
SSL cert problems with cryptostorm sites

Freewheeling spot to chew the fat on anything cryptostorm-related that doesn't fit elsewhere (i.e. support, howto, &c.). Criticism & praise & brainstorming & requests for explanation... this is where it goes when it's hot & ready for action! :-)

Topic Author
Timm

SSL cert problems with cryptostorm sites

Postby Timm » Thu Jun 29, 2017 2:47 am

Windows 10, Firefox 54.0.
Both cryptostorm.net and resellers.cryptostorm.org use the "cryptostorm.org" cert. Firefox doesn't want to go to those addresses.
It's really weird to see such problems on a crypto-related service.


maltfield
Posts: 4
Joined: Mon Jul 24, 2017 2:47 am

Re: SSL cert problems with cryptostorm sites

Postby maltfield » Sat Sep 16, 2017 9:32 pm

+1

Linux, Firefox 55.0.2 + Chromium 60.0.3112.113.

This is extremely annoying, and it makes much of your website content inaccessible.

@CS can you please either buy a wildcard or add a Subject Alternate Name for your many subdomains? I know of at least these SANs needed for cryptostorm.org

* pki
* haf
* resellers
* bootstrap
* tcp

Unlimited SANs are free with a free Let's Encrypt certificate.

If you insist on sticking with COMODO, then it looks like you'll need either their wildcard cert ($550/yr) or UC cert ($400/yr):

* https://ssl.comodo.com/wildcard-ssl-certificates.php
* https://ssl.comodo.com/unified-communic ... icates.php

After that, can you please look into enabling HSTS (to prevent downgrade attacks), adding HPKP (to pin specific certs & CAs), and adding a CAA record (to help reduce malicious certs from being generated from CAs that you whitelist with HPKP).

I have a guide on doing HPKP properly with Let's Encrypt here, and I'd be happy to offer consulting services if you lack the resources to achieve this:

* https://tech.michaelaltfield.net/2017/0 ... s-encrypt/

Honestly, it's a red flag to any potential buyer that your team doesn't understand security when you have incorrectly configured your https certificates for your web servers.
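What the two posts above describe is a hostname-validation failure, not a weak cipher: a certificate's Subject Alternative Name list says exactly which hosts it is valid for, and a cert naming only cryptostorm.org does not cover pki.cryptostorm.org or resellers.cryptostorm.org, so the browser refuses the connection. The script below is an added example, not cryptostorm's or maltfield's code. It applies the dNSName matching rules browsers use (RFC 6125 section 6.4.3) to constructed ssl.getpeercert()-style SAN sets modelled on the thread (the SAN contents are assumptions, not the site's real certificates), so it runs offline, and it shows two things a wildcard does not buy you: the apex domain still needs its own entry, and a second registrable domain such as cryptostorm.net is never matched. Two caveats on the suggestions in the post, as of today: Let's Encrypt caps a certificate at 100 SANs (plenty here) and has issued wildcards only since March 2018, via the DNS-01 challenge; and HPKP has since been deprecated and removed from Chrome and Firefox, so HSTS plus a CAA record is the part of that advice that still applies.

```python
"""Which hostnames does a certificate's SAN list actually cover?

Added example for this thread, not cryptostorm's code. It applies the dNSName
matching rules browsers use (RFC 6125 section 6.4.3) to constructed
ssl.getpeercert()-style dicts, so it runs offline; the SAN sets below are
assumptions modelled on the thread, not the site's real certificates.
"""

# Hostnames that must validate, taken from Timm's and maltfield's posts.
REQUIRED_HOSTS = [
    "cryptostorm.org",
    "pki.cryptostorm.org",
    "haf.cryptostorm.org",
    "resellers.cryptostorm.org",
    "bootstrap.cryptostorm.org",
    "tcp.cryptostorm.org",
    "cryptostorm.net",
]


def make_cert(*dnsnames):
    """Build a getpeercert()-shaped dict carrying the given dNSName SANs (constructed)."""
    return {
        "subject": ((("commonName", dnsnames[0]),),),
        "subjectAltName": tuple(("DNS", n) for n in dnsnames),
    }


# The situation reported in the thread: the cert names only the apex (assumed SANs).
APEX_ONLY_CERT = make_cert("cryptostorm.org", "www.cryptostorm.org")
# maltfield's fix: one SAN per host (Let's Encrypt allows up to 100 per cert).
SAN_CERT = make_cert(*REQUIRED_HOSTS)
# The wildcard alternative; note the apex still needs its own entry.
WILDCARD_CERT = make_cert("cryptostorm.org", "*.cryptostorm.org")


def dnsname_matches(pattern, hostname):
    """RFC 6125 s6.4.3 matching: case-insensitive; a wildcard is honoured only
    as the entire left-most label and matches exactly one label, so
    '*.cryptostorm.org' covers 'pki.cryptostorm.org' but neither
    'cryptostorm.org' nor 'a.b.cryptostorm.org'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ('pki*'), wildcards outside the left-most
    # label, and over-broad patterns such as '*' or '*.org'.
    if (p_labels[0] != "*"
            or any("*" in lbl for lbl in p_labels[1:])
            or len(p_labels) < 3):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_dnsnames(cert):
    """The dNSName SAN entries, in the ('DNS', value) shape ssl.getpeercert() yields."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_covered(cert, hostname):
    """Once the cert carries any SAN dNSName the Subject CN is ignored
    (RFC 6125 s6.4.4), so only the SAN list decides; a cert with no SANs
    is treated as covering nothing, which is what current browsers do."""
    return any(dnsname_matches(name, hostname) for name in san_dnsnames(cert))


def uncovered_hosts(cert, hosts=REQUIRED_HOSTS):
    """Hosts that would raise a certificate-name error in the browser."""
    return [h for h in hosts if not hostname_covered(cert, h)]


if __name__ == "__main__":
    for label, cert in [("apex only", APEX_ONLY_CERT),
                        ("explicit SANs", SAN_CERT),
                        ("wildcard", WILDCARD_CERT)]:
        print(f"{label:14s} SANs={san_dnsnames(cert)}")
        print(f"{'':14s} would fail for: {uncovered_hosts(cert) or 'nothing'}")
```

To run the same check against a live host instead of the constructed dicts, feed it the dict returned by `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()`; the `subjectAltName` tuple there has exactly the `("DNS", name)` shape used above. The apex-only cert fails for every subdomain and for cryptostorm.net; the wildcard cert still fails for cryptostorm.net, because a wildcard never crosses into another registrable domain, so that name needs its own SAN whichever CA is chosen.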

df
Site Admin
Posts: 283
Joined: Thu Jan 01, 1970 5:00 am

Re: SSL cert problems with cryptostorm sites

Postby df » Mon Sep 18, 2017 3:13 pm

That's an old issue left over from a former admin who liked to use sub-domains instead of /directories just because it "looked cooler" to him, even though I told him from the beginning not to use them.

As a result, a lot of places outside of CS have links to old http://whatever.cryptostorm.org/ pages that haven't been active since before HTTPS was forced on the forum in early 2013.

I've tried to fix as many broken links as I could find, but I'm sure there's still a bunch in the forum that I've missed.
In the fixed cases, I've converted the old http://whatever.cryptostorm.org/ format to cryptostorm.org/whatever so that the page is accessible without any SSL errors.
(So http://pki.cryptostorm.org/ would be accessed at cryptostorm.org/pki, etc.)

As for cryptostorm.net, that's always been a simple redirect to cryptostorm.org, so anyone going to https://cryptostorm.net/ would be doing so manually (or because of a browser addon). But that shouldn't be linked anywhere, even external to CS since there's never been a webpage on that domain.

EDIT:
As for HSTS and HPKP, the former was causing problems with a lot of browsers caching the incorrect subdomains, and most browsers don't allow you to bypass an HSTS error as you can a plain certificate error. If I remember correctly, the reason we didn't do HPKP on this website or the main cryptostorm.is one was related to those coming here using older browsers (which is often enough that it would cause issues).

