Wesnoth site and forum security alert.

Yomar
Posts: 300
Joined: October 27th, 2011, 5:14 am

Wesnoth site and forum security alert.

Post by Yomar » June 8th, 2016, 12:38 pm

I just wanted to inform that recently every time I try to access the Wesnoth webpage or forum, my browsers warn me that the site is risky to visit, and I have to add an exception in the security settings to be able to access.

Dugi
Posts: 4931
Joined: July 22nd, 2010, 10:29 am
Location: Carpathian Mountains

Post by Dugi » June 8th, 2016, 12:52 pm

I had the same issue, a warning that the site's certificate had expired. Yesterday or on Monday, not sure when it exactly was, but it appears to be fixed now.

It was a bit more annoying for me because I use Pale Moon and it does not allow me to add exceptions. One of the two things I don't like about the browser.

Iris
Site Administrator
Posts: 6588
Joined: November 14th, 2006, 5:54 pm
Location: Chile

Post by Iris » June 8th, 2016, 5:46 pm

Yomar wrote: I just wanted to inform that recently every time I try to access the Wesnoth webpage or forum, my browsers warn me that the site is risky to visit, and I have to add an exception in the security settings to be able to access.
And which browsers are these? Also, are you using http or https to access the pages in question?
Dugi wrote: I had the same issue, a warning that the site's certificate had expired. Yesterday or on Monday, not sure when it exactly was, but it appears to be fixed now.

It was a bit more annoying for me because I use Pale Moon and it does not allow me to add exceptions. One of the two things I don't like about the browser.
Yes, this was fixed about 1 hour after it first came up and it’s probably not what the OP is talking about. That issue was a little more involved and no sane browser would allow adding an exception for that particular case, for very good reasons.
Author of the unofficial UtBS sequels Invasion from the Unknown and After the Storm.

Airatgaljamov
Posts: 63
Joined: April 12th, 2009, 6:04 pm

Post by Airatgaljamov » June 14th, 2016, 4:44 pm

Have a "Your connection is not private" (NET::ERR_CERT_AUTHORITY_INVALID) problem on Chrome browser for Android. Chrome on Windows works perfectly fine.

Pentarctagon
Forum Administrator
Posts: 4105
Joined: March 22nd, 2009, 10:50 pm
Location: Earth (occasionally)

Post by Pentarctagon » June 15th, 2016, 5:56 am

Works fine for Linux/Firefox, with https enforced by the HTTPS-Everywhere add-on as well as the about:config options security.ssl.require_safe_negotiation and security.ssl.treat_unsafe_negotiation_as_broken set to True.
99 little bugs in the code, 99 little bugs
take one down, patch it around
-2,147,483,648 little bugs in the code

Rhonda
Site Administrator
Posts: 47
Joined: January 26th, 2008, 9:13 pm
Location: Vienna, Austria, Europe, Earth, Milky Way

Post by Rhonda » June 15th, 2016, 8:23 am

Yomar wrote: I just wanted to inform that recently every time I try to access the Wesnoth webpage or forum, my browsers warn me that the site is risky to visit, and I have to add an exception in the security settings to be able to access.
Hi. My bad. Or rather, Let's Encrypt's one. They changed the cert they signed with and thus the intermediate has to get changed too. I didn't notice this change and now have adapted the update script so that it would pick up that part automatically (hopefully).

Sorry for the inconvenience,
Rhonda

GbDorn
Posts: 60
Joined: March 26th, 2014, 5:07 pm

Post by GbDorn » June 15th, 2016, 1:31 pm

Pentarctagon wrote: Works fine for Linux/Firefox, with https enforced by the HTTPS-Everywhere add-on
Without the add-on it didn't work for me with the latest Firefox on Ubuntu 14.04 & 15.10 until today. I always got SEC_ERROR_UNKNOWN_ISSUER.
Running SSL Labs's test as advised by Mozilla indicated a broken certificate chain as the Let's Encrypt certificate served by the Wesnoth servers was the old one.

Thanks, Rhonda!

Pentarctagon
Forum Administrator
Posts: 4105
Joined: March 22nd, 2009, 10:50 pm
Location: Earth (occasionally)

Post by Pentarctagon » June 16th, 2016, 12:11 am

GbDorn wrote:
Pentarctagon wrote: Works fine for Linux/Firefox, with https enforced by the HTTPS-Everywhere add-on
Without the add-on it didn't work for me with the latest Firefox on Ubuntu 14.04 & 15.10 until today. I always got SEC_ERROR_UNKNOWN_ISSUER.
Running SSL Labs's test as advised by Mozilla indicated a broken certificate chain as the Let's Encrypt certificate served by the Wesnoth servers was the old one.

Thanks, Rhonda!
Huh. Somehow I don't think that add-on is supposed to be suppressing warnings like that :hmm:

iceiceice
Developer
Posts: 1056
Joined: August 23rd, 2013, 2:10 am

Post by iceiceice » June 16th, 2016, 3:48 am

Pent, maybe you also have the old Let's Encrypt key installed.

Pentarctagon
Forum Administrator
Posts: 4105
Joined: March 22nd, 2009, 10:50 pm
Location: Earth (occasionally)

Post by Pentarctagon » June 17th, 2016, 12:45 am

I don't know why I would, unless Firefox is keeping the old version around for some reason. Also, unless I'm misunderstanding how this works, if I was still using the old certificate I should have been getting the error. I am not getting the error now, even with HTTPS-Everywhere disabled, so the old certificate is gone now at least.

iceiceice
Developer
Posts: 1056
Joined: August 23rd, 2013, 2:10 am

Post by iceiceice » June 17th, 2016, 3:06 am

I am not an expert in security matters, but, the way I understand that it works is that there is a collection of keys that are stored on your system and listed as "trusted" root certificates. You might have several of them from several companies. When your browser wants to verify a signature from a website, it will just try to match it against all the different trusted keys it has -- if any of them works, then it is a trusted signature.

You might have several root signatures from the *same* company so far as I know. It's not exactly like software where you delete the old version and install the new version to upgrade.

When your browser verifies a signature, you don't talk to Let's Encrypt servers -- the only thing you have from them is the key on your hard drive.

When Let's Encrypt decides to roll out a new key, the old one doesn't just stop working -- any website that was using that old key can still be trusted by any browser that also has the old key. Any changes have to be installed on everyone's machines, so it will take a while to percolate down to everyone.

Given that, when you get a new key from Let's Encrypt, you probably don't want to just delete the old one, or you won't be able to view websites that didn't upgrade yet. Just because they didn't upgrade yet doesn't mean they are malicious.

But, someone who installs a new browser on some platform might not get the old key when they do. It depends on the whim of who created the browser installer I guess, and whether they have any other trusted keys on their system for some reason.

So, I think it could easily happen that people on different platforms have different sets of trusted keys, potentially from different companies, and of different ages, and you might personally have some overlaps also. AFAIK.

Tad_Carlucci
Developer
Posts: 478
Joined: April 24th, 2016, 4:18 pm

Post by Tad_Carlucci » June 17th, 2016, 8:33 pm

When I first saw this, a few days ago, I immediately checked the certificate chain and everything was fine.

I do, however, remember reading and thinking, "Well, it's a mobile device." There are a number of Google results for this issue on Android, most are technical for the programmers, but those for users generally suggest checking the clock, rebooting, trying a different WiFi network, and making sure everything is up-to-date.

A recent experience makes me think clock drift or out-dated software (probably Android, not Chrome) would be the likely culprits.
I forked real life and now I'm getting merge conflicts.

Pentarctagon
Forum Administrator
Posts: 4105
Joined: March 22nd, 2009, 10:50 pm
Location: Earth (occasionally)

Post by Pentarctagon » June 17th, 2016, 11:34 pm

Well, it's been fixed, and I don't have the slightest idea of how I would go about testing this, so I guess we'll never know for sure. Honestly I'm pretty surprised it was so simple to reproduce; I've got several other privacy/security add-ons, more than a few about:config tweaks set up, and I'm on the Aurora/Alpha version of Firefox to get access to the multiprocess feature. That it ended up being just the HTTPS-Everywhere add-on doing something is sort of amazing.

gnombat
Posts: 246
Joined: June 10th, 2010, 8:49 pm

Post by gnombat » June 18th, 2016, 3:08 am

I've seen similar issues before with Let's Encrypt certificates, where a misconfigured site will work for some people's browsers but not for others; I believe the issue is caused by caching of intermediate certificates as described here:

https://blogs.gnome.org/mcatanzaro/2015 ... om-fiasco/

(I don't think the HTTPS-Everywhere add-on has anything to do with it.)
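
Added example, not part of the thread and not Wesnoth's or Let's Encrypt's code: a simplified model of certificate path building that shows how a server sending a stale intermediate can validate for a browser that has the right intermediate cached and fail for one that does not, and how a deployment script could check the served chain on its own. All certificate names and key identifiers are constructed, and the model matches names and key identifiers only (no signature, validity-date or revocation checks).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str         # stands in for the Subject Key Identifier
    signer_key_id: str  # stands in for the Authority Key Identifier

# Constructed sample certificates (hypothetical names, not real ones).
ROOT = Cert("Example Root", "Example Root", "root-key", "root-key")
OLD_INT = Cert("Example Intermediate 1", "Example Root", "int1-key", "root-key")
NEW_INT = Cert("Example Intermediate 2", "Example Root", "int2-key", "root-key")
# The leaf was issued by the new intermediate.
LEAF = Cert("www.example.test", "Example Intermediate 2", "leaf-key", "int2-key")

def build_path(leaf, served, trust_store, cache=()):
    """Return [leaf, intermediate, ...] ending at a cert signed by a trusted
    root, or None if no such path exists.

    served      -- extra certificates the server sends in the handshake
    trust_store -- root certificates installed on the client
    cache       -- intermediates the client remembers from other sites
    """
    trusted_keys = {c.key_id for c in trust_store}
    pool = list(served) + list(cache)
    path, current = [leaf], leaf
    while current.signer_key_id not in trusted_keys:
        parent = next(
            (c for c in pool
             if c.subject == current.issuer
             and c.key_id == current.signer_key_id
             and c not in path),  # guards against loops in the pool
            None,
        )
        if parent is None:
            return None  # unknown issuer: nothing links this cert to a root
        path.append(parent)
        current = parent
    return path

def server_chain_is_complete(leaf, served, trust_store):
    """Deployment check: validate using only what the server itself sends."""
    return build_path(leaf, served, trust_store) is not None

if __name__ == "__main__":
    print("fresh client, stale intermediate:", build_path(LEAF, [OLD_INT], [ROOT]))
    print("client with cached intermediate: ",
          build_path(LEAF, [OLD_INT], [ROOT], cache=[NEW_INT]))
    print("server chain complete after fix: ",
          server_chain_is_complete(LEAF, [NEW_INT], [ROOT]))
```

Running the check with an empty cache is what makes it useful before deployment: it reflects a client that has never seen the new intermediate.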
