Chrome reporting site certificate as invalid


It can take some time to get a new server cert. Depending on what's specified, you might need to wait for the CA to have a "key party," where several individuals gather periodically (weekly is common) to provide the signing key fragments that are assembled into the CA's signing key for the certificates to be issued. In a locked room. That only one person can enter at a time. Where the only thing a key fragment holder can see is a data entry field for her part of the key. &c.
Seems a bit over the top for a message board to me...

Kind of crappy for browsers to arbitrarily declare well known CAs as black sheep and tell users about it. I would be surprised if there wasn't a lawsuit already involved.
 
I don't think it's our hosting company since it's AWS (Amazon Web Services)

afaik we're in process on getting a new CA.

til then Firefox is still working for me. Or I guess Edge....

When there's an update the Chairman will post it here.
I love SB but not enough to use edge...

If you get the error, you can just click the button to ignore the error. It smacks of political stunt by browser manufacturers to me. It's not like they've blacklisted "joes used digital certificates and toothbrushes".
For what it's worth, a consortium of browser manufacturers has blocked the following certificate authorities.

Symantec, GeoTrust, RapidSSL, Thawte, and VeriSign

Of course, VeriSign is only the biggest root CA in the world.. no harm though, right?

As a website owner your only options are 1. lose traffic from chrome and ff users or 2. buy a cert from some other company and hope the eventual lawsuit takes care of it (if you even care after paying for a second cert).

Here are the details: Distrust of Symantec TLS Certificates


It's part of a long running feud between Google and Symantec. Google has apparently successfully recruited mozilla (maybe others?) to join them. Google is fighting with Symantec over encrypting the internet

Google's published details make it sound on the surface like their motives are altruistic....until you realize that Google owns a CA that competes with Symantec (and the others). Guess what? Google Internet Authority G2 isn't blocked anywhere :wink:. Oh, and as if Google has never been hacked. No business that has an internet connection has never been hacked - unless you just haven't been noticed (yet).

Children of unwed mothers, Google.

What it boils down to is that default permissions for sites who have paid someone "trusted" by google or mozilla for a certificate are more lenient than for sites who have not. This is because all a certificate does is (supposedly) identify one end of a connection. Your browser then decides to negotiate a secure connection (or not). It's entirely possible to use SSL or TLS with your own cert, or no cert at all.

This is an effort to crush their largest competitor in the certificate sales space - nothing more.

/rant.

sorry
 
Nice rant. :wink: .
 
I'm using a MacBook Pro (which I hate, BTW - and it seems like this is one reason why).

If this were Windows, I believe I could just select the GeoTrust root cert and add it to my Trusted CA certs on my local machine and this error would go away. Or something like that.

I can't find any way to do the equivalent thing on MacOS. Does anybody know if there is a way? I checked in the Keychain Access app and the GeoTrust Global CA is already there. I guess the issue is that Chrome is making its own decision about what CAs to trust? Is there really no way to manually change what CAs Chrome trusts?
 
What's odd is that I started getting the message today with Chrome on one of my desktops, but still works in Chrome on the desktop I'm on now as well as on my Android phone. Still works in Firefox on both.

Check out Max's link, the Chrome team is doing this as a gradual rollout over a few weeks.
 
> I'm using a MacBook Pro (which I hate, BTW - and it seems like this is one reason why).
>
> If this were Windows, I believe I could just select the GeoTrust root cert and add it to my Trusted CA certs on my local machine and this error would go away. Or something like that.
>
> I can't find any way to do the equivalent thing on MacOS. Does anybody know if there is a way? I checked in the Keychain Access app and the GeoTrust Global CA is already there. I guess the issue is that Chrome is making its own decision about what CAs to trust? Is there really no way to manually change what CAs Chrome trusts?
No. They've actually got something coded into the browsers to brow-beat users on the issue. You can probably go into about:config in firefox and turn that "feature" off. Maybe. It's very much like what was done with Flash - and why I used a fork of firefox called Waterfox for several years (which still supports flash).

The only reason I'm aware of this issue that I ranted about is because I clicked on the "details" link firefox provided when I visited scubaboard.com. Then I did a lot of reading. If you click that link, Firefox (mozilla) will tell you all about it from their perspective.
 
> Seems a bit over the top for a message board to me...
>
> Kind of crappy for browsers to arbitrarily declare well known CAs as black sheep and tell users about it. I would be surprised if there wasn't a lawsuit already involved.

This should have surprised NO website operator, since they started warning people some time ago (like a year or more). The reason they are doing it is not arbitrary, or capricious. It does force people to get new SSL certs, but in many or most cases they would need new ones anyway, because they expire. They just have to get them from a CA that follows the industry practices for vetting website owners.

It's unfortunate that a company that apparently acquired a number of moderately pervasive CAs seems not to have followed accepted practices, causing a large number of certificates to become untrusted, and the browser owners, as far as I know, have no dog in the "who sells SSL certs" fight.* But, I'll admit that I have not followed the money to be able to assert that last point. In the meantime, the browser owners are doing what they are doing, and they provided plenty of notice, but it's always the case with stuff like this that "someone or another" doesn't get the message (shrug).

The whole key security thing is essential to being able to trust someone who asserts (via an SSL server cert) that they are who they say they are. A remarkable number of creative hacks are possible on malicious websites. It's not merely the content of SB you should worry about, but the content and security of your own computer. If you do online banking on the same computer you use for SB, for example, you should be *glad* that this level of security exists and is being used for SB.

*Edit: One of the major emerging players here is DigiCert, which is privately held.
 
[screenshot attachment, 2018-11-15]
As you can see, the root certs are still installed by default. They just aren't allowed to function.

> the browser owners, as far as I know, have no dog in the "who sells SSL certs" fight
Google owns a root CA that is not included in the ban. The CA is called Google Internet Authority G2 and their website is Google Internet Authority G2 – Google.
Mozilla does not own their own CA. However, nearly 100% of the Mozilla foundation's funding comes from (wait for it) Google! Evidence: So Why Is Google Funding Its Own Competition In The Firefox OS?

I don't believe in coincidences like that.
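The posts above list the affected brands (Symantec, GeoTrust, RapidSSL, Thawte, VeriSign) and note that the roots stay installed in the system trust store while the browser refuses to honour them. A site operator who wants to know whether their own chain is caught by this can triage it locally. The script below is an added example, not code from the thread or from ScubaBoard: it splits a PEM chain into its certificates, finds the root (or, when the server did not send the root, the issuer named by the top-most certificate) and flags it when the Organization matches one of the brands named in the thread. Two assumptions are built in: the browsers actually key the distrust on the roots' public-key (SPKI) hashes, so matching on the O= name is an approximation; and the two demo chains are constructed on the spot with fresh test keys that only borrow the brand name in their subject (they are not real GeoTrust certificates). It needs only the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread): flag a PEM chain whose root belongs to
# one of the brands the browsers distrusted. Real browsers key the distrust on
# the roots' public-key (SPKI) hashes; matching on the Organization name is an
# approximation for quick local triage. The demo certs generated below are
# fresh test keys that only borrow the brand name in their subject.
set -e

DISTRUSTED_ORGS='symantec|geotrust|thawte|verisign|rapidssl'

# Organization (O=) attribute of one certificate's subject or issuer.
# $1 = PEM file holding a single certificate, $2 = subject | issuer
cert_org() {
    openssl x509 -in "$1" -noout -"$2" -nameopt RFC2253 \
        | sed -n 's/.*O=\([^,]*\).*/\1/p'
}

# A root is self-issued: its subject and issuer names are identical.
is_root() {
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# Organization of the chain's root. Servers usually omit the root itself,
# so if no self-issued cert is present, use the issuer of the top-most cert.
chain_root_org() {
    d=$(mktemp -d)
    awk -v dir="$d" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", dir, n) }
                     f != "" { print > f }' "$1"
    org=""; last=""
    for c in "$d"/*.pem; do
        last="$c"
        if is_root "$c"; then org=$(cert_org "$c" subject); fi
    done
    [ -n "$org" ] || org=$(cert_org "$last" issuer)
    rm -rf "$d"
    printf '%s\n' "$org"
}

# Exit status 0 when the chain's root organization matches a distrusted brand.
chain_distrusted() {
    chain_root_org "$1" | grep -Eiq "$DISTRUSTED_ORGS"
}

# Build a two-certificate demo chain (leaf + self-signed root).
# $1 = root Organization, $2 = output PEM file (leaf first, then root)
gen_chain() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$d/root.key" -out "$d/root.pem" \
        -subj "/O=$1/CN=$1 Test Root" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=scubaboard.com" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -sha256 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/root.pem" > "$2"
    rm -rf "$d"
}

# Constructed inputs: one chain under a GeoTrust-named root, one under a neutral root.
SYM_CHAIN=$(mktemp); OTHER_CHAIN=$(mktemp)
gen_chain "GeoTrust Inc." "$SYM_CHAIN"
gen_chain "Example Trust Ltd" "$OTHER_CHAIN"

for f in "$SYM_CHAIN" "$OTHER_CHAIN"; do
    if chain_distrusted "$f"; then verdict="DISTRUSTED (Symantec-family root)"; else verdict="not affected"; fi
    printf '%s: root O=%s -> %s\n' "$f" "$(chain_root_org "$f")" "$verdict"
done
```

To run it against a live site rather than the demo chains, capture what the server sends with `openssl s_client -connect host:443 -servername host -showcerts </dev/null` and feed that output to `chain_distrusted`; the issuer fallback handles the common case where the root is not included. A hit on this check means the fix is a reissued certificate from a CA the browsers still trust, not a change to the local trust store, since the browsers bypass that store for these roots.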
 
That is my beef. That the root certs in my key chain are not being allowed to function.

It's my computer. If I want to trust GeoTrust, who is effing Google to tell me I can't?!? They're just providing me a browser. The browser should respect my machine's settings for trusted certs.

If Apple wanted to issue an OS update to remove certain trusted root certs, then that is something I might consider reasonable. But, for Google to take it upon themselves to make their browser ignore my system settings for trusted root certs is, well, I basically agree with @kelemvor. This is self-serving BS.
 
> [screenshot attachment]
> As you can see, the root certs are still installed by default. They just aren't allowed to function.
>
> Google owns a root CA that is not included in the ban. The CA is called Google Internet Authority G2 and their website is Google Internet Authority G2 – Google.
> Mozilla does not own their own CA. However, nearly 100% of the Mozilla foundation's funding comes from (wait for it) Google! Evidence: So Why Is Google Funding Its Own Competition In The Firefox OS?
>
> I don't believe in coincidences like that.

I understand how the trust store works, thanks. On the rest, we will have to agree to disagree. And, I am happy the browser owners are doing what they are doing. A chain of trust should be, well, trustworthy.
 