berkeley.edu now https ?
Author | Message |
---|---|
Dirk Sadowski Joined: 6 Apr 07 Posts: 7105 Credit: 147,663,825 RAC: 5 |
Before I could log in, my browser Firefox said it doesn't trust the setiathome.berkeley.edu site. I accepted the certificate one time and so I came to a berkeley.edu secure site (https). After I entered my ID and PIN the s disappeared and I saw my account. Is it now the same as it has been at SAH Beta for a long time? Or did someone do bad things and hack something? * Best regards! :-) * Philip J. Fry, team seti.international founder. * Optimize your PC for higher RAC. * SETI@home needs your help. * |
OzzFan Joined: 9 Apr 02 Posts: 15691 Credit: 84,761,841 RAC: 28 |
It's not Berkeley that is handling the https, rather the setiathome sub-domain. Also, as far as I can remember, https was always required for logging into the site. Once you log into the site, it uses a cookie to remember your login. So if you switch browsers or clear your cookies, you will have to go back through the https login. As far as Firefox not trusting the site, that's typical of any self-signed certificate as opposed to one purchased from a third-party certificate authority (CA). A web browser can only verify authenticity if the site uses a third-party CA. |
OzzFan Joined: 9 Apr 02 Posts: 15691 Credit: 84,761,841 RAC: 28 |
It has been pointed out to me that my earlier explanation was not correct. In fact, you were right, there was a recent change in the setiathome.berkeley.edu web server to utilize https as of sometime in the last 24 hours. It was not due to a hacking, but due to a CSS fix being put in place that, if I understand correctly, required https. A very astute observation on your behalf. |
arkayn Joined: 14 May 99 Posts: 4438 Credit: 55,006,323 RAC: 0 |
It has been pointed out to me that my earlier explanation was not correct. In fact, you were right, there was a recent change in the setiathome.berkeley.edu web server to utilize https as of sometime in the last 24 hours. Looks like it will only affect me once I have to login again as I am still using the forums without the secure connection. |
Wiggo Joined: 24 Jan 00 Posts: 36094 Credit: 261,360,520 RAC: 489 |
The same here (possibly you have to either sign out or clear cookies for this to happen). Cheers. |
OzzFan Joined: 9 Apr 02 Posts: 15691 Credit: 84,761,841 RAC: 28 |
It has been pointed out to me that my earlier explanation was not correct. In fact, you were right, there was a recent change in the setiathome.berkeley.edu web server to utilize https as of sometime in the last 24 hours. It only affects logging in. The rest of the forums run on regular http. |
Lynn Joined: 20 Nov 00 Posts: 14162 Credit: 79,603,650 RAC: 123 |
Found this in Questions and Answers : Web site http://setiathome.berkeley.edu/forum_thread.php?id=73279 Questions and Answers : Web site : warning message: "This Connection is Untrusted" Hope it helps. |
BigDaddyDave Joined: 8 Oct 00 Posts: 67 Credit: 20,337,995 RAC: 15 |
I received the same message as well. Good to see that we are already talking about it. I'll ignore the Firefox notice. Thank you, Get Crunchin'! BDDave |
Dirk Sadowski Joined: 6 Apr 07 Posts: 7105 Credit: 147,663,825 RAC: 5 |
I use an old Firefox, and if I log into my account at setiathome.berkeley.edu, I get the warning. Also, when I made my yearly donation on Nov/21 at givetocal.berkeley.edu, I got the same warning. I sent a message to the admins about this. But is it because of my very old version of Firefox? AFAIK, the newest Firefox is v25. Do you also get this warning with this version? And do Internet Explorer users (which version?) also see a warning? * Best regards! :-) * Philip J. Fry, team seti.international founder. * Optimize your PC for higher RAC. * SETI@home needs your help. * |
OzzFan Joined: 9 Apr 02 Posts: 15691 Credit: 84,761,841 RAC: 28 |
I opened up givetocal.berkeley.edu in my Chrome v31 browser, then proceeded to look up SETI@home when I finally hit an https page. I clicked on the lock icon in my browser and saw that it was signed and verified. I received no warning. I did the same in Internet Explorer 11 and also received no warnings. I then opened up givetocal.berkeley.edu and performed the same steps in Firefox v25.0.1, and by the time I hit the https pages, I did receive a "scary" warning that "This Connection is Untrusted". I then clicked on "technical details" and it said that the "certificate was not trusted because no issuer chain was provided." Performing a Google search on that last phrase brought up many hits with website owners complaining about Firefox being the only one that has this problem. According to http://www.sslshopper.com/ssl-checker.html#hostname=https://givetocal.berkeley.edu, the owner of the sub-domain "givetocal.berkeley.edu" needs to install an intermediate/chain certificate to link it to a trusted root certificate. An intermediate/chain certificate would be missing if the domain owner is using self-signed certificates and they are not using a well-known Certificate Authority. The problem with using a trusted root certificate, such as the ones provided by VeriSign, is that they can cost upwards of $500+ per year, and using trusted root certificates actually has known flaws in the chain (such as "man in the middle" attacks). Not to mention that only the most popular trusted root Certificate Authorities are included in most browsers, leaving the user to have to manage their own trusted certificate stores - and unfortunately this puts too much emphasis on the trusted root system, giving users a false sense of security in the system itself. 
In other words, if the Berkeley domain is using self-signed certificates and is not using a well-known Certificate Authority (CA) that is already recognized by your web browser, the likes of Firefox will always issue these scary warnings because the developers at Firefox have (obviously) put too much emphasis on trusted root CAs. Every other web browser understands that a trusted root CA is not and should not be mandatory to trust a website, and thus they don't give out the warnings you see. While the Berkeley domain admins could easily use a trusted root CA so Firefox users don't receive the warnings, in my professional opinion this is not the best solution just to appease users of a web browser that wants to encourage this false sense of security to end users. The developers of Firefox need to back off of this emphasis and stop requiring trusted root CAs and stop dictating to domain admins that they need to use a trusted root CA instead of a self-signed CA. |
Dirk Sadowski Joined: 6 Apr 07 Posts: 7105 Credit: 147,663,825 RAC: 5 |
Just to post the correct URLs .. If I go to http://setiathome.berkeley.edu and then press 'Account' I go to http://setiathome.berkeley.edu/home.php - and my Firefox shows the warning. If I go to http://setiathome.berkeley.edu/sah_donate.php and then press, on the right-hand side, 'Click here to make an online donation via credit card or VISA check card' I go to https://givetocal.berkeley.edu /blabla - and my Firefox shows the warning. * Best regards! :-) * Philip J. Fry, team seti.international founder. * Optimize your PC for higher RAC. * SETI@home needs your help. * |
TimeLord04 Joined: 9 Mar 06 Posts: 21140 Credit: 33,933,039 RAC: 23 |
Just to post the correct URLs .. Tell Firefox to "Accept" the Certificate... You have to do this manually, just once, and it will remember the Certificate, and never hassle you again... :-) TimeLord04 Have TARDIS, will travel... Come along K-9! Join Calm Chaos |
OzzFan Joined: 9 Apr 02 Posts: 15691 Credit: 84,761,841 RAC: 28 |
Just to post the correct URLs .. That happens because whenever someone clicks on Home, the browser has to identify whose home to go to. It does this by passing over an https connection to read the cookie installed of the user who is logged into the site. Once it reads the cookie, it passes back to an http connection. Once Firefox encounters the https connection and certificate, it stops the process and displays the warning to you. There is no need for certificates on http; indeed the s in https stands for secure, and is even connecting over a different port: 443 as opposed to standard traffic going over port 80. If I go to http://setiathome.berkeley.edu/sah_donate.php and then press, on the right-hand side, 'Click here to make an online donation via credit card or VISA check card' I go to https://givetocal.berkeley.edu /blabla - and my Firefox shows the warning. This goes right back to Berkeley using self-signed certificates over https connections and not using a trusted root CA. As was suggested, by manually installing the certificate and telling the browser that you trust the site you are visiting, you will not receive the warning anymore. This is the preferred solution instead of requesting the SysAdmin of the site to use a trusted root CA. |
Robert Hoffman Joined: 17 May 99 Posts: 4 Credit: 5,445,192 RAC: 21 |
I opened up givetocal.berkeley.edu in my Chrome v31 browser, then proceeded to look up SETI@home when I finally hit an https page. I clicked on the lock icon in my browser and saw that it was signed and verified. I received no warning. The certificate that is on the server isn't self-signed, it was issued by InCommon. They are not a root CA but follow the chain up through one. At my previous employer (also an .EDU) we used them in place of VeriSign on many sites and had no issues with any browser, including Firefox. I just connected to one of their main secure sites and had no issues (Firefox 25.0.1). I'm not a certificate expert but I suspect that when the certificate request was made, or when the certificate was installed, there was a mistake somewhere which is causing the 'untrusted connection' message. |
OzzFan Joined: 9 Apr 02 Posts: 15691 Credit: 84,761,841 RAC: 28 |
The certificate that is on the server isn't self-signed, it was issued by InCommon. They are not a root CA but follow the chain up through one. At my previous employer (also an .EDU) we used them in place of VeriSign on many sites and had no issues with any browser, including Firefox. I just connected to one of their main secure sites and had no issues (Firefox 25.0.1). Thank you for that. I was previously unaware of InCommon and had incorrectly assumed that it was an in-house thing at Berkeley. I'm not a certificate expert but I suspect that when the certificate request was made, or when the certificate was installed, there was a mistake somewhere which is causing the 'untrusted connection' message. Given what you said above, I would have to agree. But I do find it curious that IE and Chrome are willing to call the connection trusted, but Firefox refuses unless some extra step is completed by the site Admins. I'm not sure that the extra step required by Firefox should be necessary, and I don't believe the developers of Firefox should be throwing up so many unnecessary security warnings which tends to distract from the cases where an actual problem exists. In doing so, Firefox users will be succumbing to the same "click-through" mentality that many Windows-based apps and prompts and EULAs suffer where no one pays heed to - or creating unnecessary paranoia from end users asking questions about such warnings on a site they should know if they trust or not. The only benefit I can think of is if a malicious third party were to hack a webserver and redirect traffic to a conspicuous site, but these types of redirect (or "drive by" attacks) are not typically done through https and site certificates. |
Uli Joined: 6 Feb 00 Posts: 10923 Credit: 5,996,015 RAC: 1 |
My memory might be faulty, but I think Eric addressed this issue a long time back. Front page News I think. Pluto will always be a planet to me. Seti Ambassador Not too late to order an Anni Shirt |
Dirk Sadowski Joined: 6 Apr 07 Posts: 7105 Credit: 147,663,825 RAC: 5 |
It looks like the admins changed something. My Firefox no longer shows the warnings (account log in, donation (above mentioned URLs)). :-) * Best regards! :-) * Philip J. Fry, team seti.international founder. * Optimize your PC for higher RAC. * SETI@home needs your help. * |
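
The Firefox detail quoted in this thread, "no issuer chain was provided", is what a client reports when a server sends its leaf certificate without the intermediate that links it to a trusted root. The following is an added example (not part of any post, and not SETI@home's or Berkeley's configuration) that reproduces this with the openssl CLI on a constructed three-certificate PKI; all names and file paths in it are made up.

```shell
#!/usr/bin/env bash
# Constructed demo PKI (all names made up):
#   Demo Root CA -> Demo Intermediate CA -> www.example.test
# Shows how a client that trusts only the root judges a server that
# does or does not send its intermediate certificate.

new_csr() {  # $1 = file prefix, $2 = subject common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_demo_pki() {  # $1 = empty working directory
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
  new_csr "$d/root" "Demo Root CA"
  new_csr "$d/inter" "Demo Intermediate CA"
  new_csr "$d/leaf" "www.example.test"
  # The root is self-signed; it is the only certificate in the client's trust store.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
  # The intermediate is signed by the root; the leaf is signed by the intermediate.
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/inter.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# $1 = PKI directory, $2 = optional file of extra certificates the server sent.
# -untrusted supplies candidate intermediates; trust still comes only from -CAfile.
client_verify() {
  local d=$1 sent=${2:-}
  if openssl verify -CAfile "$d/root.pem" ${sent:+-untrusted "$sent"} \
       "$d/leaf.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

DEMO_DIR=$(mktemp -d)
make_demo_pki "$DEMO_DIR"
echo "server sends leaf only:           $(client_verify "$DEMO_DIR")"
echo "server sends leaf + intermediate: $(client_verify "$DEMO_DIR" "$DEMO_DIR/inter.pem")"
echo "issuer of leaf: $(openssl x509 -in "$DEMO_DIR/leaf.pem" -noout -issuer)"
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends, which is the input `client_verify` models with its second argument.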