Sciencemadness Discussion Board

certificate err.

mfilip62 - 30-6-2010 at 06:39

In the last few days, when I try to access the forum or any thread, there is this annoying message:

"There is a problem with this website's security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server."

Is this just me, or!?

pantone159 - 30-6-2010 at 06:55

I get similar messages to this, for a long time. It seems most common when I follow a link in one post to another thread. It does sound a bit alarming, but I don't think there is anything to be concerned about.

quicksilver - 30-6-2010 at 07:07

Certain antispyware and malware programs, browser plug-ins, etc. look for a "security certificate" (this can also range in its meaning in an anti-piracy context, but not in this case). Frequently you'll get a pop-up like that if a new spyware update database looks for "certified websites" in context. It's really not a big deal. It actually _often_ happens with privately held web sites, but there are many origins for it.

Nicodem - 30-6-2010 at 07:11

You get that message because you are trying to access the forum using the HTTPS protocol (URL starting with https://...). It is perfectly normal that the web browser asks you to confirm the validity of the forum certificate, and you should just confirm it (each browser has a different way to do this; for example, in IE you just click Yes when asked "Do you want to proceed?"). If you are accustomed to browsing the forum using only the HTTP protocol, then you probably never bothered installing the certificate, and this is why each time you click on a link using HTTPS you will get that message. If it annoys you, then just choose to install the certificate permanently and it will stop nagging you.

quicksilver - 30-6-2010 at 07:35

I forgot something else...
I don't stay too up on Bill Gates' new fun house, but I also believe there is a method within Windoz (or their wonder-browser) for discerning which sites are "certified" or some such. In any event, it's not something to worry about on this site particularly.

Mr. Wizard - 30-6-2010 at 11:18

Go to the home site at:
https://www.sciencemadness.org/
Then log in with the choice second from the top that says Forum (http). The third one down gives you the site security message. You may have to change your favorites or bookmarks if you have selected the secure (https) site as the log-on site. I had the same problem or question myself until I noticed what I had done.

woelen - 30-6-2010 at 11:24

Quote: Originally posted by Nicodem  
You get that message because you are trying to access the forum using the HTTPS protocol (URL starting with https://...). It is perfectly normal that the web browser asks you to confirm the validity of the forum certificate, and you should just confirm it (each browser has a different way to do this; for example, in IE you just click Yes when asked "Do you want to proceed?"). If you are accustomed to browsing the forum using only the HTTP protocol, then you probably never bothered installing the certificate, and this is why each time you click on a link using HTTPS you will get that message. If it annoys you, then just choose to install the certificate permanently and it will stop nagging you.
This is just a workaround. A true solution is to request a certificate from a certificate authority and have a certificate chain which ends at one of the well-known root certificates (e.g. Verisign). I understand that you don't have this, because obtaining a certificate from one of the well-known CAs is very expensive.
If you use https with sciencemadness, then you only have the benefit of encrypted communication between your browser and the webserver. You do not have the benefit of identity confirmation. A spoofing site with the name https://www.sciencemаdness.org could pretend to be the true https://www.sciencemadness.org site without you noticing this. The domain name sciencemаdness.org is not registered, but someone malicious could do that and make a login page which looks exactly like the true sciencemadness.org and obtain info from members.

[Edited on 30-6-10 by woelen]

psychokinetic - 30-6-2010 at 12:52

Firefox asks me if I trust ScienceMadness if I've deleted all my security exceptions. I'm sure most browsers will let you bypass it, as it's just a security measure to stop actually bad sites from raping your computer.

(By raping, I mean what woelen has just said about fake login screens. This is how bank and farcebook users get done over)

turd - 1-7-2010 at 03:26

Quote: Originally posted by woelen  
If you use https with sciencemadness, then you only have the benefit of encrypted communication between your browser and the webserver. You do not have the benefit of identity confirmation. A spoofing site with the name https://www.sciencemаdness.org could pretend to be the true https://www.sciencemadness.org site without you noticing this. The domain name sciencemаdness.org is not registered, but someone malicious could do that and make a login page which looks exactly like the true sciencemadness.org and obtain info from members.

Nice one. Unicode 0x0430, Cyrillic a (http://www.unicodemap.org/details/0x0430/index.html).
But how does this help? The imposter could simply buy a certificate for the sciencem-cyrillica-dness.org site. This looks more like a browser issue: the browser should show you clearly that the domain name is a mix of Latin and Cyrillic. Or do you suggest that the certificate authorities have higher standards than the domain registrars and would deny such a certificate?

I was under the impression that the point of signed certificates is to prevent man-in-the-middle attacks, not domain imposters. And I wonder how well it works. Certain governments probably have good ties to the certificate authorities, so I wonder if they can get the necessary private keys?

Eliteforum - 16-8-2010 at 09:34

I've had this problem, usually after my CMOS battery has died or is dying. It sometimes happens when the date/time is not correct. Simply setting the clock to the right date/time fixes it.

woelen - 16-8-2010 at 22:43

Quote: Originally posted by turd  
Quote: Originally posted by woelen  
If you use https with sciencemadness, then you only have the benefit of encrypted communication between your browser and the webserver. You do not have the benefit of identity confirmation. A spoofing site with the name https://www.sciencemаdness.org could pretend to be the true https://www.sciencemadness.org site without you noticing this. The domain name sciencemаdness.org is not registered, but someone malicious could do that and make a login page which looks exactly like the true sciencemadness.org and obtain info from members.

Nice one. Unicode 0x0430, Cyrillic a (http://www.unicodemap.org/details/0x0430/index.html).
But how does this help? The imposter could simply buy a certificate for the sciencem-cyrillica-dness.org site. This looks more like a browser issue: the browser should show you clearly that the domain name is a mix of Latin and Cyrillic. Or do you suggest that the certificate authorities have higher standards than the domain registrars and would deny such a certificate?

I was under the impression that the point of signed certificates is to prevent man-in-the-middle attacks, not domain imposters. And I wonder how well it works. Certain governments probably have good ties to the certificate authorities, so I wonder if they can get the necessary private keys?

The well-known authorities which can issue certificates that are part of a known chain (e.g. ending at roots like Verisign or a national agency) require some form of ID from the person who requests a certificate. Besides that, certificates like this have a high price. I'm quite sure that all known certificate authorities would reject a request for a certificate for this type of domain name. A self-signed certificate leads to a browser error, because it does not have a chain which ends at a well-known authority.

If an organisation wants even more security, then it can require the use of two-sided certificate checking. With sciencemadness.org, there is only checking of the identity of the server by the client, but things can be set up such that the server also checks the identity of the client. The client in that case needs to provide a certificate each time it connects to the server. The organisation then gives a certificate file to the client (usually by other means than the connection itself), and the ownership of this certificate is then checked by the server before allowing further communication.

@Eliteforum: What has your CMOS setup to do with certificates of sciencemadness.org? I see no relation between these subjects.

[Edited on 17-8-10 by woelen]
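The points argued across turd's and woelen's posts (the mixed-script domain, the chain ending at a trusted root, the hostname having to match what the certificate names) and Eliteforum's wrong-clock symptom are modelled in the added example below; it is not code from the thread or from the forum software. Certificates are represented as plain dicts, "Example Root CA" is a placeholder root name, and the dates are constructed sample values.

```python
import unicodedata
from datetime import datetime, timezone

# Constructed sample hostnames; the second uses U+0430 (Cyrillic a) as in the thread.
REAL_HOST = "www.sciencemadness.org"
HOMOGRAPH_HOST = "www.sciencem\u0430dness.org"

def scripts_in_label(label):
    """Unicode scripts used in one DNS label, read from each character's name prefix
    (e.g. 'LATIN SMALL LETTER A' -> 'LATIN'); digits and hyphens are script-neutral."""
    return {unicodedata.name(c, "UNKNOWN").split(" ")[0]
            for c in label if c not in "-0123456789"}

def mixed_script_labels(hostname):
    """Labels that mix scripts: the warning turd says a browser should show."""
    return [lab for lab in hostname.split(".") if len(scripts_in_label(lab)) > 1]

def to_ascii(hostname):
    """IDNA (punycode) form: what DNS resolves and what a CA would actually put in a cert."""
    return hostname.encode("idna").decode("ascii").lower()

def hostname_matches(san_names, hostname):
    """Server-identity check: the requested name must equal a SAN entry, compared in ASCII form,
    so a cert for the real domain never matches the homograph and vice versa."""
    return to_ascii(hostname) in {to_ascii(n) for n in san_names}

def chain_is_trusted(chain, trusted_roots):
    """Chain check: every cert must be issued by the next one, and the final issuer must be a
    trusted root. A self-signed leaf (issuer == subject, not a root) fails, as woelen describes."""
    for cert, issuer in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"]:
            return False
    return chain[-1]["issuer"] in trusted_roots

def validity_status(cert, now):
    """Validity window judged against the LOCAL clock: a dead CMOS battery that resets the
    date makes a perfectly good cert look 'not yet valid', which is Eliteforum's symptom."""
    if now < cert["not_before"]:
        return "not yet valid"
    if now > cert["not_after"]:
        return "expired"
    return "valid"

# Constructed sample: a self-signed certificate for the forum, valid during 2010.
TRUSTED_ROOTS = {"Example Root CA"}  # placeholder root name
SELF_SIGNED = [{"subject": REAL_HOST, "issuer": REAL_HOST, "san": [REAL_HOST],
                "not_before": datetime(2010, 1, 1, tzinfo=timezone.utc),
                "not_after": datetime(2011, 1, 1, tzinfo=timezone.utc)}]
```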