ROOL's Certs Expired
George T. Greenfield (154) 749 posts |
I remember thinking, when I first read about that, that it was a /very/ bad idea. Manufacturers manufacture; regulators regulate. The solution to the latter’s lack of resources (apparently) was not to give the fox the key to the henhouse. |
André Timmermans (100) 655 posts |
In the case of Firefox, when it errors on certificates, it shows 2 buttons, one to get out of there, the other to receive details. If you click on that one, you get another page which allows you to continue at your own risk. At least that’s what I get with the latest versions on Windows and Raspbian. |
Clive Semmens (2335) 3276 posts |
Generally I’ve had that experience with Firefox too. In this particular case, Firefox told me that the site itself had refused to continue. |
Stuart Swales (8827) 1357 posts |
Alas, HSTS mandates this failure mode (see https://www.rfc-editor.org/rfc/rfc6797.html#section-12.1). I agree with druck – this way lies madness. |
Dave Higton (1515) 3534 posts |
Section 12.1 explains why users should not get the option to “click through”. |
Rick Murray (539) 13850 posts |
It’s not for people like us. It’s for the majority that, once upon a time, thought that the little blue ‘e’ was “the internet”, who don’t know what HSTS is, and who wouldn’t understand the description if they Googled it. This site is explicitly saying to refuse a connection if there’s an error with the certificate. The browser is doing exactly that. For what it’s worth, I fully agree. This linked picture shows what the KFC Laval access point did when I visited this very site back in 2016. |
Stuart Swales (8827) 1357 posts |
I certainly think HSTS should not be bypassable by a simple click. Maybe three, asking different questions! And a big red scrolling banner in the offending page(s) saying ‘Your data is probably being stolen!!!’ I say this as someone who managed to lock themselves out of a site they manage for a few days ’cos of HSTS and a cert screwup. |
David J. Ruck (33) 1636 posts |
HSTS protecting against MITM attacks using invalid certificates is fine, but the expiry of a certificate which is in all other ways valid for the domain is not an MITM, it’s a frequently occurring administrative failure which you should be allowed to manually overrule. |
Rick Murray (539) 13850 posts |
As I said, you and I understand what the messages mean. Does the “man on the street”?
Therein lies the problem. Better administration. Stick an entry into your calendar (if it’s not done automatically). Note, in this specific case, the hosting screwed something up and ROOL has put in a temporary Let’s Encrypt until it gets fixed. So it wasn’t ROOL forgetting. |
David J. Ruck (33) 1636 posts |
I’m of the opinion that there should be a large unguarded hole in the middle of the pavement with a meat grinder at the bottom, ready for the “man on the street” who’s only concentrating on his mobile phone. |
Rick Murray (539) 13850 posts |
I agree, but “lowest common denominator”… (aka: you suffer annoyances in order to protect them from themselves) |
Clive Semmens (2335) 3276 posts |
The trouble with that is that the meat will be contaminated with pulverised phone. |
Steve Pampling (1551) 8172 posts |
Beep, beep, Wile E. Coyote has a friend on the case. |
Steve Pampling (1551) 8172 posts |
The typical user clicks the allow exception link so fast you’d be hard-pressed to get a workable idea of the content of the message, even with true photographic memory. Modern browser behaviour and server settings like HSTS exist to attempt to prevent the MitM attack. |
Steve Pampling (1551) 8172 posts |
90 day intervals will be the thing soon |
David J. Ruck (33) 1636 posts |
No link until you’ve gone to about:config, navigated past 30,000 other options and set AssumeImAFuckingIdiot=false |
Dave Higton (1515) 3534 posts |
David Ruck: if you don’t like this site being protected by HSTS, I’d suggest your course of action should be to petition ROOL to reduce its protection. Not to rail against HSTS itself. You may find you don’t get much support from the users here, though, as it’s clear that some understand the virtues of HSTS. I agree with the suggestion of using certbot in automatic mode. But whatever, it’s clear that forgetting to renew certs is a nuisance. Even some big companies do it, although having to pay for certs adds another layer of complexity and chance of failure. |
David J. Ruck (33) 1636 posts |
It’s nothing to do with this site, it’s the brain dead decision by the browser makers to treat an expired but otherwise valid certificate as a MITM attack and to remove the ability to override the block, when as you say this is something that regularly affects big companies and government websites. |
Steve Pampling (1551) 8172 posts |
Hmmm, different arrangements for the sales links and the rest?
That ACME pair of links was actually intended as a pointer for our general readership so that they can do a fire-and-forget for their web sites, rather than chase their tails about cert renewals. |
Steve Pampling (1551) 8172 posts |
I like the behaviour. I get the opportunity to point users at where most of their problems originate[1] weekly, or more often.
[1] Out there, not on site. |
Andrew Hodgkinson (6) 465 posts |
Sorry about the hassle. There were problems with the SSL reseller we get our Comodo stuff from and renewal didn’t happen properly. I temporarily put in a Let’s Encrypt hand-rolled cert for a couple of days while I waited for Support to help then, this morning (NZ time) put back our “correct” certificate, good up until the start of next year. Hopefully this means everyone is able to use their preferred web browser, feed reader etc. as usual again! |
Steve Pampling (1551) 8172 posts |
Keep your eyes open for the push to shorten the validity. |
Rick Murray (539) 13850 posts |
That’s an oxymoron, and that’s why the browser said no. |
Mr Rooster (1610) 21 posts |
Shorter expiry periods do make sense from a security point of view, less scope for a rogue certificate to cause problems. The cost has largely been avoided with companies like LetsEncrypt, who will issue SSL certs for free unless your usage is very very atypical. (LetsEncrypt is the best known, but there are several others out there). It is intended that, as a user of LetsEncrypt, you will automate the certificate renewal process, which is why they have a 3 month expiry time. Their eventual goal is to reduce this to days. Other free issuers work the same.
It’s a valid decision, on average half the users are idiots, and most browser makers are American, where sueballs exist. :) The override for HSTS (for Chrome/Edge) is to click in the browser window, then type ‘thisisunsafe’. (With my developer hat on) sometimes this is just easier. |
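The practical upshot of the thread (once a browser has cached an HSTS policy, an expired cert means a hard refusal with no click-through, so expiry has to be caught well ahead and renewal automated) as an added example; this is not code from any post here or from ROOL. The notAfter string and HSTS header are constructed sample values, and `live_not_after` is a hypothetical helper that needs network access and is not used by the offline checks.

```python
import ssl
import socket
from datetime import datetime, timezone

# Constructed sample inputs (not taken from any real server).
SAMPLE_NOT_AFTER = "Jan 10 00:00:00 2026 GMT"   # format ssl.getpeercert() uses
SAMPLE_HSTS = "max-age=31536000; includeSubDomains; preload"

def days_until_expiry(not_after, now=None):
    """Days left on a certificate, given its notAfter string as returned by
    ssl.SSLSocket.getpeercert()['notAfter']. `now` must be a UTC-aware datetime."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = now or datetime.now(timezone.utc)
    return (expires - now.timestamp()) / 86400

def parse_hsts(header):
    """Split a Strict-Transport-Security header value into its directives."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if value else True
    return directives

def renewal_status(not_after, hsts_header="", warn_days=30, now=None):
    """Classify a site's certificate. With a non-zero HSTS max-age cached,
    browsers must terminate the connection on a cert error with no user
    recourse (RFC 6797 s12.1), so expiry must be flagged well in advance."""
    days = days_until_expiry(not_after, now)
    max_age = int(parse_hsts(hsts_header).get("max-age", 0)) if hsts_header else 0
    if days <= 0:
        level = "EXPIRED"
    elif days < warn_days:
        level = "WARN"
    else:
        level = "OK"
    return {
        "days_left": round(days, 1),
        "level": level,
        "hsts_max_age_days": max_age // 86400,
        "hard_fail_on_expiry": max_age > 0,   # no click-through while HSTS is cached
    }

def live_not_after(host, port=443, timeout=5):
    """Hypothetical helper: fetch notAfter from a live server (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    print(renewal_status(SAMPLE_NOT_AFTER, SAMPLE_HSTS))
```

Run it from a cron job against each hostname you manage and alert on WARN; with certbot in automatic mode the status should simply never leave OK.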
Dave Higton (1515) 3534 posts |
I’ve come across a high profile (within the electronic components industry) case of someone forgetting to renew their domain name, with the result that their web site was immediately taken over to distribute gay porn. Dunno whether certificates would help in that case though. |