ROOL's Certs Expired
Frederick Bambrough (1372) 837 posts
ROOL’s website certificate(s) expired on 19th. Having to use private windows on Safari & Opera to gain access.
Steve Pampling (1551) 8172 posts
At 23:59 to be precise.
Edge on Windows also connects with barely a murmur; a red triangle flag doesn’t really cut it in security terms – especially as the site has HSTS flags set, so the browser should refuse to connect when the certificate isn’t valid.
Alan Adams (2486) 1149 posts
Or just use Iris = simply says “expired” and continues.
Steve Pampling (1551) 8172 posts
I much prefer my browser to work properly, and continuing to a site that has a declared HSTS setup and an invalid certificate is not proper behaviour.
David J. Ruck (33) 1636 posts
I can’t access the site from either Chrome/Chromium or Firefox, as they have removed the ability to ignore expired certificates and continue. The only thing I can get in on is NetSurf on RISC OS (via VNC), which I hope isn’t the intention.
Rick Murray (539) 13850 posts
I’m accessing through the oddity that is the .co.uk domain. This is possible because, technically, there is no valid certificate to check so you can choose to continue at your own risk (but note that it is not using SSL in that case). It looks like it is supposed to redirect to the .org, but that fails for some reason.
If you read the actual error explanation rather than just what’s up with the SSL layer, you’ll see that it isn’t actually the browser at fault here. This site, at least the .org incarnation, specifies HSTS (the Strict-Transport-Security header). What this means is “either connect using secure sockets or refuse the connection”. Interestingly the .co.uk version doesn’t give any special headers. Because the certificate is invalid (the reason why doesn’t matter), the connection must be dropped. Any browser that connects to the .org site in this situation… quite frankly cannot be trusted to do the right thing in the case of something more serious than an expired certificate. (Allowances can be made for things that are too old to know what HSTS is; that’s possibly how NetSurf allows a way in ;) )
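The browser rule Rick describes, modelled as a small stand-alone script (an added example, not code from the forum or from ROOL): it parses a Strict-Transport-Security header and, following RFC 6797 section 12.1, refuses an expired certificate outright when HSTS is in force but allows a click-through override when it is not. The header value, host and expiry date are constructed samples.

```python
"""Decide what a conforming browser does with an expired certificate.
Added illustration; the header and notAfter values are constructed samples."""
import ssl
import time

# Constructed sample of the kind of HSTS header the .org site is said to send.
STS_HEADER = "max-age=31536000; includeSubDomains"
# Constructed sample expiry, in the notAfter format ssl.getpeercert() returns.
SAMPLE_NOT_AFTER = "Jan 19 23:59:59 2024 GMT"


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into its directives.

    Returns None when the header is absent, has no valid max-age, or has
    max-age=0 (which tells the browser to forget the policy); in all three
    cases the browser behaves as if no HSTS policy applies.
    """
    if not header:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] else None


def cert_expired(not_after, now=None):
    """True if the certificate's notAfter (OpenSSL text form, GMT) is past."""
    expiry = ssl.cert_time_to_seconds(not_after)
    return expiry < (now if now is not None else time.time())


def connection_decision(hsts_header, not_after, now=None):
    """'connect' if the cert is valid; otherwise 'refuse' under HSTS
    (no user recourse) or 'override' if the host sent no HSTS policy."""
    if not cert_expired(not_after, now):
        return "connect"
    return "refuse" if parse_hsts(hsts_header) else "override"
```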
André Timmermans (100) 655 posts
Firefox reports the issue but still offers you the possibility to continue at your own risk.
Frederick Bambrough (1372) 837 posts
The current NetSurf 3.12 gives an error message.
Erich Kraehenbuehl (1634) 181 posts
“Firefox reports the issue but still offers you the possibility to continue at your own risk” But now the certificate got renewed, it seems…
Dave Higton (1515) 3534 posts
I don’t know what version of Firefox you’re using, but mine would not let me in at all. Version 121.0.1 (64-bit) on Ubuntu.
Chris Mahoney (1684) 2165 posts
Ahh, that explains why the site’s been erroring for me (Safari on Mac). Admittedly I didn’t actually read the message and just figured it would resolve itself in time… and it did! :)
Steve Pampling (1551) 8172 posts
Replaced would be a better description. Interestingly, the Home page has a bit of an error: Latest news
Dave Higton (1515) 3534 posts
News from an impeccable source is that ROOL’s provider screwed up the renewal. My web site provider auto-renews certificates for me. I gather it’s a common arrangement.
Martin Avison (27) 1494 posts
I have already reported the Home page problem to the ‘impeccable source’ down under.
Steve Pampling (1551) 8172 posts
I think the clue may be in the mention of particular protocols "SSLv2/v3 read server hello A: sslv3 alert handshake failure". The previous certificate was issued two years ago¹; during that time SSLv3 went from “deprecated” to a state best described as “bury at crossroads at midnight with a holly stake through its heart to kill off the undead”.
¹ Certificate authorities seem to have been shortening validity periods over the past 10 years, allegedly on security grounds, although the cynic in me notes that they charge the same (plus inflation) for the shorter period certificates.
Rick Murray (539) 13850 posts
Both run clouds and make a lot of IoT crap. It would make sense for them to not have to rely on a third party for their certs.
David J. Ruck (33) 1636 posts
But it is, it can warn as much as it likes, but there should always be an override. It’s the browser equivalent of MCAS.
Dave Higton (1515) 3534 posts
I think you’ve not fully understood the definition of HSTS.
Steve Pampling (1551) 8172 posts
I guess you’re just going to love the push to put HSTS on everything and browsers implementing HTTPS-only mode as a default.
Surely you meant to type MDCA?? As a general language description, I’d say that HSTS was about verifying the remote host and the integrity of the connection chain from that host to your browser. MDCA is about validating the cloud application on varying hosts.
David J. Ruck (33) 1636 posts
No, MCAS as in Boeing 737 MAX, as in flying a perfectly airworthy plane into the ground because some software thought it knew best. And I’m fully aware of what HSTS is, but as the pilot in command of the browser, it is my choice to visit a site or not. Speaking as both a software engineer who’s worked in aerospace, and as a pilot.
Clive Semmens (2335) 3276 posts
Fine, but if the airport says the runway is out of action, you don’t get the option to land there.
Colin Ferris (399) 1818 posts
No runway – Fine – use a field instead :-/
Steve Pampling (1551) 8172 posts
I think, in certain circumstances, the pilot tends to say “it’s reasonably flat and reasonably smooth, it will do.” As to Boeing, would that be the company that throws up chaff like “the part that fell off an Alaska Airlines flight was made in Malaysia” while quietly omitting the rather more pertinent facts that:
Colin Ferris (399) 1818 posts
Didn’t someone’s phone fall down and still work.
Rick Murray (539) 13850 posts
… the Hudson River.
…that has a “special” relationship with the FAA where it gets to certify itself?