Old 10-15-17, 05:34 AM   #7
Sean C
Grey Wolf
 
Join Date: Jun 2017
Location: Norfolk, VA
Posts: 907
Downloads: 12
Uploads: 2


I wouldn't untick the box about querying servers to confirm current validity. It may solve the problem in the short term, but it may allow a bad actor to use an outdated certificate in the future to spoof a website.

The "import" button under the authorities tab should work. Perhaps I should explain a little bit about what I think is going on so that you can make an informed decision about what is the best choice for you:

Websites that want to perform secure transactions (password and sensitive information exchanges) create a certificate which securely identifies themselves to the rest of the world. These certificates are unique and very hard (if not impossible) for most hackers to duplicate. But, that alone is not enough. It would be child's play for a hacker to generate a certificate with the website's name and try to pass it off as genuine. So, the website has their certificate signed by an authority to verify its authenticity. Very few CAs (Certificate Authorities) exist and they have worked hard to build a good online reputation.

This is an expensive process and requires a lot of information from the website wishing to have their certificate signed. In addition, the signatures and the certificates themselves have an expiration date. Every so often, the website must have their certificate re-signed to ensure that it is still valid. If a signature expires or if a website thinks their certificate may have been compromised or if they generate a new one for whatever reason, they must request a new signature from the CA. Also, if the CA itself generates a new certificate and the old signature expires, the website will need to request a new signature from the CA to remain up-to-date.

Browsers such as Firefox keep a list of valid Certificate Authority certificates and query servers to determine whether these certificates are up-to-date. If a website has a certificate which is signed by a current CA's certificate, it is deemed trustworthy. If, for whatever reason, things don't match up (and the browser is configured to protect you)...the browser will block the website from exchanging information which might be sensitive in nature.

So, here's a list of things I suspect might have happened to cause your problem:
  1. The CA's (in this case: Symantec) certificate was not updated in your browser, thus the signature and/or certificate has expired.
  2. The website's certificate was not updated and thus the signature and/or certificate has expired.
  3. The CA's certificate was somehow deleted from your browser's cache of trusted authorities, resulting in an unrecognized and therefore untrusted signature.
  4. You are actually the target of a malicious attack (such as DNS spoofing) and your computer is being presented with a false certificate which does not have a valid signature from a trusted CA.

In any case, Firefox is trying to protect you from exposing potentially sensitive information to a non-trusted source. (This is why I recommend you don't turn off the checks for whether certificates are still valid.) If you are planning on conducting financial transactions with the website in question, I would err on the side of extreme caution and download Symantec's signing certificate directly from their website. If you'd like, I may be able to export Symantec's certificate from my system and upload it here.

But, I think it would be best if you check to make sure your version of Firefox is up-to-date and that all of your certificates are also being updated. This will ensure that any online transaction you perform with a trusted source will be secure. I would be happy to explain further anything which I may have not already explained well enough. Just ask.

Cheers,
Nate B.
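Added example, not part of the original post: a small Python check that performs the same chain validation a browser does and reports which of the four causes listed above the failure is consistent with. The function names and the wording of each message are assumptions made for illustration; the numeric codes are OpenSSL's X509_V_ERR_* values as exposed by Python's `ssl` module.

```python
import socket
import ssl
import sys

# OpenSSL verification codes (SSLCertVerificationError.verify_code) mapped to
# the numbered causes in the post. The wording is this example's own.
CAUSES = {
    9: "a certificate in the chain is not yet valid (check the local clock)",
    10: "a certificate in the chain has expired (cause 1 or 2)",
    18: "self-signed site certificate with no CA signature (cause 4 is possible)",
    19: "chain ends in a root that is not in the trust store (cause 3 or 4)",
    20: "issuer not found in the trust store (cause 3 or 4)",
    62: "certificate was issued for a different hostname (cause 4 is possible)",
}


def classify(verify_code):
    """Translate an OpenSSL verify code into a human-readable cause."""
    return CAUSES.get(
        verify_code, f"other verification failure (OpenSSL code {verify_code})"
    )


def diagnose(host, port=443, cafile=None, timeout=5.0):
    """Attempt a verified TLS handshake and return (status, detail).

    cafile=None uses the system trust store; pass a PEM bundle to test
    against a specific set of authorities. Python does not query OCSP or
    CRLs here, so revocation status is not covered by this check.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", f"chain verified over {tls.version()}"
    except ssl.SSLCertVerificationError as exc:
        # A missing CA (cause 3) and a forged certificate (cause 4) produce
        # the same codes; the error alone cannot tell them apart.
        return "untrusted", classify(exc.verify_code)
    except OSError as exc:
        return "error", str(exc)


if __name__ == "__main__" and len(sys.argv) > 1:
    status, detail = diagnose(sys.argv[1])
    print(f"{sys.argv[1]}: {status}: {detail}")
```

Codes 19 and 20 are returned both when the authority is simply absent from the local store and when the certificate was never signed by a trusted authority, which is why restoring the CA certificate from a trusted source matters more than silencing the warning.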