#1
What does it mean (to me) when a "certificate" to pirate bay is "invalid"?
http://i.imgur.com/mkL4pt2.jpg

So, I admit, I try to go to piratebay to search about stuff that is available for download. I'm not sure the difference, but it happens with these sites:
thepiratebay.to
thepiratebay.la
thepiratebay.gd

My av program won't let me get there.
http://i.imgur.com/mkL4pt2.jpg

It says: "the following certificate is invalid sni34388.cloudflares1.com"

Huh? What is cloudflares1? I didn't go there, did I? I guess the certificate "is" for cloudflares1, but, what does that mean, to me?

It's a dodgy site to begin with anyway, so, should I expect this? Or is this abnormal? How do I INTERPRET what the problem is? Is it severe enough to turn off the av checks? Is it an innocuous message? How "critical" is this message?

I realize it means "something" is wrong with the certificate for the encryption of that web site. But it's a dodgy web site to start with, isn't it? So, should I be worried if I were to turn off my av program? Why?
#2
Kirk Jutland wrote:
> What does it mean (to me) when a "certificate" to pirate bay is "invalid"?
> http://i.imgur.com/mkL4pt2.jpg
>
> So, I admit, I try to go to piratebay to search about stuff that is available for download. I'm not sure the difference, but it happens with these sites:
> thepiratebay.to
> thepiratebay.la
> thepiratebay.gd
>
> My av program won't let me get there.
> http://i.imgur.com/mkL4pt2.jpg
>
> It says: "the following certificate is invalid sni34388.cloudflares1.com"
>
> Huh? What is cloudflares1? I didn't go there, did I? I guess the certificate "is" for cloudflares1, but, what does that mean, to me?
>
> It's a dodgy site to begin with anyway, so, should I expect this? Or is this abnormal? How do I INTERPRET what the problem is? Is it severe enough to turn off the av checks? Is it an innocuous message? How "critical" is this message?
>
> I realize it means "something" is wrong with the certificate for the encryption of that web site. But it's a dodgy web site to start with, isn't it? So, should I be worried if I were to turn off my av program? Why?

Full disclosure - I know absolutely nothing about certificate architecture, how it's checked or revoked... I'm just following cookie crumbs here.

Since Avast flagged it, and not the browser, I would have to assume it's an Avast problem of some sort.

https://www.ssllabs.com/ssltest/
https://www.ssllabs.com/ssltest/anal...=104.18.58.159

Issuer: COMODO ECC Domain Validation Secure Server CA 2
Revocation status: Good (not revoked)
Trusted: Yes

The SNI in the name of your certificate link, suggests it is one of these.
https://en.wikipedia.org/wiki/Server_Name_Indication

Avast had some sort of problem like this a year ago. Avast apparently inserts its own certificate, but where, or for what reason, who knows. Maybe it does that, in the same way as the ssltest example above.
https://forum.avast.com/index.php?topic=161516.0

I don't know how an ordinary user is supposed to figure this stuff out.

You could easily shoot yourself in the foot, depending on what you do next...

Paul
#3
On 11/14/2015 7:48 PM, Kirk Jutland wrote:
> What does it mean (to me) when a "certificate" to pirate bay is "invalid"?
> http://i.imgur.com/mkL4pt2.jpg
>
> So, I admit, I try to go to piratebay to search about stuff that is available for download. I'm not sure the difference, but it happens with these sites:
> thepiratebay.to
> thepiratebay.la
> thepiratebay.gd
>
> My av program won't let me get there.
> http://i.imgur.com/mkL4pt2.jpg
>
> It says: "the following certificate is invalid sni34388.cloudflares1.com"
>
> Huh? What is cloudflares1? I didn't go there, did I? I guess the certificate "is" for cloudflares1, but, what does that mean, to me?
>
> It's a dodgy site to begin with anyway, so, should I expect this? Or is this abnormal? How do I INTERPRET what the problem is? Is it severe enough to turn off the av checks? Is it an innocuous message? How "critical" is this message?
>
> I realize it means "something" is wrong with the certificate for the encryption of that web site. But it's a dodgy web site to start with, isn't it? So, should I be worried if I were to turn off my av program? Why?

You should not be using Avast to check the validity of Web site certificates. Instead, you should use a browser that does it. I know that SeaMonkey and Firefox do it. I think Internet Explorer, Edge, Chrome, Safari, and Opera do it, too.

When I see a message about an invalid certificate, it means I was trying to view a secure Web site (e.g., my bank) that has a problem with establishing a secure Internet connection with my browser.

When I go to my bank's Web site, the Web server indicates that the site has a subscriber certificate that was digitally signed by some intermediate certificate. The server supplies my browser with public parts of both the subscriber and intermediate certificates. The intermediate certificate is supposed to be digitally signed by a root certificate that is contained in a database that is part of my browser. That is, the root certificate is on my computer.

If this chain of certificates is complete -- if the signature on the subscriber certificate can indeed be traced to the intermediate certificate and if the signature on the intermediate certificate can indeed be traced to the root certificate -- a secure connection can then be established between my browser and the Web server.

There are several reasons why the chain of certificates breaks down, leaving you with a message about an invalid certificate. Messages about invalid certificates usually indicate why the certificate is invalid. Among the reasons a

* All certificates -- subscriber, intermediate, and root -- have expiration dates. Either a certificate has actually expired and needs to be replaced; or else your computer's clock is wrong, causing your computer to act as if a certificate has expired.

* The system administrator for the Web server is an idiot and should not be trusted to be involved with secure Web browsing. This is evidenced by his or her failure to install the intermediate certificate on the server. Do not laugh; this is a very common problem.

* Your browser's certificate database does not contain the required root certificate. This might happen if you are using an old browser, older than the root certificate. In your case, it could also happen if you are using an old version of Avast since Avast must contain a database of root certificates to check the chain of certificates. It is also possible that you accidentally deleted the file containing the database of root certificates.

* The Web site you are trying to visit recently changed its domain name. The signed subscriber certificate was created for the old domain name. A new signed subscriber certificate is needed for the new domain name. Note that this can happen if the three Pirate Bay domains you cited are now merely aliases for sni34388.cloudflares1.com; the subscriber certificate must be for the actual domain and not its aliases. This is another instance of an idiot system administrator.

Some browsers (e.g., SeaMonkey, Firefox) have the capability to override the detection of an invalid certificate. Perhaps Avast might have such a capability. However, this is a capability that should be used only with extreme caution.

--
David E. Ross

Pharmaceutical companies claim their drug prices are so high because they have to recover the costs of developing those drugs. Two questions:
1. Why is the U.S. paying the entire cost of development while prices for the same drugs in other nations are much lower?
2. Manufacturers of generic drugs did not have those development costs. Why are they charging so much for generics?
#4
On 15/11/2015 07:06, David E. Ross wrote:
> On 11/14/2015 7:48 PM, Kirk Jutland wrote:
>> What does it mean (to me) when a "certificate" to pirate bay is "invalid"?
>> http://i.imgur.com/mkL4pt2.jpg
>>
>> So, I admit, I try to go to piratebay to search about stuff that is available for download. I'm not sure the difference, but it happens with these sites:
>> thepiratebay.to
>> thepiratebay.la
>> thepiratebay.gd
>>
>> My av program won't let me get there.
>> http://i.imgur.com/mkL4pt2.jpg
>>
>> It says: "the following certificate is invalid sni34388.cloudflares1.com"
>>
>> Huh? What is cloudflares1? I didn't go there, did I? I guess the certificate "is" for cloudflares1, but, what does that mean, to me?
>>
>> It's a dodgy site to begin with anyway, so, should I expect this? Or is this abnormal? How do I INTERPRET what the problem is? Is it severe enough to turn off the av checks? Is it an innocuous message? How "critical" is this message?
>>
>> I realize it means "something" is wrong with the certificate for the encryption of that web site. But it's a dodgy web site to start with, isn't it? So, should I be worried if I were to turn off my av program? Why?
>
> You should not be using Avast to check the validity of Web site certificates. Instead, you should use a browser that does it. I know that SeaMonkey and Firefox do it. I think Internet Explorer, Edge, Chrome, Safari, and Opera do it, too.
>
> When I see a message about an invalid certificate, it means I was trying to view a secure Web site (e.g., my bank) that has a problem with establishing a secure Internet connection with my browser.
>
> When I go to my bank's Web site, the Web server indicates that the site has a subscriber certificate that was digitally signed by some intermediate certificate. The server supplies my browser with public parts of both the subscriber and intermediate certificates. The intermediate certificate is supposed to be digitally signed by a root certificate that is contained in a database that is part of my browser. That is, the root certificate is on my computer.
>
> If this chain of certificates is complete -- if the signature on the subscriber certificate can indeed be traced to the intermediate certificate and if the signature on the intermediate certificate can indeed be traced to the root certificate -- a secure connection can then be established between my browser and the Web server.
>
> There are several reasons why the chain of certificates breaks down, leaving you with a message about an invalid certificate. Messages about invalid certificates usually indicate why the certificate is invalid. Among the reasons a
>
> * All certificates -- subscriber, intermediate, and root -- have expiration dates. Either a certificate has actually expired and needs to be replaced; or else your computer's clock is wrong, causing your computer to act as if a certificate has expired.
>
> * The system administrator for the Web server is an idiot and should not be trusted to be involved with secure Web browsing. This is evidenced by his or her failure to install the intermediate certificate on the server. Do not laugh; this is a very common problem.
>
> * Your browser's certificate database does not contain the required root certificate. This might happen if you are using an old browser, older than the root certificate. In your case, it could also happen if you are using an old version of Avast since Avast must contain a database of root certificates to check the chain of certificates. It is also possible that you accidentally deleted the file containing the database of root certificates.
>
> * The Web site you are trying to visit recently changed its domain name. The signed subscriber certificate was created for the old domain name. A new signed subscriber certificate is needed for the new domain name. Note that this can happen if the three Pirate Bay domains you cited are now merely aliases for sni34388.cloudflares1.com; the subscriber certificate must be for the actual domain and not its aliases. This is another instance of an idiot system administrator.
>
> Some browsers (e.g., SeaMonkey, Firefox) have the capability to override the detection of an invalid certificate. Perhaps Avast might have such a capability. However, this is a capability that should be used only with extreme caution.

FYI, I've just sent this to a Facebook friend!

=

I'm now left wondering about Avast! though. The certificate here is provided by them!

https://social.technet.microsoft.com/profile/BDonTJ

Using Google Chrome and clicking on the padlock reveals this ........

Your connection to social.technet.microsoft.com is encrypted using an obsolete cipher suite. The connection uses TLS 1.2.

=

It's exactly the same here too!

https://community.dynamics.com/members/bdontj

(You might like to read at the link showing there!)

=

However, that is NOT the same as I see if I look under the padlock at Google.com. I see this ...

Your connection to www.google.co.uk is encrypted using a modern cipher suite. The connection uses QUIC. The connection is encrypted and authenticated using CHACHA20_POLY1305 and uses ECDHE_RSA as the key exchange mechanism.

=

I'm afraid I'm on a 150 mile round trip to visit my sister today, but I'll remove Avast! this evening and see if things look different!

Btw, I'm looking at all this using my Apple iMac and OS X El Capitan. The machine SHOULD be free from malware. wink emoticon

--
David B.
#5
On 11/15/2015 04:48 AM, Kirk Jutland wrote:
> What does it mean (to me) when a "certificate" to pirate bay is "invalid"?
> http://i.imgur.com/mkL4pt2.jpg

The page you try to access is using Cloudflare (a proxy service used to mitigate DDoS attacks and even cache proxying if you are paying). As the page is using secure-http (https), it needs a certificate, and the way certificates work when browsing is that the site you are going to has to have the same domain name as the certificate it provides. For example, if you go to https://example.net then you should get a certificate for the domain example.net; if you instead get a certificate for anothersite.example.org, then they don't match and you get a certificate error (in Firefox, SeaMonkey, Chrome and the two versions of MSIE you get to choose to go to the site or leave it).

Your Avast, which intercepts your internet traffic, notices the difference between the site you wanted to go to and the certificate you got, assumes that the site isn't the one you intended to go to, and warns you, as the certificate is for cloudflaressl.com because the person behind the copy of pirate bay hasn't bothered to upload the correct ssl certificates to Cloudflare.

Just keep in mind that as your Avast can see which https site you have gone to and that you got another certificate, this means they have full potential to spy on what you are doing.

> How "critical" is this message?

You can't be sure if you got to the site you wanted or just a copy which may give you a lot of spam-popups.

> I realize it means "something" is wrong with the certificate for the encryption of that web site.

The encryption of the site is okay, just the certificate is for another site than the one you entered in the url-bar.

I suggest you use a proper anti-advertisement program when you visit the pirate bay, so that you will not be diverted to some scam page or a drive-by-download site which will infect you with viruses, as no AV-application will give you full protection, and there are many copies of the pirate bay which do nasty things when you click on links.

--
//Aho
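Added example (not part of the thread or any poster's code): the name check J.O. Aho describes above, run against a certificate in the shape Python's `ssl.SSLSocket.getpeercert()` returns. The certificate contents and the `example.org` names are constructed for illustration; the wildcard rule used is the common "one left-most label only" convention.

```python
def cert_dns_names(cert):
    """Return the DNS names a certificate claims.

    `cert` has the dict shape produced by ssl.SSLSocket.getpeercert().
    subjectAltName dNSName entries are authoritative; the subject
    commonName is consulted only when no dNSName entry exists.
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """Compare one certificate name with the hostname typed in the URL bar."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more (or fewer) than one label
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False  # refuse overly broad patterns such as "*.org"
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_hostname(cert, hostname):
    """Report whether `hostname` is covered by any name in `cert`."""
    names = cert_dns_names(cert)
    matched = [n for n in names if name_matches(n, hostname)]
    return {"requested": hostname, "cert_names": names, "matched": matched, "ok": bool(matched)}


# Constructed sample: a shared CDN certificate whose name list does not
# include the domain the user typed. The first name is the one quoted in
# the warning; the example.org entries are made up.
SHARED_CERT = {
    "subject": ((("commonName", "sni34388.cloudflares1.com"),),),
    "subjectAltName": (
        ("DNS", "sni34388.cloudflares1.com"),
        ("DNS", "*.example.org"),
        ("DNS", "example.org"),
    ),
}

if __name__ == "__main__":
    for host in ("thepiratebay.la", "www.example.org", "a.b.example.org"):
        result = check_hostname(SHARED_CERT, host)
        verdict = "match" if result["ok"] else "MISMATCH (certificate is for another site)"
        print(f"{host}: {verdict}")
```

A mismatch says nothing about the strength of the encryption; it says the server has not proven it is the site named in the URL.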
#6
On 2015-11-15 07:06:23 +0000, David E. Ross said:
> You should not be using Avast to check the validity of Web site certificates. Instead, you should use a browser that does it. I know that SeaMonkey and Firefox do it. I think Internet Explorer, Edge, Chrome, Safari, and Opera do it, too.

snip

Thanks, David, for this informative post.
#7
Kirk Jutland wrote:
> What does it mean (to me) when a "certificate" to pirate bay is "invalid"?
> http://i.imgur.com/mkL4pt2.jpg
>
> So, I admit, I try to go to piratebay to search about stuff that is available for download. I'm not sure the difference, but it happens with these sites:
> thepiratebay.to
> thepiratebay.la
> thepiratebay.gd
>
> My av program won't let me get there.
> http://i.imgur.com/mkL4pt2.jpg
>
> It says: "the following certificate is invalid sni34388.cloudflares1.com"
>
> Huh? What is cloudflares1? I didn't go there, did I? I guess the certificate "is" for cloudflares1, but, what does that mean, to me?
>
> It's a dodgy site to begin with anyway, so, should I expect this? Or is this abnormal? How do I INTERPRET what the problem is? Is it severe enough to turn off the av checks? Is it an innocuous message? How "critical" is this message?
>
> I realize it means "something" is wrong with the certificate for the encryption of that web site. But it's a dodgy web site to start with, isn't it? So, should I be worried if I were to turn off my av program? Why?

According to this...

https://en.wikipedia.org/wiki/Thepiratebay

thepiratebay.se

On 5 May 2015, The Pirate Bay went offline for several hours, apparently as a result of not properly configuring its SSL certificate

19 May 2015. "Pirate Bay move to gs, la, vg, am, mn and gd domains

https://torrentfreak.com/pirate-bay-...n-name-150715/

July 15, 2015

.GS domain went offline after an intervention from the associated registry

ThePirateBay.AM on hold

The Pirate Bay is currently accessible via the LA, VG, MN and GD domain names. The original .SE domain is still operational as well, pending an appeal, and redirects users to one of the new domain names.

So the .to domain isn't in that list. Maybe until the .SE domain is taken again, the redirect will point to a valid one.

Paul
#8
On Sun, 15 Nov 2015 01:37:55 -0500, Paul wrote:
> Avast had some sort of problem like this a year ago. Avast apparently inserts its own certificate, but where, or for what reason, who knows.

We discussed that here. Avast 2015 does that by design, and it's a not just annoying, huge security leak. It was enough to cause me to uninstall the 2015 version and go back to version 2014. (On my new laptop, I'm not even using Avast.)

http://www.lonecpluspluscoder.com/20...-scanner-uses-a-self-issued-trusted-root-certificate/

http://security.stackexchange.com/qu...5/avast-https-scanning

http://www.pcworld.com/article/20495...er-extensions-pose-a-serious-threat-and-defenses-are-lacking.html

Choice quote from the latter: "Chromium, along with Internet Explorer, uses the system-wide proxy settings and certificate store, so an attacker could exploit this to pass all traffic from the Avast SafeZone or Bitdefender Safepay browsers though a proxy server he controls and perform man-in-the-middle interception using the new root CA certificate added to the system."

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://BrownMath.com/
http://OakRoadSystems.com/
Shikata ga nai...
#9
On Sat, 14 Nov 2015 23:06:23 -0800, David E. Ross wrote:
> In your case, it could also happen if you are using an old version of Avast since Avast must contain a database of root certificates to check the chain of certificates.

Are you sure about that? My understanding is that the certificates are in a common location on the PC for use by all programs.

1. Start » Run » MMC.
2. File » Add/Remove Snap-in » Certificates » Add. Select Computer Account on the next screen, then Local Computer on the one after that. Click Finish and then OK.
3. Double-click Certificates in the left-hand panel.

http://www.lonecpluspluscoder.com/20...-scanner-uses-a-self-issued-trusted-root-certificate/ says "Avast! installs a Trusted Root certificate into the Windows certificate store", and shows a screen shot.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://BrownMath.com/
http://OakRoadSystems.com/
Shikata ga nai...
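Added example (not from the thread or from any poster): one way to check for the local HTTPS interception Stan Brown describes in his two posts is to compare the issuer your own machine sees with the issuer an outside scanner reports, as Paul's SSL Labs lookup did. The certificate dictionaries and the issuer name "Example AV Web Shield Root" are constructed; `fetch_peer_cert` needs network access and is a hypothetical helper name.

```python
import socket
import ssl


def rdn_value(name, field):
    """Pull one attribute out of the nested RDN tuples used by getpeercert()."""
    for rdn in name or ():
        for key, value in rdn:
            if key == field:
                return value
    return None


def fetch_peer_cert(host, port=443, timeout=10.0):
    """Return the verified leaf certificate as seen from THIS machine.

    The default context trusts the operating system's root store, so a
    root certificate added by a scanning product validates here too.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def compare_issuer(local_cert, external_issuer_cn):
    """Compare the locally observed issuer with one reported from outside.

    A difference is a signal, not proof: a CDN can legitimately serve
    certificates from more than one CA. An issuer that belongs to software
    installed on the PC means the connection is re-signed locally.
    """
    local_cn = rdn_value(local_cert.get("issuer"), "commonName")
    differs = (local_cn or "").strip().casefold() != external_issuer_cn.strip().casefold()
    return {
        "local_issuer": local_cn,
        "external_issuer": external_issuer_cn,
        "issuer_differs": differs,
    }


# Issuer name as shown in the SSL Labs output quoted earlier in the thread.
EXTERNAL_ISSUER = "COMODO ECC Domain Validation Secure Server CA 2"

# Constructed samples in getpeercert() shape.
SEEN_DIRECT = {
    "issuer": ((("commonName", "COMODO ECC Domain Validation Secure Server CA 2"),),),
}
SEEN_THROUGH_SCANNER = {
    "issuer": ((("commonName", "Example AV Web Shield Root"),),),  # made-up name
}

if __name__ == "__main__":
    for label, cert in (("direct", SEEN_DIRECT), ("through scanner", SEEN_THROUGH_SCANNER)):
        result = compare_issuer(cert, EXTERNAL_ISSUER)
        state = "DIFFERENT issuer" if result["issuer_differs"] else "same issuer"
        print(f"{label}: {state} (local: {result['local_issuer']})")
```

To use it on a live host, pass `fetch_peer_cert("example.org")` as `local_cert`; whether a given scanner also re-signs traffic from a Python process depends on the product.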
#10
On 11/15/2015 6:34 AM, Stan Brown wrote:
> On Sat, 14 Nov 2015 23:06:23 -0800, David E. Ross wrote:
>> In your case, it could also happen if you are using an old version of Avast since Avast must contain a database of root certificates to check the chain of certificates.
>
> Are you sure about that? My understanding is that the certificates are in a common location on the PC for use by all programs.
>
> 1. Start » Run » MMC.
> 2. File » Add/Remove Snap-in » Certificates » Add. Select Computer Account on the next screen, then Local Computer on the one after that. Click Finish and then OK.
> 3. Double-click Certificates in the left-hand panel.
>
> http://www.lonecpluspluscoder.com/20...-scanner-uses-a-self-issued-trusted-root-certificate/ says "Avast! installs a Trusted Root certificate into the Windows certificate store", and shows a screen shot.

I use SeaMonkey as my browser; for this situation, I am very sure that Firefox operates the same way.

SeaMonkey has a file that contains a root certificate database. It does NOT use any Windows certificate store. This is because Mozilla does its own vetting of certification authorities.

Before Mozilla adds a new root certificate to its database, the owner of that root must supply Mozilla with certain documentation, including not only its policies and procedures documents but also a third-party audit statement that the certification authority actually follows those policies and procedures. Mozilla staff test to make sure the root certificate conforms to certain standards. Finally, the request to add the root certificate -- including all the supplied documentation and the certificate itself -- is subjected to public scrutiny for a period of time (usually at least two weeks) even though all of the prior steps in vetting the root certificate have been done in view of the interested public.

Occasionally, Microsoft makes a mistake. After all, do we not see monthly patches to security vulnerabilities in Windows? Mozilla might also make a mistake. Since I know the process used by Mozilla, however, I have more faith in the Mozilla root certificate store than I have in a store vetted behind closed doors.

--
David E. Ross

Pharmaceutical companies claim their drug prices are so high because they have to recover the costs of developing those drugs. Two questions:
1. Why is the U.S. paying the entire cost of development while prices for the same drugs in other nations are much lower?
2. Manufacturers of generic drugs did not have those development costs. Why are they charging so much for generics?
#11
On Sun, 15 Nov 2015 01:37:55 -0500, Paul wrote:
> Since Avast flagged it, and not the browser, I would have to assume it's an Avast problem of some sort.

That is an interesting observation that had not occurred to me.

I used Firefox 42 as the browser. So, you're right. Firefox didn't flag it. Avast did.

But why?
#12
On Sat, 14 Nov 2015 23:06:23 -0800, David E. Ross wrote:
> You should not be using Avast to check the validity of Web site certificates. Instead, you should use a browser that does it.

I'm using Firefox 42. I had not realized that Avast was checking certificates, and not Firefox.

So, should I just allow this to go through? I'm still unsure of "what" the threat is.
#13
On Sun, 15 Nov 2015 10:44:51 +0100, J.O. Aho wrote:
> Your Avast, which intercepts your internet traffic, notices the difference between the site you wanted to go to and the certificate you got, assumes that the site isn't the one you intended to go to, and warns you, as the certificate is for cloudflaressl.com because the person behind the copy of pirate bay hasn't bothered to upload the correct ssl certificates to Cloudflare.

OK. That is the first explanation that I *understood*.

1. I went to piratebay.whatever with Firefox 42.
2. Firefox and Avast both expected a certificate for "piratebay.whatever".
3. What came back was a certificate for cloudflares instead.
4. So Avast barfed on it.
5. Presumably, had I not used Avast, Firefox would have also barfed.

Now the $64 question....

Is it safe (so to speak) to go there?

I'm not expecting perfect safety (this isn't a banking site). But, is it *really* the piratebay that I'm going to or not?
#14
On 2015-11-16, Kirk Jutland wrote:
> Is it safe (so to speak) to go there?

was it ever?

> I'm not expecting perfect safety (this isn't a banking site). But, is it *really* the piratebay that I'm going to or not?

dunno, if you don't want to use firefox download the page with wget and look at it in a text editor.

perhaps piratebay has been taken down.

--
\_(ツ)_
#15
On 11/15/2015 11:01 PM, Kirk Jutland wrote:
> On Sat, 14 Nov 2015 23:06:23 -0800, David E. Ross wrote:
>> You should not be using Avast to check the validity of Web site certificates. Instead, you should use a browser that does it.
>
> I'm using Firefox 42. I had not realized that Avast was checking certificates, and not Firefox.
>
> So, should I just allow this to go through? I'm still unsure of "what" the threat is.

You should see if Avast has an option not to check certificates since Firefox does a good job of that.

--
David E. Ross

Pharmaceutical companies claim their drug prices are so high because they have to recover the costs of developing those drugs. Two questions:
1. Why is the U.S. paying the entire cost of development while prices for the same drugs in other nations are much lower?
2. Manufacturers of generic drugs did not have those development costs. Why are they charging so much for generics?