
//some long code here
Digital sign MD5
//some long code here
On the tablet I did not get all of the message, but it was something with a certificate also, and some additional text which I noted:
google-analytics.com
Google Inc
Serial number:
//some serial number here
Sent by:
Google Internet Authority G2
Google Inc
Valid from 13.07.2016 to 05.10.2016
What bothers me is that I can not reproduce this "bug" again. On my phone I pressed accept only this time, but even if I enter the website again I don't get that message anymore (in order to send a screenshot to the hosting provider, because he says that I should not get this error at all). I even cleaned the cache from my mobile devices and also from my website, because I use WordPress and I cleaned the cache from Nginx Cache, WP Super Cache and Autoptimize.
What I suspect is that the hosting provider tries to make some redirects to https or something like that; I can't explain it.
If I try to enter on my website using https I get this message:
Your connection is not secure
The owner of www.mywebsite.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
If I press the Advanced button I get some details:
www.mywebsite.com uses an incorrect security certificate
The certificate is valid only for these names:
*.fcomet.com, fcomet.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN
If I add and confirm the exception I am redirected successfully to https://www.mywebsite.com, a blank page with the text Index of /. This seems strange, because on any other website I enter and try to change the http protocol to https I won't be allowed to access the website with the https protocol.
I also tried to test my website here and here but it does not work, I get a white page. If I test with any other website, I get the website content. Maybe this will help you to understand what the problem is.
Does somebody have any idea what the problem is here and how I can solve this? Thanks

Related

How do I add a legitimate common name to an openssl certificate

I'm running a Node.js server for my college final year project. It's running on my local machine and I'm accessing it via the machine's private IP address. The application needs to record a short snippet of audio and send it back to the server, which will then send back a result based on the content of the audio file. Because the browser needs access to the microphone, it has to be HTTPS, even though I am not dealing with any sensitive information or even opening it to the internet. I just need to show it working at a demonstration, which I can do on a local network.
After hours of trial and error I managed to modify my current application to use HTTPS using a self-signed certificate as described here. I can now access the web page over HTTPS (albeit with a huge red "This page is not actually secure" warning that I have to accept first) and Chrome will grant me access to the microphone. However, when I click the button that sends a POST request with the audio, Chrome gives me either
POST https://192.168.178.30:8443/notes net::ERR_CERT_AUTHORITY_INVALID
or
POST https://192.168.178.30:8443/notes net::ERR_CERT_COMMON_NAME_INVALID
I have installed the cert as a trusted root certificate as outlined here.
I set the common name on the cert as the IP address (192.168.178.30) but Chrome still won't accept it, and I don't have a domain name (it's running locally).
So my question is: how do I either make a trustworthy OpenSSL certificate, or force Chrome to ignore such errors? I have a day to get this working along with other aspects of the application, so I need a quick fix. This is for the purpose of a demonstration; it is not going live to the internet.

SSL certificate for azure cloudapp.net

I know that this question was asked many times, but I couldn't make it work with the answers I found on the web.
My goal is to make https://my.cloudapp.net work. So the solution for this is to buy a domain and certificate and make this domain point/redirect to my https://my.cloudapp.net. I bought, let's say, www.example.pl. Downloaded the certificate from https://example.pl. Assigned the certificate to https://my.cloudapp.net using IIS.
When I visit https://example.pl the certificate itself is fine, but Firefox shows me this error:
my.cloudapp.net uses an invalid security certificate. The certificate is only valid for the following names: example.pl, www.example.pl Error code: SSL_ERROR_BAD_CERT_DOMAIN
What am I doing wrong?
Edit Solution:
I called Microsoft support and resolved the issue. The issue was on my domain provider's side. My domain example.pl had a forwarding wildcard *.example.pl to go to example.pl. That's why, when I made another forwarding from app.example.pl to my cloudapp, it went straight to example.pl. Removed the wildcard and it started working fine.
I attempted to visit the website https://example.pl; it works fine with IE, Edge or Chrome. I also ran a test at Qualys SSL Labs to check your certificate. It shows me "Incorrect certificate because this client doesn't support SNI" and indicates that "This site works only in browsers with SNI support." It is a browser issue. So you could try another browser.
You can get more details from here.
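The three failures in the questions above (the *.fcomet.com certificate served for www.mywebsite.com, the example.pl certificate served for my.cloudapp.net, and the IP-address common name Chrome rejects) all fall out of the same host-name check a browser runs against the names in the certificate. The following is an added example, not code from any of the posts: a small matcher implementing those rules (exact match, a wildcard only as the whole leftmost label matching exactly one label, IP addresses accepted only from iPAddress SAN entries, the CN consulted only when there is no SAN at all), run over the names quoted in the questions. The SAN lists and CN values are reconstructed from the error messages, not taken from the real certificates.

```python
import ipaddress
from typing import Iterable, Optional, Tuple


def _dns_id_matches(pattern: str, name: str) -> bool:
    """RFC 6125-style comparison of one certificate DNS name against the requested
    host: case-insensitive, and '*' is accepted only as the entire leftmost label,
    where it matches exactly one label (so *.fcomet.com covers www.fcomet.com but
    neither fcomet.com nor a.b.fcomet.com)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def hostname_matches(requested: str, san_dns: Iterable[str] = (),
                     san_ip: Iterable[str] = (), cn: Optional[str] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for the name the browser asked for against the names the
    certificate carries. If a subjectAltName extension is present the CN is ignored;
    Firefox falls back to the CN only when there is no SAN at all (Chrome never does);
    an IP address is only ever accepted from an iPAddress SAN entry."""
    try:
        wanted_ip = ipaddress.ip_address(requested)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        if any(ipaddress.ip_address(s) == wanted_ip for s in san_ip):
            return True, f"{requested} is listed as an iPAddress SAN"
        return False, f"{requested} is not an iPAddress SAN (a CN is never used for IPs)"
    san_dns, san_ip = list(san_dns), list(san_ip)
    candidates = san_dns if (san_dns or san_ip) else ([cn] if cn else [])
    for dns_id in candidates:
        if _dns_id_matches(dns_id, requested):
            return True, f"{requested} matches {dns_id}"
    return False, f"{requested} matches none of {candidates} (SSL_ERROR_BAD_CERT_DOMAIN)"


if __name__ == "__main__":
    # Constructed from the names quoted in the three questions above.
    cases = [
        ("www.mywebsite.com", dict(san_dns=["*.fcomet.com", "fcomet.com"])),
        ("my.cloudapp.net", dict(san_dns=["example.pl", "www.example.pl"])),
        ("192.168.178.30", dict(cn="192.168.178.30")),
        ("192.168.178.30", dict(san_ip=["192.168.178.30"])),
    ]
    for host, names in cases:
        print(host, hostname_matches(host, **names))
```

The first three cases come back as mismatches for exactly the reasons the browsers reported; the last one is what fixes the local-IP demo, since Chrome needs the address in a SAN rather than in the CN.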

Is it possible for a hacker to make a website clone with HTTPS?

I've seen this question around here on the forums only what I wish to know slightly differs from the ones I already read I suppose.
I will give you an example of the problem I am facing:
Let's say a hacker has managed to infiltrate the system and is able to spoof a DNS. Now if this hacker would clone a website, let's say this website is facebook, what I have read so far he would be making a HTTP website, because HTTPS would show up as faulty.
Now what I'm wondering is that with modern SSL it would seem like everyone is able to get his own certificate for his website. So if someone would connect to that website it would say the connection is trusted because it's SSL with a legit connection.
So what if this hacker would add a certificate to his cloned/spoofed phishing website? Wouldn't this mean that me as a user would go to his facebook page, and in the search bar it would say the connection is legitimate ( Because he added a certificate ) ? Because if that would be the point it would be necessary to check the certificate of every website I open at all times to see if it's actually the certificate that belongs to facebook (For example.)
Please let me know if anyone has any knowledge about this I am very curious to see how this works!
Provided that
Let's say a hacker has managed to infiltrate the system and is able to
spoof a DNS.
means that the attacker has control over the records for the name facebook.com (in other words, he can point www.facebook.com to an IP of his choice), then yes, your scenario is correct.
He would
redirect www.facebook.com to site of his
buy a certificate for www.facebook.com
Someone going to that site would then see (www.facebook.com would be the domain)
This means that the traffic to access to this site is correctly secured between the browser and that site, and nothing else. Specifically, this does not tell if the site actually belongs to Facebook.
There are some sites which go one step further, with Extended Validation Certificates, where the issuer does some checks to "ensure" that the certificate is delivered to the actual owner of the service. You then see something like
As you can see, the owner of the site is visible right on the toolbar. Other browsers usually use a bright green toolbar to signal such sites.
Not sure if that is what you're asking, but you have trusted CAs imported to your browser (by default).
The attacker would need to have a key signed by trusted authority for this particular domain. I do not expect that to happen.
Another option would be breaking the key - very unlikely with current technology/regular updates made by major browser providers.
Major browser providers are deprecating vulnerable algorithms to make sure you're OK.
For instance, recently for that reason SHA1 got deprecated.
See here for more details on SHA1:
https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation/#pjXdGbOji3itBI7v.97
https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html
https://www.google.com.au/search?q=firefox+sha1+deprecation&rlz=1C5CHFA_enAU714AU715&oq=firefox+sha1&aqs=chrome.1.69i57j0l5.2293j0j4&sourceid=chrome&ie=UTF-8
To summarize - your browser will let you know that there is 'something wrong' with the site (warning instead of green box).
Simply check the green box (and domain). Keep your browser updated.
Also for more information about SSL handshake see here: https://www.ssl.com/article/ssl-tls-handshake-overview/

Can fiddler access local machine data?

One of our customers has reported that they can see the password being transferred as clear text; they probably tried a tool like Fiddler to capture the HTTP request/response. So my question is: is it possible, using Fiddler or any other tool, for someone to monitor the HTTP traffic on that local computer at the moment the user entered the password and clicked to log in?
If the user is accessing the website without using SSL (i.e. by going to "http://" instead of "https://"), then it is possible to see all of the traffic between the website and the browser, and not only on the local computer but also on the network that the computer is connected to.
If the user is accessing the website via HTTPS, Fiddler is able to act as a proxy and decrypt the traffic between the browser and the server by using a special SSL certificate (thanks to #user18044 for clarification in the comments below).
In your case Fiddler is NOT accessing browser memory directly to get to the password in clear text.

Error `sec_error_revoked_certificate` when viewed in Firefox only

I have an SSL certificate that does not inhibit the loading of a client's site when viewed in Chrome, Safari, or Android Browser. Unfortunately, when viewed in Firefox, I encounter the following error message:
An error occurred during a connection to www.rzim.org.
Peer's Certificate has been revoked.
(Error code: sec_error_revoked_certificate)
My only "lead" online was concerning intermediate certificates. Any thoughts are greatly appreciated. Thanks!
When the Firefox web browser checks a security certificate, it also checks with the issuing authority if the certificate is valid. It appears that, near a certificate's expiration date, the issuing authority may release a new certificate. The two certificates have conflicting expiration dates.
For reasons unknown, this caused Firefox to report a sec_error_revoked_certificate error and refuse to allow you to connect to the site!
You can go through the following steps, but it will reduce the security.
Firefox main menu -> edit ->Preferences
click on Advanced Tab
select certificates
click on validation
Uncheck the option "Use the Online Certificate Status Protocol (OCSP)..."
Click the OK button
Now you can see the page without error.
The instructions provided in the answer by Arjun KP don't work for more recent versions of Firefox (tested on v. 57.0.1). Instead, here's what I did:
Enter about:config in the address bar, accepting the risk if prompted.
Enter security.OCSP.enabled in the search bar.
Change the value of that setting from 1 to 0.
Reload the page that failed.
After doing this, my site started working.
However, as Arjun mentioned, this will reduce the security of Firefox, since it disables the Online Certificate Status Protocol. Ideally, you should reset the setting to 1 after you finish with that site, and not load other pages while it is set to 0.
An update to ARJUN KP's answer, which works with Firefox Quantum, v68:
Open Firefox options
Privacy & Security
At the bottom, under Certificates, uncheck: "Query OCSP responder servers to confirm the current validity of certificates"
If you have this problem you can check if the cause is a negative OCSP server response. In my case the website has a new valid certificate but the OCSP server is not updated and Firefox refuses to show the page. The OCSP server still says that the certificate is revoked.
Here you can check any URL:
https://certificatetools.com/ocsp-checker
Haven't yet been able to find the elusive "Advanced" button though I've been to numerous forums and it is referred to often. The solution here didn't work because the "Use the online certificate protocol" doesn't exist under Preferences>Security>Certificates. QUERY OCSP responder exists and I unchecked that.
