Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

*VANITY* I was hacked and I'm no longer secure on FR *VANITY*
self ^ | March 3, 2017 | knarf

Posted on 03/03/2017 2:32:11 AM PST by knarf

A couple of months ago, my card was hacked, not my account, so I waited for a new one to re-submit my FR donation.


TOPICS: Crime/Corruption; Culture/Society; Unclassified; Your Opinion/Questions
KEYWORDS: cybersecurity; donate; ecommerce; faq; hacking
Navigation: use the links below to view more comments.
first previous 1-2021-4041-53 next last
To: knarf

A similar (same) issue was brought up yesterday on a Freepathon thread, and Jim had a reply:

http://freerepublic.com/focus/f-news/3530673/posts?page=7#7


21 posted on 03/03/2017 5:08:02 AM PST by Carthego delenda est
[ Post Reply | Private Reply | To 1 | View Replies]

To: knarf

The warning that Chrome has is with the certificate type the FR is using. Certificates are used for many different reasons in computing, but in this case, the certificate provides “proof” of the identity of the system, as well as encryption of the data (2 different but related functions.)

FR is still using a SHA-1 certificate, while the “current,” certificate type is SHA-2. It has to do with the length of the key, as well as the encryption algorithms used. In simplest terms, these define the “strength” of security, or theoretically how difficult it is to “break” the security.

Normally, it is just theoretical, however just over a week ago, the first “SHA-1 Collision” was demonstrated - Certificates can be used to prove that a document has not been tampered with, using a check-sum. But just recently, two different files were demonstrated to have the same checksum using SHA-1 certificates.

Using a SHA-1 secured web site does NOT neccessarily put your financial data in jeopardy, but it does go against “best practices.” Microsoft has repeatedly pushed back the dates over the years that they would no longer support SHA-1 certificates. Google (with Chrome) no longer supports it, and throws the warning.

Some systems are a breeze to upgrade, others require a complete re-write of the system, and I’m guessing that since FR isn’t using SHA-2, that they’re in the later camp. I’m sure that JimRob and his crew are working hard to upgrade the system.

Again, this warning DOES NOT MEAN your information is necessarily vulnerable! It just means that it’s not currently at “best practices” level.

Here’s a description of the topic, if you’re interested.

https://www.lifewire.com/what-is-sha-1-2626011

Mark


22 posted on 03/03/2017 5:11:43 AM PST by MarkL (Do I really look like a guy with a plan?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Gaffer

I’m getting the same error with the Silk browser (Amazon Kindle.)


23 posted on 03/03/2017 5:15:21 AM PST by mollynme (cogito, ergo freepum)
[ Post Reply | Private Reply | To 20 | View Replies]

To: mountn man

What a pleasant wake-me-up.


24 posted on 03/03/2017 5:36:08 AM PST by redfreedom
[ Post Reply | Private Reply | To 18 | View Replies]

To: Spktyr; Jim Robinson
OK .. I just overode the warning, hit advanced, and input my data

After it was all done, I hit continue and the page just sat there.

I hit continue a half a dozen times playing the double tap game and it just sat there ... I returned here via history.

JR ... did I come through or am I in never never land ?

25 posted on 03/03/2017 5:40:58 AM PST by knarf
[ Post Reply | Private Reply | To 12 | View Replies]

To: knarf

I’ve gotten blocked from FR by Firefox on different computers saying the site is unsafe and to hit the “Get Me Out Of Here” button.


26 posted on 03/03/2017 5:50:48 AM PST by SkyDancer (Ambition Without Talent Is Sad, Talent Without Ambition Is Worse)
[ Post Reply | Private Reply | To 1 | View Replies]

To: knarf

PS: Someone once told me it had to do with certificates or something on FF tools menu somewhere.


27 posted on 03/03/2017 5:51:50 AM PST by SkyDancer (Ambition Without Talent Is Sad, Talent Without Ambition Is Worse)
[ Post Reply | Private Reply | To 1 | View Replies]

To: knarf

JR ... did I come through or am I in never never land ?

****************

You may have come through a half a dozen times.
You may be paid up for the next six months.


28 posted on 03/03/2017 6:00:46 AM PST by deport
[ Post Reply | Private Reply | To 25 | View Replies]

To: knarf

Notice that the URL for FR Donate is: https://secure.freerepublic.com/donate/

Note that is HTTPS://

The S indicates that the link is secure — established between your browser and the recipient webpage.

Depending on your browser, in the address bar you should see some kind of indicator that the website is secure. Mine [Comodo IceDragon — a Firefox/Mozilla based browser] shows a green padlock. Some show the entire address in different color. Some show a locked padlock in the information bar.

Opera showed a certificate problem.

==

You might consider installing the add-on HTTPS ://EVERYWHERE. It automatically tries to connect your browser to other websites via the HTTPS secure, if the website does have an HTTPS website version.

https://www.eff.org/https-everywhere

HTTPS ://EVERYWHERE is available for Firefox and related Mozilla browsers, Crome, Opera, and Firefox for Android.

It is just another tool to try to help make websurfing a bit safer.


29 posted on 03/03/2017 6:21:20 AM PST by TomGuy
[ Post Reply | Private Reply | To 1 | View Replies]

To: knarf; Gaffer

No problem here. I am annoyingly secure and do not use Chrome or Firefox.


30 posted on 03/03/2017 6:50:06 AM PST by SisterK (its a spiritual war)
[ Post Reply | Private Reply | To 25 | View Replies]

To: knarf

I would simply remind folks we’re nearing the end of the FReepathon.

If there were serious security threats, we would have FReepers reporting them after over two months of donating through the FR Donation Site.

I’m not sure what is happening with you, but I trust the FR site.


31 posted on 03/03/2017 8:50:05 AM PST by DoughtyOne (NeverTrump, a movement that was revealed to be a movement. Thank heaven we flushed!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Spktyr

As soon as I read the post immediately SHA-1 came to mind.


32 posted on 03/03/2017 8:56:05 AM PST by bar sin·is·ter
[ Post Reply | Private Reply | To 7 | View Replies]

To: knarf

Mail a check.


33 posted on 03/03/2017 9:04:23 AM PST by Mears
[ Post Reply | Private Reply | To 25 | View Replies]

To: knarf; Spktyr; All

Yes, the problem is that Google, and now possibly Firefox, are “deprecating” their support for SHA-1 certificates:

https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html

John will eventually install a new certificate after he works out a couple other pressing issues, meanwhile, our SHA-1 certificate is current and is still valid (despite Google’s warning message) and our secure server continues to encrypt our transactions as before.

As you’ve already learned, you can click “Advanced” at the bottom of the warning message and override the message.

Or you can try a browser like Edge (default browser delivered with windows 10) and it works fine without the warning message.

Thank you very much.


34 posted on 03/03/2017 10:12:37 AM PST by Jim Robinson (Resistance to tyrants is obedience to God!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: knarf

When this happens, there is usually an error in the data and an error message like “Invalid address” meaning something in the name and address entered does not match the name and address the credit card company has on your account. Or it could be a missing phone number. Thanks again. Sorry you’re having all these problems.


35 posted on 03/03/2017 10:32:26 AM PST by Jim Robinson (Resistance to tyrants is obedience to God!)
[ Post Reply | Private Reply | To 25 | View Replies]

To: Jim Robinson

Jim, after the news that Google cracked SHA-1 wide open on February 23, 2017, even Edge is about to be updated to restrict SHA-1 certificates. I believe this patch is due out next Patch Tuesday, the 14th.

The certificate may still technically be valid, but very shortly no current browser will honor it without manual intervention, assuming it allows access at all.


36 posted on 03/03/2017 10:42:20 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 34 | View Replies]

To: TomGuy

That will not work with FR’s current certificate - or rather will not solve the problem.


37 posted on 03/03/2017 10:43:50 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 29 | View Replies]

To: ConservativeMind

Google cracked SHA1 wide open and announced it on Feb 23 of this year. The attack would take a solo attacker with just one consumer machine 110 years, but a typical hacker botnet of just ~40k zombie machines can crack it in about a day.


38 posted on 03/03/2017 10:46:52 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 16 | View Replies]

To: Spktyr

Cracked wide open, eh. Yeah I read that too. Well, like I said, John will be updating the certificate as soon as he can.


39 posted on 03/03/2017 10:48:35 AM PST by Jim Robinson (Resistance to tyrants is obedience to God!)
[ Post Reply | Private Reply | To 36 | View Replies]

To: MarkL

Microsoft is now belatedly saying that they’re going to fix their SHA support issue next Patch Tuesday.

Also, the demonstrated vulnerability in SHA1 isn’t just a matter of document security but it also allows “man in the middle” type attacks. Given how many liberal techies over on DU hate us...


40 posted on 03/03/2017 10:51:40 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 22 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-2021-4041-53 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson