Site problems.


25 replies to this topic

#11 Anonymiss

Posted 02 July 2018 - 01:00 PM

True, so how do we cure the problem then, Missy :huh:

 
Currently, there's not a lot I can do.

But I already told you how to check that it's TGC and not a MITM... ;)
 

If you want to verify that it's really us and not an imposter then you can check that the certificate fingerprint is either A7:90:2E:08:83:E6:5F:E3:D5:BF:D0:08:09:A3:5E:B2:CB:09:E1:E8:C8:00:B2:58:53:DE:A2:A8:09:2E:18:6B (SHA256) or D4:25:08:2F:C2:A9:BF:E9:79:57:DA:12:77:B9:97:7E:CB:68:05:87 (SHA1)

 

So is it a site or browser problem? Surely TOR being all about security shouldn't mess up with SSL certificates

 
It doesn't mess with them - It simply doesn't recognise/include the CA that signs our certificate.

Why? I don't know - That would be something to take up with the Tor Browser developers.

We use Let's Encrypt to generate our free certs, and they're signed by Let's Encrypt Authority X3 and ultimately by DST Root CA X3.

Importing these into the browser (Tools -> Options -> Advanced -> Certificates -> View Certificates -> Import) may provide a longer-term solution, as might 'permanently allowing' the exception (or whatever the exact wording is) when presented with the Warning dialog on connection.

The root CA and intermediate certs are attached below if you want to try it (they'll need unzipping first) :)

Attached Files


  • W.S and Horse Badorties like this
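
Added example, not part of the original thread or any poster's code: the fingerprint check described in post #11, done in Python against the two values published there. The function names, the `fetch_der` helper and the stand-in sample bytes are assumptions made for this illustration.

```python
import hashlib
import hmac
import ssl

# Fingerprints published in post #11 (SHA256 and SHA1 of the same certificate).
PUBLISHED = [
    "A7:90:2E:08:83:E6:5F:E3:D5:BF:D0:08:09:A3:5E:B2:CB:09:E1:E8:C8:00:B2:58:53:DE:A2:A8:09:2E:18:6B",
    "D4:25:08:2F:C2:A9:BF:E9:79:57:DA:12:77:B9:97:7E:CB:68:05:87",
]
ALGO_BY_LENGTH = {32: "sha256", 20: "sha1"}  # digest size in bytes -> hash name


def normalize(fp: str) -> bytes:
    """Turn 'A7:90:..', 'a7 90 ..' or 'a790..' into raw digest bytes."""
    return bytes.fromhex(fp.replace(":", "").replace(" ", ""))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of a DER-encoded certificate."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_published(der: bytes, published=PUBLISHED) -> bool:
    """True if the certificate matches any of the published fingerprints."""
    for fp in published:
        want = normalize(fp)
        algo = ALGO_BY_LENGTH.get(len(want))
        if algo is None:
            continue  # truncated or mistyped fingerprint: never counts as a match
        got = hashlib.new(algo, der).digest()
        if hmac.compare_digest(got, want):
            return True
    return False


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate without validating the chain,
    i.e. the same certificate the browser shows behind its warning."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate: must not match.
    sample = b"constructed stand-in for a DER certificate"
    print(fingerprint(sample), matches_published(sample))
```

The comparison is only as trustworthy as the channel the published fingerprint arrived over; a value read from the same unverified connection proves nothing. Where both are available, compare the SHA256 value rather than the SHA1 one.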

#12 MDS

Posted 02 July 2018 - 01:28 PM

You lost me.... I don't speak computer lingo :)

 

So why can't the site use some kind of certificate that TOR recognizes & that all these other browsers do too?

 

It seems to me you're telling me there's other types of SSL encryption, because when I bought from both Seedsman & Zamnesia recently, I was using TOR & their sites didn't need a security exception ;)

 

Why can't this site use the same type as they seem to be using? :)

 

That would solve all the problems, surely :D


  • W.S and Horse Badorties like this

#13 MDS

Posted 02 July 2018 - 01:42 PM

Well I downloaded that zip file & extracted the contents, two files...

 

Did what you suggested, one of the things was already on TOR, the other I imported & it asked me if I wanted to "trust" some XC3 something or other, I said yes...

 

Logged out, shut down TOR, started the browser & hey presto.... Nothing has changed... Still need to add a security exception :rolleyes:


  • W.S and Horse Badorties like this

#14 Anonymiss

Posted 02 July 2018 - 01:45 PM

So why can't the site use some kind of certificate that TOR recognizes & that all these other browsers do too?

 
It does, albeit with one possible exception - We only use SHA2 certificates which aren't compatible with some older platforms.

In the majority of cases though, what the browser doesn't recognise is the authority that signed the certificate (see the screenshot above - ERR_CERT_AUTHORITY_INVALID)
 

It seems to me you're telling me there's other types of SSL encryption, because when I bought from both Seedsman & Zamnesia recently, I was using TOR & their sites didn't need a security exception ;)

 
There is indeed more than one type of SSL encryption, but that's negotiated separately after the verification step.

This issue is one of verification, not encryption.
 

Why can't this site use the same type as they seem to be using? :)

 
It does.

And we do use a recognised authority which is included with most modern browsers (witness that the majority of people have no problems at all).

You'd have to ask the developers of the Tor Browser why they don't include that authority.

It's my impression, though, that many people use old versions of the Tor Browser, which may explain a lot.

Our certificates are known to be compatible with most implementations of...

Mozilla Firefox >= v2.0
Google Chrome
Internet Explorer on Windows XP SP3 and higher
Microsoft Edge
Android OS >= v2.3.6
Safari >= v4.0 on macOS
Safari on iOS >= v3.1
Debian Linux >= v6
Ubuntu Linux >= v12.04
NSS Library >= v3.11.9
Amazon FireOS (Silk Browser)
Cyanogen > v10
Jolla Sailfish OS > v1.1.2.16
Kindle > v3.4.1
Java 7 >= 7u111
Java 8 >= 8u101
Blackberry >= 10.3.3
PS4 game console with firmware >= 5.00

But they definitely won't work with...

Blackberry < v10.3.3
Android < v2.3.6
Nintendo 3DS
Windows XP prior to SP3 cannot handle SHA-2 signed certificates
Java 7 < 7u111
Java 8 < 8u101
Windows Live Mail (2012 mail client, not webmail) cannot handle certificates without a CRL
PS3 game console
PS4 game console with firmware < 5.00
  • Budgie, W.S, MDS and 1 other like this

#15 Anonymiss

Posted 02 July 2018 - 01:47 PM

Logged out, shut down TOR, started the browser & hey presto.... Nothing has changed... Still need to add a security exception :rolleyes:

 
Yeah, it's likely that the Tor Browser deletes everything on shutdown - It may not even save them to disk in the first place :ph34r:
  • W.S, MDS and Horse Badorties like this

#16 MDS

Posted 02 July 2018 - 01:55 PM

Hmmmm, thought it might be because I was using SP2 on Win XP, but I just checked & it's definitely SP3

 

Anyway here is what TOR showed me when I looked up the server certificate...

 

Attached File  TGC cert.jpg   25.47KB   0 downloads


  • W.S and Solo Quin like this

#17 Anonymiss

Posted 02 July 2018 - 02:00 PM

Yep, you've got the cert (but probably because you allowed it).

You could check the Authorities tab to see if the CAs ("Digital Signature Trust Co." -> "Let's Encrypt Authority X3" and "DST Root CA X3") are there.
  • W.S, Solo Quin and MDS like this

#18 MDS

Posted 02 July 2018 - 02:22 PM

Attached File  DST.jpg   42KB   0 downloads

 

It would appear so...

 

But maybe not the first one...

 

 


  • W.S and Solo Quin like this

#19 Anonymiss

Posted 02 July 2018 - 02:36 PM

Importing the Let's Encrypt certificate into the Authorities list may work, but I suspect that it will be deleted on shutdown.

What happens if you 'permanently allow' the TGC certificate when making the initial exception? If that still disappears between sessions then it's likely that the Authority will too.
  • W.S and Solo Quin like this

#20 MDS

Posted 02 July 2018 - 02:57 PM

Importing the Let's Encrypt certificate into the Authorities list may work, but I suspect that it will be deleted on shutdown.

What happens if you 'permanently allow' the TGC certificate when making the initial exception? If that still disappears between sessions then it's likely that the Authority will too.

 

It won't allow me to make a permanent exception, the box isn't highlighted to tick...

 

Attached File  TGC E.jpg   46.77KB   0 downloads

 

As I say I tried importing those certificates to TOR browser earlier, it accepted one, but said the other was already there... When it accepted the one it didn't have it asked me if I wanted to trust that thing for this site, I clicked "yes"...
 


  • W.S likes this

