Free Republic
Browse · Search
News/Activism
Topics · Post Article


*VANITY* I was hacked and I'm no longer secure on FR *VANITY*
self ^ | March 3, 2017 | knarf

Posted on 03/03/2017 2:32:11 AM PST by knarf



To: knarf

A similar (same) issue was brought up yesterday on a Freepathon thread, and Jim had a reply:

http://freerepublic.com/focus/f-news/3530673/posts?page=7#7


21 posted on 03/03/2017 5:08:02 AM PST by Carthego delenda est
[ Post Reply | Private Reply | To 1 | View Replies]

To: knarf

The warning that Chrome has is with the certificate type the FR is using. Certificates are used for many different reasons in computing, but in this case, the certificate provides “proof” of the identity of the system, as well as encryption of the data (2 different but related functions.)

FR is still using a SHA-1 certificate, while the “current,” certificate type is SHA-2. It has to do with the length of the key, as well as the encryption algorithms used. In simplest terms, these define the “strength” of security, or theoretically how difficult it is to “break” the security.

Normally, it is just theoretical, however just over a week ago, the first “SHA-1 Collision” was demonstrated - Certificates can be used to prove that a document has not been tampered with, using a check-sum. But just recently, two different files were demonstrated to have the same checksum using SHA-1 certificates.

Using a SHA-1 secured web site does NOT necessarily put your financial data in jeopardy, but it does go against “best practices.” Microsoft has repeatedly pushed back the dates over the years that they would no longer support SHA-1 certificates. Google (with Chrome) no longer supports it, and throws the warning.

Some systems are a breeze to upgrade, others require a complete re-write of the system, and I’m guessing that since FR isn’t using SHA-2, that they’re in the latter camp. I’m sure that JimRob and his crew are working hard to upgrade the system.

Again, this warning DOES NOT MEAN your information is necessarily vulnerable! It just means that it’s not currently at “best practices” level.

Here’s a description of the topic, if you’re interested.

https://www.lifewire.com/what-is-sha-1-2626011

Mark


22 posted on 03/03/2017 5:11:43 AM PST by MarkL (Do I really look like a guy with a plan?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Gaffer

I’m getting the same error with the Silk browser (Amazon Kindle.)


23 posted on 03/03/2017 5:15:21 AM PST by mollynme (cogito, ergo freepum)
[ Post Reply | Private Reply | To 20 | View Replies]

To: mountn man

What a pleasant wake-me-up.


24 posted on 03/03/2017 5:36:08 AM PST by redfreedom
[ Post Reply | Private Reply | To 18 | View Replies]

To: Spktyr; Jim Robinson
OK .. I just overrode the warning, hit advanced, and input my data

After it was all done, I hit continue and the page just sat there.

I hit continue a half a dozen times playing the double tap game and it just sat there ... I returned here via history.

JR ... did I come through or am I in never never land ?

25 posted on 03/03/2017 5:40:58 AM PST by knarf
[ Post Reply | Private Reply | To 12 | View Replies]

To: knarf

I’ve gotten blocked from FR by Firefox on different computers saying the site is unsafe and to hit the “Get Me Out Of Here” button.


26 posted on 03/03/2017 5:50:48 AM PST by SkyDancer (Ambition Without Talent Is Sad, Talent Without Ambition Is Worse)
[ Post Reply | Private Reply | To 1 | View Replies]

To: knarf

PS: Someone once told me it had to do with certificates or something on FF tools menu somewhere.


27 posted on 03/03/2017 5:51:50 AM PST by SkyDancer (Ambition Without Talent Is Sad, Talent Without Ambition Is Worse)
[ Post Reply | Private Reply | To 1 | View Replies]

To: knarf

JR ... did I come through or am I in never never land ?

****************

You may have come through a half a dozen times.
You may be paid up for the next six months.


28 posted on 03/03/2017 6:00:46 AM PST by deport
[ Post Reply | Private Reply | To 25 | View Replies]

To: knarf

Notice that the URL for FR Donate is: https://secure.freerepublic.com/donate/

Note that is HTTPS://

The S indicates that the link is secure — established between your browser and the recipient webpage.

Depending on your browser, in the address bar you should see some kind of indicator that the website is secure. Mine [Comodo IceDragon — a Firefox/Mozilla based browser] shows a green padlock. Some show the entire address in different color. Some show a locked padlock in the information bar.

Opera showed a certificate problem.

==

You might consider installing the add-on HTTPS ://EVERYWHERE. It automatically tries to connect your browser to other websites via the HTTPS secure, if the website does have an HTTPS website version.

https://www.eff.org/https-everywhere

HTTPS ://EVERYWHERE is available for Firefox and related Mozilla browsers, Chrome, Opera, and Firefox for Android.

It is just another tool to try to help make websurfing a bit safer.


29 posted on 03/03/2017 6:21:20 AM PST by TomGuy
[ Post Reply | Private Reply | To 1 | View Replies]

To: knarf; Gaffer

No problem here. I am annoyingly secure and do not use Chrome or Firefox.


30 posted on 03/03/2017 6:50:06 AM PST by SisterK (its a spiritual war)
[ Post Reply | Private Reply | To 25 | View Replies]

To: knarf

I would simply remind folks we’re nearing the end of the FReepathon.

If there were serious security threats, we would have FReepers reporting them after over two months of donating through the FR Donation Site.

I’m not sure what is happening with you, but I trust the FR site.


31 posted on 03/03/2017 8:50:05 AM PST by DoughtyOne (NeverTrump, a movement that was revealed to be a movement. Thank heaven we flushed!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Spktyr

As soon as I read the post immediately SHA-1 came to mind.


32 posted on 03/03/2017 8:56:05 AM PST by bar sin·is·ter
[ Post Reply | Private Reply | To 7 | View Replies]

To: knarf

Mail a check.


33 posted on 03/03/2017 9:04:23 AM PST by Mears
[ Post Reply | Private Reply | To 25 | View Replies]

To: knarf; Spktyr; All

Yes, the problem is that Google, and now possibly Firefox, are “deprecating” their support for SHA-1 certificates:

https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html

John will eventually install a new certificate after he works out a couple other pressing issues, meanwhile, our SHA-1 certificate is current and is still valid (despite Google’s warning message) and our secure server continues to encrypt our transactions as before.

As you’ve already learned, you can click “Advanced” at the bottom of the warning message and override the message.

Or you can try a browser like Edge (default browser delivered with Windows 10) and it works fine without the warning message.

Thank you very much.


34 posted on 03/03/2017 10:12:37 AM PST by Jim Robinson (Resistance to tyrants is obedience to God!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: knarf

When this happens, there is usually an error in the data and an error message like “Invalid address” meaning something in the name and address entered does not match the name and address the credit card company has on your account. Or it could be a missing phone number. Thanks again. Sorry you’re having all these problems.


35 posted on 03/03/2017 10:32:26 AM PST by Jim Robinson (Resistance to tyrants is obedience to God!)
[ Post Reply | Private Reply | To 25 | View Replies]

To: Jim Robinson

Jim, after the news that Google cracked SHA-1 wide open on February 23, 2017, even Edge is about to be updated to restrict SHA-1 certificates. I believe this patch is due out next Patch Tuesday, the 14th.

The certificate may still technically be valid, but very shortly no current browser will honor it without manual intervention, assuming it allows access at all.


36 posted on 03/03/2017 10:42:20 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 34 | View Replies]

To: TomGuy

That will not work with FR’s current certificate - or rather will not solve the problem.


37 posted on 03/03/2017 10:43:50 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 29 | View Replies]

To: ConservativeMind

Google cracked SHA1 wide open and announced it on Feb 23 of this year. The attack would take a solo attacker with just one consumer machine 110 years, but a typical hacker botnet of just ~40k zombie machines can crack it in about a day.


38 posted on 03/03/2017 10:46:52 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 16 | View Replies]

To: Spktyr

Cracked wide open, eh. Yeah I read that too. Well, like I said, John will be updating the certificate as soon as he can.


39 posted on 03/03/2017 10:48:35 AM PST by Jim Robinson (Resistance to tyrants is obedience to God!)
[ Post Reply | Private Reply | To 36 | View Replies]

To: MarkL

Microsoft is now belatedly saying that they’re going to fix their SHA support issue next Patch Tuesday.

Also, the demonstrated vulnerability in SHA1 isn’t just a matter of document security but it also allows “man in the middle” type attacks. Given how many liberal techies over on DU hate us...


40 posted on 03/03/2017 10:51:40 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 22 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson