What does it mean (to me) when a "certificate" to pirate bay is "invalid"?

What does it mean (to me) when a "certificate" to pirate bay is "invalid"?
http://i.imgur.com/mkL4pt2.jpg

So, I admit, I try to go to piratebay to search about stuff that is
available for download.

I'm not sure the difference, but it happens with these sites:
thepiratebay.to
thepiratebay.la
thepiratebay.gd

My av program won't let me get there.
http://i.imgur.com/mkL4pt2.jpg

It says: "the following certificate is invalid sni34388.cloudflares1.com
Huh? What is cloudflares1?
I didn't go there, did I?
I guess the certificate "is" for cloudflares1, but, what does that mean, to
me?
It's a dodgy site to begin with anyway, so, should I expect this?
Or is this abnormal?

How do I INTERPRET what the problem is?
Is it severe enough to turn off the av checks?
Is it an innocuous message?

How "critical" is this message?

I realize it means "something" is wrong with the certificate for the
encryption of that web site. But it's a dodgy web site to start with, isn't
it? So, should I be worried if I were to turn off my av program?

Why?

Kirk Jutland wrote:
What does it mean (to me) when a "certificate" to pirate bay is "invalid"?
http://i.imgur.com/mkL4pt2.jpg

So, I admit, I try to go to piratebay to search about stuff that is
available for download.

I'm not sure the difference, but it happens with these sites:
thepiratebay.to
thepiratebay.la
thepiratebay.gd

My av program won't let me get there.
http://i.imgur.com/mkL4pt2.jpg

It says: "the following certificate is invalid sni34388.cloudflares1.com
Huh? What is cloudflares1?
I didn't go there, did I?
I guess the certificate "is" for cloudflares1, but, what does that mean, to
me?
It's a dodgy site to begin with anyway, so, should I expect this?
Or is this abnormal?

How do I INTERPRET what the problem is?
Is it severe enough to turn off the av checks?
Is it an innocuous message?

How "critical" is this message?

I realize it means "something" is wrong with the certificate for the
encryption of that web site. But it's a dodgy web site to start with, isn't
it? So, should I be worried if I were to turn off my av program?

Why?

Full disclosure - I know absolutely nothing about certificate
architecture, how it's checked or revoked...
I'm just following cookie crumbs here.

Since Avast flagged it, and not the browser, I
would have to assume it's an Avast problem of some sort.

https://www.ssllabs.com/ssltest/

https://www.ssllabs.com/ssltest/anal...=104.18.58.159

Issuer COMODO ECC Domain Validation Secure Server CA 2
Revocation status Good (not revoked)
Trusted Yes

The SNI in the name of your certificate link, suggests
it is one of these.

https://en.wikipedia.org/wiki/Server_Name_Indication

Avast had some sort of problem like this a year ago.
Avast apparently inserts its own certificate, but
where, or for what reason, who knows. Maybe it does
that, in the same way as the ssltest example above.

https://forum.avast.com/index.php?topic=161516.0

I don't know how an ordinary user is supposed to figure
this stuff out. You could easily shoot yourself
in the foot, depending on what you do next...

Paul

On 11/14/2015 7:48 PM, Kirk Jutland wrote:
What does it mean (to me) when a "certificate" to pirate bay is "invalid"?
http://i.imgur.com/mkL4pt2.jpg

So, I admit, I try to go to piratebay to search about stuff that is
available for download.

I'm not sure the difference, but it happens with these sites:
thepiratebay.to
thepiratebay.la
thepiratebay.gd

My av program won't let me get there.
http://i.imgur.com/mkL4pt2.jpg

It says: "the following certificate is invalid sni34388.cloudflares1.com
Huh? What is cloudflares1?
I didn't go there, did I?
I guess the certificate "is" for cloudflares1, but, what does that mean, to
me?
It's a dodgy site to begin with anyway, so, should I expect this?
Or is this abnormal?

How do I INTERPRET what the problem is?
Is it severe enough to turn off the av checks?
Is it an innocuous message?

How "critical" is this message?

I realize it means "something" is wrong with the certificate for the
encryption of that web site. But it's a dodgy web site to start with, isn't
it? So, should I be worried if I were to turn off my av program?

Why?


You should not be using Avast to check the validity of Web site
certificates. Instead, you should use a browser that does it. I know
that SeaMonkey and Firefox do it. I think Internet Explorer, Edge,
Chrome, Safari, and Opera do it, too.

When I see a message about an invalid certificate, it means I was trying
to view a secure Web site (e.g., my bank) that has a problem with
establishing a secure Internet connection with my browser. When I go to
my bank's Web site, the Web server indicates that the site has a
subscriber certificate that was digitally signed by some intermediate
certificate. The server supplies my browser with public parts of both
the subscriber and intermediate certificates. The intermediate
certificate is supposed to be digitally signed by a root certificate
that is contained in a database that is part of my browser. That is,
the root certificate is on my computer. If this chain of certificates
is complete -- if the signature on the subscriber certificate can indeed
be traced to the intermediate certificate and if the signature on the
intermediate certificate can indeed be traced to the root certificate --
a secure connection can then be established between my browser and the
Web server.

There are several reasons why the chain of certificates breaks down,
leaving you with a message about an invalid certificate. Messages about
invalid certificates usually indicate why the certificate is invalid.
Among the reasons a

* All certificates -- subscriber, intermediate, and root -- have
expiration dates. Either a certificate has actually expired and needs
to be replaced; or else your computer's clock is wrong, causing your
computer to act as if a certificate has expired.

* The system administrator for the Web server is an idiot and should
not be trusted to be involved with secure Web browsing. This is
evidenced by his or her failure to install the intermediate certificate
on the server. Do not laugh; this is a very common problem.

* Your browser's certificate database does not contain the required
root certificate. This might happen if you are using an old browser,
older than the root certificate. In your case, it could also happen if
you are using an old version of Avast since Avast must contain a
database of root certificates to check the chain of certificates. It is
also possible that you accidentally deleted the file containing the
database of root certificates.

* The Web site you are trying to visit recently changed its domain
name. The signed subscriber certificate was created for the old domain
name. A new signed subscriber certificate is needed for the new domain
name. Note that this can happen if the three Pirate Bay domains you
cited are now merely aliases for sni34388.cloudflares1.com; the
subscriber certificate must be for the actual domain and not its
aliases. This is another instance of an idiot system administrator.

Some browsers (e.g., SeaMonkey, Firefox) have the capability to override
the detection of an invalid certificate. Perhaps Avast might have such
a capability. However, this is a capability that should be used only
with extreme caution.

--
David E. Ross

Pharmaceutical companies claim their drug prices are
so high because they have to recover the costs of developing
those drugs. Two questions:

1. Why is the U.S. paying the entire cost of development while
prices for the same drugs in other nations are much lower?

2. Manufacturers of generic drugs did not have those
development costs. Why are they charging so much for generics?

On 15/11/2015 07:06, David E. Ross wrote:
On 11/14/2015 7:48 PM, Kirk Jutland wrote:
What does it mean (to me) when a "certificate" to pirate bay is "invalid"?
http://i.imgur.com/mkL4pt2.jpg

So, I admit, I try to go to piratebay to search about stuff that is
available for download.

I'm not sure the difference, but it happens with these sites:
thepiratebay.to
thepiratebay.la
thepiratebay.gd

My av program won't let me get there.
http://i.imgur.com/mkL4pt2.jpg

It says: "the following certificate is invalid sni34388.cloudflares1.com
Huh? What is cloudflares1?
I didn't go there, did I?
I guess the certificate "is" for cloudflares1, but, what does that mean, to
me?
It's a dodgy site to begin with anyway, so, should I expect this?
Or is this abnormal?

How do I INTERPRET what the problem is?
Is it severe enough to turn off the av checks?
Is it an innocuous message?

How "critical" is this message?

I realize it means "something" is wrong with the certificate for the
encryption of that web site. But it's a dodgy web site to start with, isn't
it? So, should I be worried if I were to turn off my av program?

Why?


You should not be using Avast to check the validity of Web site
certificates. Instead, you should use a browser that does it. I know
that SeaMonkey and Firefox do it. I think Internet Explorer, Edge,
Chrome, Safari, and Opera do it, too.

When I see a message about an invalid certificate, it means I was trying
to view a secure Web site (e.g., my bank) that has a problem with
establishing a secure Internet connection with my browser. When I go to
my bank's Web site, the Web server indicates that the site has a
subscriber certificate that was digitally signed by some intermediate
certificate. The server supplies my browser with public parts of both
the subscriber and intermediate certificates. The intermediate
certificate is supposed to be digitally signed by a root certificate
that is contained in a database that is part of my browser. That is,
the root certificate is on my computer. If this chain of certificates
is complete -- if the signature on the subscriber certificate can indeed
be traced to the intermediate certificate and if the signature on the
intermediate certificate can indeed be traced to the root certificate --
a secure connection can then be established between my browser and the
Web server.

There are several reasons why the chain of certificates breaks down,
leaving you with a message about an invalid certificate. Messages about
invalid certificates usually indicate why the certificate is invalid.
Among the reasons a

* All certificates -- subscriber, intermediate, and root -- have
expiration dates. Either a certificate has actually expired and needs
to be replaced; or else your computer's clock is wrong, causing your
computer to act as if a certificate has expired.

* The system administrator for the Web server is an idiot and should
not be trusted to be involved with secure Web browsing. This is
evidenced by his or her failure to install the intermediate certificate
on the server. Do not laugh; this is a very common problem.

* Your browser's certificate database does not contain the required
root certificate. This might happen if you are using an old browser,
older than the root certificate. In your case, it could also happen if
you are using an old version of Avast since Avast must contain a
database of root certificates to check the chain of certificates. It is
also possible that you accidentally deleted the file containing the
database of root certificates.

* The Web site you are trying to visit recently changed its domain
name. The signed subscriber certificate was created for the old domain
name. A new signed subscriber certificate is needed for the new domain
name. Note that this can happen if the three Pirate Bay domains you
cited are now merely aliases for sni34388.cloudflares1.com; the
subscriber certificate must be for the actual domain and not its
aliases. This is another instance of an idiot system administrator.

Some browsers (e.g., SeaMonkey, Firefox) have the capability to override
the detection of an invalid certificate. Perhaps Avast might have such
a capability. However, this is a capability that should be used only
with extreme caution.


FYI, I've just sent this to a Facebook friend!

=

I'm now left wondering about Avast! though. The certificate here is
provided by them!

https://social.technet.microsoft.com/profile/BDonTJ

Using Google Chrome and clicking on the padlock reveals this ........

Your connection to social.technet.microsoft.com is encrypted using an
obsolete cipher suite.

The connection uses TLS 1.2.

=

It's exactly the same here too!

https://community.dynamics.com/members/bdontj

(You might like to read at the link showing there!)

=

However, that is NOT the same as I see if I look under the padlock at
Google.com. I see this ...

Your connection to www.google.co.uk is encrypted using a modern cipher
suite.

The connection uses QUIC.

The connection is encrypted and authenticated using CHACHA20_POLY1305
and uses ECDHE_RSA as the key exchange mechanism.

=

I'm afraid I'm on a 150 mile round trip to visit my sister today, but
I'll remove Avast! this evening and see if things look different! Btw,
I'm looking at all this using my Apple iMac and OS X El Capitan. The
machine SHOULD be free from malware. wink emoticon

--
David B.

On 11/15/2015 04:48 AM, Kirk Jutland wrote:
What does it mean (to me) when a "certificate" to pirate bay is "invalid"?
http://i.imgur.com/mkL4pt2.jpg

The page you try to access is using cloudfare (a proxy service used to
mitigate DDoS attacks and even cache proxying if you are paying), as the
page is using secure-http (https), it needs a certificate and as how
certificates when browsing works like that the site you are going to has
to have the same domain name as the certificate it provides, for example
if you go to https://example.net then you should get a certificate for
the domain example.net, if you instead of get a certificate for
anothersite.example.org, then they don't match and you get a certificate
error (in Firefox, SeaMonkey, Chrome and the two versions of MSIE you
get to choose to go to the site or leave it).

Your avat which intercepts your internet traffic notice the difference
between the site you wanted to go to and the certificate you got and
assumes that the site ain't the one you intended to go to and warns you
as the certificate is for cloudflaressl.com as the person behind the
copy of pirate bay hasn'ät bothered to upload the correct ssl
certificates to cloudflare.

Just keep in mind as your avast can see which https site you gone to and
that you got another certificate, this means they have full potential to
spy on what you are doing.


How "critical" is this message?

You can't be sure if you got to the site you wanted or just a copy which
may give you a lot of spam-popups.


I realize it means "something" is wrong with the certificate for the
encryption of that web site.

The encryption of the site is okey, just the certificate is for another
site than the one you entered in the url-bar.

I suggest you use a proper anti-advertisement program when you visit the
pirate bay, so that you will not be diverted to some scam page or a
drive-by-download sites which will infect you with viruses as no
AV-application will give you a full protection, as there are many copies
of the pirate buy which do nasty things when you click on links.


--

//Aho

On 2015-11-15 07:06:23 +0000, David E. Ross said:

You should not be using Avast to check the validity of Web site
certificates. Instead, you should use a browser that does it. I know
that SeaMonkey and Firefox do it. I think Internet Explorer, Edge,
Chrome, Safari, and Opera do it, too.

snip

Thanks, David, for this informative post.

Kirk Jutland wrote:
What does it mean (to me) when a "certificate" to pirate bay is "invalid"?
http://i.imgur.com/mkL4pt2.jpg

So, I admit, I try to go to piratebay to search about stuff that is
available for download.

I'm not sure the difference, but it happens with these sites:
thepiratebay.to
thepiratebay.la
thepiratebay.gd

My av program won't let me get there.
http://i.imgur.com/mkL4pt2.jpg

It says: "the following certificate is invalid sni34388.cloudflares1.com
Huh? What is cloudflares1?
I didn't go there, did I?
I guess the certificate "is" for cloudflares1, but, what does that mean, to
me?
It's a dodgy site to begin with anyway, so, should I expect this?
Or is this abnormal?

How do I INTERPRET what the problem is?
Is it severe enough to turn off the av checks?
Is it an innocuous message?

How "critical" is this message?

I realize it means "something" is wrong with the certificate for the
encryption of that web site. But it's a dodgy web site to start with, isn't
it? So, should I be worried if I were to turn off my av program?

Why?

According to this...

https://en.wikipedia.org/wiki/Thepiratebay

thepiratebay.se

On 5 May 2015, The Pirate Bay went offline for several hours,
apparently as a result of not properly configuring its SSL certificate

19 May 2015. "Pirate Bay move to gs, la, vg, am, mn and gd domains

https://torrentfreak.com/pirate-bay-...n-name-150715/

July 15, 2015

.GS domain went offline after an intervention from the associated registry
ThePirateBay.AM on hold

The Pirate Bay is currently accessible via the LA, VG, MN and GD domain names.
The original .SE domain is still operational as well, pending an appeal,
and redirects users to one of the new domain names.

So the .to domain isn't in that list.

Maybe until the .SE domain is taken again, the redirect will
point to a valid one.

Paul

On Sun, 15 Nov 2015 01:37:55 -0500, Paul wrote:
Avast had some sort of problem like this a year ago.
Avast apparently inserts its own certificate, but
where, or for what reason, who knows.


We discussed that here. Avast 2015 does that by design, and it's a
not just annoying, huge security leak. It was enough to cause me to
uninstall the 2015 version and go back to version 2014. (On my new
laptop, I'm not even using Avast.)

http://www.lonecpluspluscoder.com/20...-scanner-uses-
a-self-issued-trusted-root-certificate/

http://security.stackexchange.com/qu...5/avast-https-
scanning

http://www.pcworld.com/article/20495...er-extensions-
pose-a-serious-threat-and-defenses-are-lacking.html

Choice quote from the latter:

"Chromium, along with Internet Explorer, uses the system-wide proxy
settings and certificate store, so an attacker could exploit this to
pass all traffic from the Avast SafeZone or Bitdefender Safepay
browsers though a proxy server he controls and perform man-in-the-
middle interception using the new root CA certificate added to the
system."

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://BrownMath.com/
http://OakRoadSystems.com/
Shikata ga nai...

On Sat, 14 Nov 2015 23:06:23 -0800, David E. Ross wrote:
In your case, it could also happen if
you are using an old version of Avast since Avast must contain a
database of root certificates to check the chain of certificates.


Are you sure about that? My understanding is that the certificates
are in a common location on the PC for use by all programs.

1. Start*» Run*» MMC.
2. File*» Add/Remove Snap-in*» Certificates*» Add. Select Computer
Account on the next screen, then Local Computer on the one after
that. Click Finish and then OK.
3. Double-click Certificates in the left-hand panel.

http://www.lonecpluspluscoder.com/20...-scanner-uses-
a-self-issued-trusted-root-certificate/

says "Avast! installs a Trusted Root certificate into the Windows
certificate store", and shows a screen shot.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://BrownMath.com/
http://OakRoadSystems.com/
Shikata ga nai...

On 11/15/2015 6:34 AM, Stan Brown wrote:
On Sat, 14 Nov 2015 23:06:23 -0800, David E. Ross wrote:
In your case, it could also happen if
you are using an old version of Avast since Avast must contain a
database of root certificates to check the chain of certificates.


Are you sure about that? My understanding is that the certificates
are in a common location on the PC for use by all programs.

1. Start » Run » MMC.
2. File » Add/Remove Snap-in » Certificates » Add. Select Computer
Account on the next screen, then Local Computer on the one after
that. Click Finish and then OK.
3. Double-click Certificates in the left-hand panel.

http://www.lonecpluspluscoder.com/20...-scanner-uses-
a-self-issued-trusted-root-certificate/

says "Avast! installs a Trusted Root certificate into the Windows
certificate store", and shows a screen shot.


I use SeaMonkey as my browser; for this situation, I am very sure that
Firefox operates the same way. SeaMonkey has a file that contains a
root certificate database. It does NOT use any Windows certificate
store. This is because Mozilla does its own vetting of certification
authorities.

Before Mozilla adds a new root certificate to its database, the owner of
that root must supply Mozilla with certain documentation, including not
only its policies and procedures documents but also a third-party audit
statement that the certification authority actually follows those
policies and procedures. Mozilla staff test to make sure the root
certificate conforms to certain standards. Finally, the request to add
the root certificate -- including all the supplied documentation and the
certificate itself -- is subjected to public scrutiny for a period of
time (usually at least two weeks) even though all of the prior steps in
vetting the root certificate have been done in view of the interested
public.

Occasionally, Microsoft makes a mistake. After all, do we not see
monthly patches to security vulnerabilities in Windows? Mozilla might
also make a mistake. Since I know the process used by Mozilla, however,
I have more faith in the Mozilla root certificate store than I have in a
store vetted behind closed doors.

--
David E. Ross

Pharmaceutical companies claim their drug prices are
so high because they have to recover the costs of developing
those drugs. Two questions:

1. Why is the U.S. paying the entire cost of development while
prices for the same drugs in other nations are much lower?

2. Manufacturers of generic drugs did not have those
development costs. Why are they charging so much for generics?

On Sun, 15 Nov 2015 01:37:55 -0500, Paul wrote:

Since Avast flagged it, and not the browser, I
would have to assume it's an Avast problem of some sort.

That is an interesting observation that had not occurred to me.
I used Firefox 42 as the browser.
So, you're right. Firefox didn't flag it.
Avast did.

But why?

On Sat, 14 Nov 2015 23:06:23 -0800, David E. Ross wrote:

You should not be using Avast to check the validity of Web site
certificates. Instead, you should use a browser that does it.

I'm using Firefox 42.

I had not realized that Avast was checking certificates, and not
Firefox.

So, should I just allow this to go through?
I'm still unsure of "what" the threat is.

On Sun, 15 Nov 2015 10:44:51 +0100, J.O. Aho wrote:

Your avat which intercepts your internet traffic notice the difference
between the site you wanted to go to and the certificate you got and
assumes that the site ain't the one you intended to go to and warns you
as the certificate is for cloudflaressl.com as the person behind the
copy of pirate bay hasn'ät bothered to upload the correct ssl
certificates to cloudflare.

OK. That is the first explanation that I *understood*.

1. I went to piratebay.whatever with Firefox 42.
2. Firefox and Avast both expected a certificate for "piratebay.whatever".
3. What came back was a certificate for cloudflares instead.
4. So Avast barfed on it.
5. Presumably, had I not used Avast, Firefox would have also barfed.

Now the $64 question....

Is it safe (so to speak) to go there?
I'm not expecting perfect safety (this isn't a banking site).

But, is it *really* the piratebay that I'm going to or not?

On 2015-11-16, Kirk Jutland wrote:

Is it safe (so to speak) to go there?

was it ever?

I'm not expecting perfect safety (this isn't a banking site).

But, is it *really* the piratebay that I'm going to or not?

dunno, if you don't want to use firefox download the page with
wget and look at it in a text editor. parhaps piratebay has been
taken down.

--
\_(ツ)_

On 11/15/2015 11:01 PM, Kirk Jutland wrote:
On Sat, 14 Nov 2015 23:06:23 -0800, David E. Ross wrote:

You should not be using Avast to check the validity of Web site
certificates. Instead, you should use a browser that does it.

I'm using Firefox 42.

I had not realized that Avast was checking certificates, and not
Firefox.

So, should I just allow this to go through?
I'm still unsure of "what" the threat is.


You should see if Avast has an option not to check certificates since
Firefox does a good job of that.

--
David E. Ross

Pharmaceutical companies claim their drug prices are
so high because they have to recover the costs of developing
those drugs. Two questions:

1. Why is the U.S. paying the entire cost of development while
prices for the same drugs in other nations are much lower?

2. Manufacturers of generic drugs did not have those
development costs. Why are they charging so much for generics?