I have an SSL certificate that does not inhibit the loading of a client's site when viewed in Chrome, Safari, or Android Browser. Unfortunately, when viewed in Firefox, I encounter the following error message:
An error occurred during a connection to www.rzim.org.
Peer's Certificate has been revoked.
(Error code: sec_error_revoked_certificate)
My only "lead" online was concerning intermediate certificates. Any thoughts are greatly appreciated. Thanks!
When Firefox web browser checks a security certificate, it also checks with the issuing authority if the certificate is valid. It appears that, near a certificate’s expiration date, the issuing authority may release a new certificate. The two certificates have conflicting expiration dates.
For reasons unknown, this caused Firefox to report a sec_error_revoked_certificate error and refuse to allow you to connect to the site!
You can go through the following steps, but it will reduce the security.
Firefox main menu -> edit ->Preferences
click on Advanced Tab
select certificates
click on validation
Uncheck the option "Use the Online Certificate status
protocol(OCSP).........."
Click OK button
Now you can see the page with out error.
The instructions provided in the answer by Arjun KP don't work for more recent versions of Firefox (tested on v. 57.0.1). Instead, here's what I did:
Enter about:config in the address bar, accepting the risk if prompted.
Enter security.OCSP.enabled in the search bar.
Change the value of that setting from 1 to 0.
Reload the page that failed.
After doing this, my site started working.
However, as Arjun mentioned, this will reduce the security of Firefox, since it disables the Online Certificate Status Protocol. Ideally, you should reset the setting to 1 after you finish with that site, and not load other pages while it is set to 0.
An update to ARJUN KP's answer, which works with Firefox Quantum, v68:
Open Firefox options
Privacy & Security
At the bottom, under Certificates, uncheck: "Query OCSP responder servers to confirm the current validity of certificate
If you have this problem you can check if the cause is a negative OSCP server response. In my case the website has a new valid certificate but the OSCP server is not updated and Firefox refuses to show the page. The OSCP server still says that certificate is revoked.
Here you can check any URL:
https://certificatetools.com/ocsp-checker
Haven't yet been able to find the elusive "Advanced" button though I've been to numerous forums and it is referred to often. The solution here didn't work because the "Use the online certificate protocol" doesn't exist under Preferences>Security>Certificates. QUERY OCSP responder exists and I unchecked that.
Related
I know that this question was asked many times but I couldn`t make it work with answers I found on web.
My goal is to make https://my.cloudapp.net to work. So solution for this, is to buy domain and certificate and make this domain point/redirect to my https://my.cloudapp.net. I bought lets say www.example.pl. Downloaded certificate from https://example.pl. Assigned certificate to https://my.cloudapp.net using IIS.
When I visit https://example.pl certificate itself is fine but firefox shows me error:
my.cloudapp.net uses an invalid security certificate. The certificate is only valid for the following names: example.pl, www.example.pl Error code: SSL_ERROR_BAD_CERT_DOMAIN
What I`m doing wrong?
Edit Solution:
I called microsoft support and resolved the issue. The issue was on my domain provider side. My domain example.pl had forwarding wildcard *.example.pl to go to example.pl. Thats why when I made another forwarding from app.example.pl to my cloudapp it went straight to example.pl. Removed the wildcard and it started to working fine.
I attempt to visit the website https://example.pl, it works fine with IE edge or chrome explorer. Also i do a test over at the Qualys SSL Labs to check your certificate. It shows me Incorrect certificate because this client doesn't support SNI and indicate thatThis site works only in browsers with SNI support. It is the browser issue. So you could try another explorer.
You can from here to get more details.
I saw this :
Some site info appears. I use https and i only see "secure" on this place. How do they do this?
Certificates with extended verification.
These are the most expensive certificates and get them the hardest. In such certificates there is a so-called "green bar" - that is, at the entrance is not a site where such a certificate is installed in the address bar of the visitor's browser, a green line appears in which the name of the organization that received the certificate will be indicated.
Unfortunately, I seems that is a feature of specific browsers. It would seem that you have no control over the content.
I've seen this question around here on the forums only what I wish to know slightly differs from the ones I already read I suppose.
I will give you an example of the problem I am facing:
Let's say a hacker has managed to infiltrate the system and is able to spoof a DNS. Now if this hacker would clone a website, let's say this website is facebook, what I have read so far he would be making a HTTP website, because HTTPS would show up as faulty.
Now what I'm wondering is that with modern SSL it would seem like everyone is able to get his own certificate for his website. So if someone would connect to that website it would say the connection is trusted because it's SSL with a legit connection.
So what if this hacker would add a certificate to his cloned/spoofed phishing website? Wouldn't this mean that me as a user would go to his facebook page, and in the search bar it would say the connection is legitimate ( Because he added a certificate ) ? Because if that would be the point it would be necessary to check the certificate of every website I open at all times to see if it's actually the certificate that belongs to facebook (For example.)
Please let me know if anyone has any knowledge about this I am very curious to see how this works!
Provided that
Let's say a hacker has managed to infiltrate the system and is able to
spoof a DNS.
means that the attacker has control over the records for the name facebook.com (in orther words, he can point www.facebook.com to an IP of his choice) then yes, your scenario is correct.
He would
redirect www.facebook.com to site of his
buy a certificate for www.facebook.com
Someone going to that site would then see (www.facebook.com would be the domain)
This means that the traffic to access to this site is correctly secured between the browser and that site, and nothing else. Specifically, this does not tell if the site actually belongs to Facebook.
There are some sites which go one step further, with Extended Validation Certificates, where the issuer does some checks to "ensure" that the certificate is delivered to the actual owner of the service. You the see something like
As you can see, the owner of the site is visible right on the toolbar. Other browsers usually use a bright green toolbar to signal such sites.
Not sure if that is what you're asking, but you have trusted CAs imported to your browser (by default).
The attacker would need to have a key signed by trusted authority for this particular domain. I do not expect that to happen.
Another option would be breaking the key - very unlikely with current technology/regular updates made by major browser providers.
Major browsers providers are deprecating vunerable alghorighms to make sure you're OK.
For instance - Recently for that reason SHA1 got depreceated.
See here for more details on SHA1:
https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation/#pjXdGbOji3itBI7v.97
https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html
https://www.google.com.au/search?q=firefox+sha1+deprecation&rlz=1C5CHFA_enAU714AU715&oq=firefox+sha1&aqs=chrome.1.69i57j0l5.2293j0j4&sourceid=chrome&ie=UTF-8
)
To summarize - your browser will let you know that there is 'something wrong' with the site (warning instead of green box).
Simply check the green box (and domain). Keep your browser updated.
Also for more information about SSL handshake see here: https://www.ssl.com/article/ssl-tls-handshake-overview/
I recently got a hosting provider from US to host one of my websites. Everything is good besides the fact that when I first tested my website from my phone and tablet I got some strange warnings.
//Website format:
http://www.mywebsite.com
On the phone I got this alert:
Service www.mywebsite.com sent a certificate with a different name than the one you asked for. Accept like this?
And the detail descriptions:
WebSite:
www.mywebsite.com
Issuer:
AlphaSSL CA - SHA256 - G2
GlobalSign nv-sa, BE
Subject:
*.fcomet.com, Domain Control
Validated, fcomet.com
Key utilisation:
undefined
Valability from 08.09.2015 to 08.09.2016
Certificate format:
X.509
Algoritm:
SHA2RSA
Serial number:
//some long code here
Digital sign SHA1
//some long code here
Digital sign MD5
//some long code here
On the tablet I did not get all the message but it was something with a certificate also and some aditional text which I noted:
google-analytics.com
Google Inc
Serial number:
//some serial number here
Sent by:
Google Internet Authority G2
Google Inc
Valid from 13.07.2016 to 05.10.2016
What bothers me is that I can not reproduce this "bug" again. On my phone I pressed accept only this time but even if I enter the website again I don't get that message anymore (in order to send a screenshot to the hosting provider because he sais that I should not get this error at all). I even cleaned the cache from my mobile devices and also from my website because I use a Wordpress and I cleaned the cache from Nginx Cache, WP Super Cache and Autoptimize.
What I suspect is that the hosting provider try to make some redirects to https or something like that, I can't explain.
If I try to enter on my website using https I get this message:
Your connection is not secure
The owner of www.mywebsite.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
If I press Advanced button I get some detalis:
www.mywebsite.com usses an incorect security certificate
The certificate is valid only for this names:
*.fcomet.com, fcomet.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN
If I add and confirm the exception I will be redirected successful to https://www.mywebsite.com, a blank page with this text Index of /. This seem strange because on any other website I enter and try to change the http protocol to https I won't be alowed to access the website with https protocol.
I also tried to test my website here and here but it does not work, I get a white page. If I test with any other website, I get the website content. Mabey this will help you to understand what is the problem.
Does somebody have any ideea what is the problem here and how can I solve this? Thanks
A website my company develops has a security certificate error in IE(8)
It can be found here: www.fonq.nl
Anyone having similar problems and a solution?
Google Certificate issue
Certificate error message at the bottom of the screen:
"Internet Explorer blocked this website from displaying content with security certificate errors"
The error message appears when accessing Google (Gmail, Google Calendar, Google browser)
The error message only appears in Internet Explorer 10 --- not with Firefox, Safari, Netscape
Note: "www.google.com" appears at the bottom of the "Untrusted Publishers" list (Tools-Internet Options-Content-Certificates-Untrusted Publishers) and cannot be edited or removed. The intended purpose of this certificate is for server and client authentication.
Measures I have already taken to eliminate the message, but without success:
1. Re-set the date and time (5 times)
2. Ran a full system scan w/ Microsoft Security Essentials (twice)
3. Ran a full system scan with Ace Utilities [including registry clean] (3 times)
4. Removed and reinstalled Internet Explorer (twice)
5. Disabled all add-ons and extensions
6. Placed Google URLs in the list of "trusted sites" (Tools-Internet Options-Security-Trusted Sites)
7. Unchecked (Tools-Internet Options-Advanced-Security) "Check for Publishers' Certificate Revocation"
8. Unchecked (Tools-Internet Options-Advanced-Security) "Check for Server Certificate Revocation"
9. Unchecked (Tools-Internet Options-Advanced-Security) "Check for Signatures on Downloaded Programs"
What finally worked: Unchecked (Tools-Internet Options-Advanced-Security) "Warn about certificate address mismatch*"