Windows 10, Firefox 54.0.
Both cryptostorm.net and resellers.cryptostorm.org use "cryptostorm.org" cert. Firefox doesn't want to go to that addresses.
It's realy weird to see such problems on crypto related service.
Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
∞ take a peek at our legendary cryptostorm_is twitter feed if you're into that kind of thing ∞
Ξ we're rolling out voodoo network security across cryptostorm - big things happening, indeed! Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit GitHub Ξ
∞ take a peek at our legendary cryptostorm_is twitter feed if you're into that kind of thing ∞
Ξ we're rolling out voodoo network security across cryptostorm - big things happening, indeed! Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit GitHub Ξ
SSL cert problems with cryptostorm sites
Re: SSL cert problems with cryptostorm sites
+1
Linux, Firefox 55.0.2 + Chromium 60.0.3112.113.
This is extremely annoying, and it makes much of your website content inaccessible.
@CS can you please either buy a wildcard or add a Subject Alternate Name for your many subdomains? I know of at least these SANs needed for cryptostorm.org
* pki
* haf
* resellers
* bootstrap
* tcp
Unlimited SANs are free with a free Let's Encrypt certificate.
If you insist on sticking with COMODO, then looks like you'll need either their wildcard cert ($550/yr) or UC cert ($400/yr)
* https://ssl.comodo.com/wildcard-ssl-certificates.php
* https://ssl.comodo.com/unified-communic ... icates.php
After that, can you please look into enabling HSTS (to prevent downgrade attacks), adding HPKP (to pin specific certs & CAs), and adding a CAA record (to help reduce malicious certs from being generated from CAs that you whitelist with HPKP).
I have a guide on doing HPKP properly with Let's Encrypt here, and I'd be happy to offer consulting services if you lack the resources to achieve this:
* https://tech.michaelaltfield.net/2017/0 ... s-encrypt/
Honestly, it's a red flag to any potential buyer that your team doesn't understand security when you have incorrectly configured your https certificates for your web servers.
Linux, Firefox 55.0.2 + Chromium 60.0.3112.113.
This is extremely annoying, and it makes much of your website content inaccessible.
@CS can you please either buy a wildcard or add a Subject Alternate Name for your many subdomains? I know of at least these SANs needed for cryptostorm.org
* pki
* haf
* resellers
* bootstrap
* tcp
Unlimited SANs are free with a free Let's Encrypt certificate.
If you insist on sticking with COMODO, then looks like you'll need either their wildcard cert ($550/yr) or UC cert ($400/yr)
* https://ssl.comodo.com/wildcard-ssl-certificates.php
* https://ssl.comodo.com/unified-communic ... icates.php
After that, can you please look into enabling HSTS (to prevent downgrade attacks), adding HPKP (to pin specific certs & CAs), and adding a CAA record (to help reduce malicious certs from being generated from CAs that you whitelist with HPKP).
I have a guide on doing HPKP properly with Let's Encrypt here, and I'd be happy to offer consulting services if you lack the resources to achieve this:
* https://tech.michaelaltfield.net/2017/0 ... s-encrypt/
Honestly, it's a red flag to any potential buyer that your team doesn't understand security when you have incorrectly configured your https certificates for your web servers.
Michael Altfield
https://www.michaelaltfield.net
https://www.michaelaltfield.net
Re: SSL cert problems with cryptostorm sites
That's an old issue left over from a former admin who liked to use sub-domains instead of /directories just because it "looked cooler" to him, even though I told him from the beginning not to use them.
As a result, a lot of places outside of CS have links to old http://whatever.cryptostorm.org/ pages that haven't been active since before HTTPS was forced on the forum in early 2013.
I've tried to fix as many broken links as I could find, but I'm sure there's still a bunch in the forum that I've missed.
In the fixed cases, I've converted the old http://whatever.cryptostorm.org/ format to whatever so that the page is accessible without any SSL errors
(So http://pki.cryptostorm.org/ would be accessed at pki , etc.)
As for cryptostorm.net, that's always been a simple redirect to cryptostorm.org, so anyone going to https://cryptostorm.net/ would be doing so manually (or because of a browser addon). But that shouldn't be linked anywhere, even external to CS since there's never been a webpage on that domain.
EDIT:
As for HSTS and HPKP, the former was causing problems with a lot of browsers caching the incorrect subdomains, and most browsers don't allow you to bypass an HSTS error as you can a plain certificate error. If I remember correctly, the reason we didn't do HPKP on this website or the main cryptostorm.is one was related to those coming here using older browsers (which is often enough that it would cause issues).
As a result, a lot of places outside of CS have links to old http://whatever.cryptostorm.org/ pages that haven't been active since before HTTPS was forced on the forum in early 2013.
I've tried to fix as many broken links as I could find, but I'm sure there's still a bunch in the forum that I've missed.
In the fixed cases, I've converted the old http://whatever.cryptostorm.org/ format to whatever so that the page is accessible without any SSL errors
(So http://pki.cryptostorm.org/ would be accessed at pki , etc.)
As for cryptostorm.net, that's always been a simple redirect to cryptostorm.org, so anyone going to https://cryptostorm.net/ would be doing so manually (or because of a browser addon). But that shouldn't be linked anywhere, even external to CS since there's never been a webpage on that domain.
EDIT:
As for HSTS and HPKP, the former was causing problems with a lot of browsers caching the incorrect subdomains, and most browsers don't allow you to bypass an HSTS error as you can a plain certificate error. If I remember correctly, the reason we didn't do HPKP on this website or the main cryptostorm.is one was related to those coming here using older browsers (which is often enough that it would cause issues).
Return to “general chat, suggestions, industry news”
Who is online
Users browsing this forum: No registered users and 13 guests