Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: knarf; Jim Robinson; John Robinson; Sidebar Moderator

The problem is likely that FR’s using a compromised security certificate. A lot of sites got hit by this problem.

Additional details of the problem:
“secure.freerepublic.com uses an invalid security certificate. The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure. Error code: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED”

https://secure.freerepublic.com/donate/

The certificate was signed using a signature algorithm that is disabled because it is not secure.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: false

I deleted the certificate chain as it wasn’t needed.

This is related to the SHA-1 vulnerability; several years ago, the phaseout of that algorithm began, but it was only recently that it began being enforced by browsers like Chrome, Firefox, etc.

More info here: https://www.godaddy.com/garage/webpro/security/google-chrome-phasing-ssl-certs-using-sha-1/

Modern browsers like Chrome (since 2015) and now Firefox and others will by default now block (not just warn!) any SSL/security certificate that meets the following criteria:

1. The cert uses the SHA1 hashing algorithm

2. The cert expires on or after 2017-01-01

If both these are met, the site is blocked by default.

Need to go back to the authority issuing the certificate and get them to issue a new one.


7 posted on 03/03/2017 3:00:11 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
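Added example (not part of the post above and not Free Republic's code): a small Python check that applies the two criteria listed in post 7 to the text produced by `openssl x509 -noout -text`. The function names and the sample certificate text are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Cutoff date from the post: SHA-1 certs expiring on or after it are blocked.
CUTOFF = datetime(2017, 1, 1, tzinfo=timezone.utc)

SIG_RE = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.M)
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.M)

def parse_cert_text(text):
    """Extract (signature algorithm, notAfter) from `openssl x509 -noout -text` output."""
    sig = SIG_RE.search(text)
    end = NOT_AFTER_RE.search(text)
    if not sig or not end:
        raise ValueError("missing Signature Algorithm or Not After field")
    not_after = datetime.strptime(end.group(1), "%b %d %H:%M:%S %Y GMT")
    return sig.group(1), not_after.replace(tzinfo=timezone.utc)

def uses_sha1(sig_alg):
    # Covers OpenSSL names such as sha1WithRSAEncryption and ecdsa-with-SHA1.
    return "sha1" in sig_alg.lower()

def blocked_by_sha1_rule(text):
    """True when both criteria from the post hold for this certificate."""
    sig_alg, not_after = parse_cert_text(text)
    return uses_sha1(sig_alg) and not_after >= CUTOFF

def make_sample(sig_alg, not_after):
    # Constructed sample: only the fields the check reads, laid out like OpenSSL's text dump.
    return (
        "Certificate:\n"
        "    Data:\n"
        f"        Signature Algorithm: {sig_alg}\n"
        "        Validity\n"
        "            Not Before: Mar  3 00:00:00 2015 GMT\n"
        f"            Not After : {not_after}\n"
    )

SHA1_LONG = make_sample("sha1WithRSAEncryption", "Mar  3 12:00:00 2018 GMT")
SHA1_SHORT = make_sample("sha1WithRSAEncryption", "Dec 31 23:59:59 2016 GMT")
SHA256_LONG = make_sample("sha256WithRSAEncryption", "Mar  3 12:00:00 2018 GMT")

if __name__ == "__main__":
    for name, text in [("sha1/2018", SHA1_LONG), ("sha1/2016", SHA1_SHORT),
                       ("sha256/2018", SHA256_LONG)]:
        print(name, "blocked" if blocked_by_sha1_rule(text) else "accepted")
```

To run it against a real certificate, pass the saved output of `openssl x509 -in cert.pem -noout -text` to `blocked_by_sha1_rule`; `cert.pem` is a placeholder file name.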


To: Spktyr

So even if I tried to donate, Firefox would block it anyway?


8 posted on 03/03/2017 3:03:45 AM PST by knarf

To: knarf; Jim Robinson; John Robinson; Sidebar Moderator

Follow-up with more information - yes, SHA1 *has* been broken.

http://www.theverge.com/2017/2/23/14712118/google-sha1-collision-broken-web-encryption-shattered

“As a result, most sites have already dropped SHA-1. As recently as 2014 it was being used for as much as 90 percent of the encryption on the web, but it’s been mostly abandoned in the years since. As of January 1st, every major browser will show you a big red warning when you visit a site secured by SHA-1. It’s hard to say how many of those sites are left, but anyone with a halfway decent certificate provider is already safe.”


9 posted on 03/03/2017 3:04:47 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)

To: Spktyr

As soon as I read the post, immediately SHA-1 came to mind.


32 posted on 03/03/2017 8:56:05 AM PST by bar sin·is·ter



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson