berkeley.edu now https ?

Message boards : Cafe SETI : berkeley.edu now https ?
Sutaru Tsureku (Volunteer tester)
Joined: 6 Apr 07 | Posts: 7105 | Credit: 147,663,825 | RAC: 5 | Germany
Message 1442806 - Posted: 15 Nov 2013, 21:05:42 UTC

Before I could log in, my browser Firefox said it doesn't trust the setiathome.berkeley.edu site.

I accepted the certificate once and so I came to a berkeley.edu secure site (https).

After I entered ID and PIN, the s disappeared and I saw my account.

Is it the same now as it has been at SAH Beta for a long time?
Or did someone do bad things and hack something?

* Best regards! :-) * Philip J. Fry, team seti.international founder. * Optimize your PC for higher RAC. * SETI@home needs your help. *
ID: 1442806
OzzFan (Volunteer tester)
Joined: 9 Apr 02 | Posts: 15688 | Credit: 84,761,841 | RAC: 28 | United States
Message 1442821 - Posted: 15 Nov 2013, 21:30:39 UTC - in response to Message 1442806.  

It's not Berkeley that is handling the https, rather the setiathome sub-domain.

Also, as far as I can remember, https was always required for logging into the site. Once you log into the site, it uses a cookie to remember your login. So if you switch browsers or clear your cookies, you will have to go back through the https login.

As far as Firefox not trusting the site, that's typical of any self-signed certificate as opposed to one purchased from a third-party certificate authority (CA). Web browsers can only verify authenticity if the site uses a third-party CA.
ID: 1442821
OzzFan (Volunteer tester)
Joined: 9 Apr 02 | Posts: 15688 | Credit: 84,761,841 | RAC: 28 | United States
Message 1442925 - Posted: 16 Nov 2013, 2:57:27 UTC - in response to Message 1442806.  

It has been pointed out to me that my earlier explanation was not correct. In fact, you were right, there was a recent change in the setiathome.berkeley.edu web server to utilize https as of sometime in the last 24 hours.

It was not due to a hacking, but due to a CSS fix being put in place that, if I understand correctly, required https.

A very astute observation on your behalf.
ID: 1442925
arkayn (Volunteer tester)
Joined: 14 May 99 | Posts: 4438 | Credit: 55,006,323 | RAC: 0 | United States
Message 1442937 - Posted: 16 Nov 2013, 4:07:24 UTC - in response to Message 1442925.  

> It has been pointed out to me that my earlier explanation was not correct. In fact, you were right, there was a recent change in the setiathome.berkeley.edu web server to utilize https as of sometime in the last 24 hours.
>
> It was not due to a hacking, but due to a CSS fix being put in place that, if I understand correctly, required https.
>
> A very astute observation on your behalf.

Looks like it will only affect me once I have to login again as I am still using the forums without the secure connection.

ID: 1442937
Wiggo
Joined: 24 Jan 00 | Posts: 23329 | Credit: 261,360,520 | RAC: 489 | Australia
Message 1442942 - Posted: 16 Nov 2013, 4:33:31 UTC - in response to Message 1442937.  


> Looks like it will only affect me once I have to login again as I am still using the forums without the secure connection.

The same here (possibly you have to either sign out or clear cookies for this to happen).

Cheers.
ID: 1442942
OzzFan (Volunteer tester)
Joined: 9 Apr 02 | Posts: 15688 | Credit: 84,761,841 | RAC: 28 | United States
Message 1442945 - Posted: 16 Nov 2013, 4:51:15 UTC - in response to Message 1442937.  

> > It has been pointed out to me that my earlier explanation was not correct. In fact, you were right, there was a recent change in the setiathome.berkeley.edu web server to utilize https as of sometime in the last 24 hours.
> >
> > It was not due to a hacking, but due to a CSS fix being put in place that, if I understand correctly, required https.
> >
> > A very astute observation on your behalf.
>
> Looks like it will only affect me once I have to login again as I am still using the forums without the secure connection.


It only affects logging in. The rest of the forums run on regular http.
ID: 1442945
Lynn (Volunteer tester)
Joined: 20 Nov 00 | Posts: 14010 | Credit: 79,603,650 | RAC: 123 | United States
Message 1442958 - Posted: 16 Nov 2013, 7:47:22 UTC - in response to Message 1442945.  

Found this in Questions and Answers : Web site

http://setiathome.berkeley.edu/forum_thread.php?id=73279
Questions and Answers : Web site : warning message: "This Connection is Untrusted"

Hope it helps.
ID: 1442958
BigDaddyDave
Joined: 8 Oct 00 | Posts: 67 | Credit: 20,337,995 | RAC: 15 | United States
Message 1446199 - Posted: 24 Nov 2013, 6:58:00 UTC - in response to Message 1442925.  

I received the same message as well. Good to see that we are already talking about it. I'll ignore the Firefox notice.

Thank you,

Get Crunchin'!


BDDave
ID: 1446199
Sutaru Tsureku (Volunteer tester)
Joined: 6 Apr 07 | Posts: 7105 | Credit: 147,663,825 | RAC: 5 | Germany
Message 1446284 - Posted: 24 Nov 2013, 13:44:58 UTC
Last modified: 24 Nov 2013, 13:46:09 UTC

I use an old Firefox, and if I log in to my account at setiathome.berkeley.edu, I get the warning.

Also, when I made my yearly donation at givetocal.berkeley.edu on Nov/21, I got the same warning.

I sent a message to the admins about this.

But is it because of my very old version of Firefox?

AFAIK, the newest Firefox is v25.
Do you also get this warning with this version?

And the Internet Explorer users (which version?), do they also see a warning?

ID: 1446284
OzzFan (Volunteer tester)
Joined: 9 Apr 02 | Posts: 15688 | Credit: 84,761,841 | RAC: 28 | United States
Message 1446383 - Posted: 24 Nov 2013, 20:08:16 UTC - in response to Message 1446284.  
Last modified: 24 Nov 2013, 20:21:20 UTC

I opened up givetocal.berkeley.edu in my Chrome v31 browser, then proceeded to look up SETI@home when I finally hit an https page. I clicked on the lock icon in my browser and saw that it was signed and verified. I received no warning.

I did the same in Internet Explorer 11 and also received no warnings.

I then opened up givetocal.berkeley.edu and performed the same steps in Firefox v25.0.1, and by the time I hit the https pages, I did receive a "scary" warning that "This Connection is Untrusted". I then clicked on "technical details" and it said that the "certificate was not trusted because no issuer chain was provided." Performing a Google search on that last phrase brought up many hits with website owners complaining about Firefox being the only one that has this problem.

According to http://www.sslshopper.com/ssl-checker.html#hostname=https://givetocal.berkeley.edu, the owner of the sub-domain "givetocal.berkeley.edu" needs to install an intermediate/chain certificate to link it to a trusted root certificate. An intermediate/chain certificate would be missing if the domain owner is using self-signed certificates and they are not using a well-known Certificate Authority.

The problem with using a trusted root certificate, such as the ones provided by VeriSign, is that they can cost upwards of $500+ per year, and using trusted root certificates actually has known flaws in the chain (such as "man in the middle" attacks). Not to mention that only the most popular trusted root Certificate Authorities are included in most browsers, leaving the user to have to manage their own trusted certificate stores - and unfortunately this puts too much emphasis on the trusted root system, giving users a false sense of security in the system itself.

In other words, if the Berkeley domain is using self-signed certificates and are not using a well-known Certificate Authority (CA) that is already recognized by your web browser, the likes of Firefox will always issue these scary warnings because the developers at Firefox have (obviously) put too much emphasis on trusted root CAs. Every other web browser understands that a trusted root CA is not and should not be mandatory to trust a website, and thus they don't give out the warnings you see.

While the Berkeley domain admins could easily use a trusted root CA so Firefox users don't receive the warnings, in my professional opinion this is not the best solution just to appease users of a web browser that wants to encourage this false sense of security in end users. The developers of Firefox need to back off of this emphasis and stop requiring trusted root CAs and stop dictating to domain admins that they need to use a trusted root CA instead of a self-signed CA.
ID: 1446383
Sutaru Tsureku (Volunteer tester)
Joined: 6 Apr 07 | Posts: 7105 | Credit: 147,663,825 | RAC: 5 | Germany
Message 1446574 - Posted: 25 Nov 2013, 14:27:28 UTC

Just to post the correct URLs ..

If I go to http://setiathome.berkeley.edu and then press 'Account', I get to http://setiathome.berkeley.edu/home.php - and my Firefox shows the warning.

If I go to http://setiathome.berkeley.edu/sah_donate.php and then press, on the right-hand side, 'Click here to make an online donation via credit card or VISA check card', I get to https://givetocal.berkeley.edu /blabla - and my Firefox shows the warning.

ID: 1446574
TimeLord04 (Volunteer tester)
Joined: 9 Mar 06 | Posts: 20880 | Credit: 33,933,039 | RAC: 23 | United States
Message 1446581 - Posted: 25 Nov 2013, 14:38:11 UTC - in response to Message 1446574.  

> Just to post the correct URLs ..
>
> If I go to http://setiathome.berkeley.edu and then press 'Account', I get to http://setiathome.berkeley.edu/home.php - and my Firefox shows the warning.
>
> If I go to http://setiathome.berkeley.edu/sah_donate.php and then press, on the right-hand side, 'Click here to make an online donation via credit card or VISA check card', I get to https://givetocal.berkeley.edu /blabla - and my Firefox shows the warning.


Tell Firefox to "Accept" the Certificate... You have to do this manually, just once, and it will remember the Certificate, and never hassle you again... :-)


TimeLord04
Have TARDIS, will travel...
Come along K-9!
Join Calm Chaos
ID: 1446581
OzzFan (Volunteer tester)
Joined: 9 Apr 02 | Posts: 15688 | Credit: 84,761,841 | RAC: 28 | United States
Message 1446651 - Posted: 25 Nov 2013, 17:26:40 UTC - in response to Message 1446574.  

> Just to post the correct URLs ..
>
> If I go to http://setiathome.berkeley.edu and then press 'Account', I get to http://setiathome.berkeley.edu/home.php - and my Firefox shows the warning.


That happens because whenever someone clicks on Home, the browser has to identify whose home to go to. It does this by passing over an https connection to read the cookie installed for the user who is logged into the site. Once it reads the cookie, it passes back to an http connection. Once Firefox encounters the https connection and certificate, it stops the process and displays the warning to you.

There is no need for certificates on http; indeed the s in https stands for secure, and is even connecting over a different port: 443 as opposed to standard traffic going over port 80.

> If I go to http://setiathome.berkeley.edu/sah_donate.php and then press, on the right-hand side, 'Click here to make an online donation via credit card or VISA check card', I get to https://givetocal.berkeley.edu /blabla - and my Firefox shows the warning.


This goes right back to Berkeley is using self-signed certificates over https connections and they are not using a trusted root CA. As was suggested, by manually installing the certificate and telling the browser that you trust the site you are visiting, you will not receive the warning anymore. This is the preferred solution instead of requesting the SysAdmin of the site to use a trusted root CA.
ID: 1446651
Robert Hoffman
Joined: 17 May 99 | Posts: 4 | Credit: 5,445,192 | RAC: 21 | United States
Message 1447024 - Posted: 26 Nov 2013, 16:33:31 UTC - in response to Message 1446383.  

> I opened up givetocal.berkeley.edu in my Chrome v31 browser, then proceeded to look up SETI@home when I finally hit an https page. I clicked on the lock icon in my browser and saw that it was signed and verified. I received no warning.
>
> I did the same in Internet Explorer 11 and also received no warnings.
>
> I then opened up givetocal.berkeley.edu and performed the same steps in Firefox v25.0.1, and by the time I hit the https pages, I did receive a "scary" warning that "This Connection is Untrusted". I then clicked on "technical details" and it said that the "certificate was not trusted because no issuer chain was provided." Performing a Google search on that last phrase brought up many hits with website owners complaining about Firefox being the only one that has this problem.
>
> According to http://www.sslshopper.com/ssl-checker.html#hostname=https://givetocal.berkeley.edu, the owner of the sub-domain "givetocal.berkeley.edu" needs to install an intermediate/chain certificate to link it to a trusted root certificate. An intermediate/chain certificate would be missing if the domain owner is using self-signed certificates and they are not using a well-known Certificate Authority.
>
> The problem with using a trusted root certificate, such as the ones provided by VeriSign, is that they can cost upwards of $500+ per year, and using trusted root certificates actually has known flaws in the chain (such as "man in the middle" attacks). Not to mention that only the most popular trusted root Certificate Authorities are included in most browsers, leaving the user to have to manage their own trusted certificate stores - and unfortunately this puts too much emphasis on the trusted root system, giving users a false sense of security in the system itself.
>
> In other words, if the Berkeley domain is using self-signed certificates and are not using a well-known Certificate Authority (CA) that is already recognized by your web browser, the likes of Firefox will always issue these scary warnings because the developers at Firefox have (obviously) put too much emphasis on trusted root CAs. Every other web browser understands that a trusted root CA is not and should not be mandatory to trust a website, and thus they don't give out the warnings you see.
>
> While the Berkeley domain admins could easily use a trusted root CA so Firefox users don't receive the warnings, in my professional opinion this is not the best solution just to appease users of a web browser that wants to encourage this false sense of security in end users. The developers of Firefox need to back off of this emphasis and stop requiring trusted root CAs and stop dictating to domain admins that they need to use a trusted root CA instead of a self-signed CA.


The certificate that is on the server isn't self-signed, it was issued by InCommon. They are not a root CA but follow the chain up through one. At my previous employer (also an .EDU) we used them in place of VeriSign on many sites and had no issues with any browser, including Firefox. I just connected to one of their main secure sites and had no issues (Firefox 25.0.1).

I'm not a certificate expert but I suspect that when the certificate request was made, or when the certificate was installed, there was a mistake somewhere which is causing the 'untrusted connection' message.

ID: 1447024
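One way to reproduce the failure behind OzzFan's sslshopper check and Robert Hoffman's InCommon post (an added example, not code from the thread or the SETI@home project): the openssl CLI builds a throwaway root, intermediate and leaf, with every name a constructed placeholder, then verifies the leaf once against the root alone, which is what a server that sends only its leaf looks like to the client, and once with the intermediate supplied.

```shell
#!/bin/sh
# Added demo (not from the thread): build a throwaway root -> intermediate -> leaf
# chain with the openssl CLI and verify the leaf with and without the intermediate.
# Every name below is a constructed placeholder.
set -u

make_demo_pki() {
  PKI_DIR=$(mktemp -d)
  # Minimal config so the result does not depend on the system openssl.cnf.
  cat > "$PKI_DIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
EOF
  KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
  (
    cd "$PKI_DIR"
    # Self-signed root: the trust anchor a browser ships in its store.
    openssl req -x509 -config ca.cnf -extensions v3_ca $KEYOPTS \
      -keyout root.key -out root.pem -subj "/CN=Demo Root CA" -days 30
    # Intermediate CA signed by the root (the hop an InCommon-style issuer adds).
    openssl req -new -config ca.cnf $KEYOPTS -keyout int.key -out int.csr \
      -subj "/CN=Demo Intermediate CA"
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile ca.cnf -extensions v3_ca -out int.pem -days 30
    # Server leaf signed by the intermediate, not by the root.
    openssl req -new -config ca.cnf $KEYOPTS -keyout leaf.key -out leaf.csr \
      -subj "/CN=donate.example.invalid"
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -extfile ca.cnf -extensions v3_leaf -out leaf.pem -days 30
  ) >/dev/null 2>&1
}

# verify_leaf [intermediate.pem]: validate leaf.pem against the root alone, or
# with the intermediate offered as untrusted input, as a server would send it.
verify_leaf() {
  if [ $# -gt 0 ]; then
    openssl verify -CAfile "$PKI_DIR/root.pem" -untrusted "$1" "$PKI_DIR/leaf.pem"
  else
    openssl verify -CAfile "$PKI_DIR/root.pem" "$PKI_DIR/leaf.pem"
  fi
}

make_demo_pki
echo "--- server sends only the leaf (what Firefox saw):"
verify_leaf || echo "FAILED: no issuer chain was provided"
echo "--- server also sends the intermediate (the fix):"
verify_leaf "$PKI_DIR/int.pem"
```

Chrome and Internet Explorer on Windows can fetch a missing intermediate from the leaf's AIA URL or reuse one cached from another site, which is why they showed no warning; Firefox at the time did not, so the fix is on the server side: serve the intermediate alongside the leaf.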
OzzFan (Volunteer tester)
Joined: 9 Apr 02 | Posts: 15688 | Credit: 84,761,841 | RAC: 28 | United States
Message 1447090 - Posted: 26 Nov 2013, 18:40:11 UTC - in response to Message 1447024.  

> The certificate that is on the server isn't self-signed, it was issued by InCommon. They are not a root CA but follow the chain up through one. At my previous employer (also an .EDU) we used them in place of VeriSign on many sites and had no issues with any browser, including Firefox. I just connected to one of their main secure sites and had no issues (Firefox 25.0.1).


Thank you for that. I was previously unaware of InCommon and had incorrectly assumed that it was an in-house thing at Berkeley.

> I'm not a certificate expert but I suspect that when the certificate request was made, or when the certificate was installed, there was a mistake somewhere which is causing the 'untrusted connection' message.


Given what you said above, I would have to agree. But I do find it curious that IE and Chrome are willing to call the connection trusted, but Firefox refuses unless some extra step is completed by the site Admins. I'm not sure that the extra step required by Firefox should be necessary, and I don't believe the developers of Firefox should be throwing up so many unnecessary security warnings, which tends to distract from the cases where an actual problem exists. In doing so, Firefox users will be succumbing to the same "click-through" mentality that many Windows-based apps and prompts and EULAs suffer from, where no one pays heed to them - or creating unnecessary paranoia in end users asking questions about such warnings on a site they should know whether they trust or not.

The only benefit I can think of is if a malicious third party were to hack a webserver and redirect traffic to a conspicuous site, but these types of redirect (or "drive by" attacks) are not typically done through https and site certificates.
ID: 1447090
Uli (Volunteer tester)
Joined: 6 Feb 00 | Posts: 10922 | Credit: 5,996,015 | RAC: 1 | Germany
Message 1447274 - Posted: 27 Nov 2013, 5:28:51 UTC

My memory might be faulty, but I think Eric addressed this issue a long time back. Front page News I think.
Pluto will always be a planet to me.

Seti Ambassador
Not to late to order an Anni Shirt
ID: 1447274
Sutaru Tsureku (Volunteer tester)
Joined: 6 Apr 07 | Posts: 7105 | Credit: 147,663,825 | RAC: 5 | Germany
Message 1448667 - Posted: 30 Nov 2013, 18:50:13 UTC

It looks like the admins changed something.

My Firefox no longer shows the warnings (account log in, donation (above mentioned URLs)).

:-)

ID: 1448667

©2021 University of California
 
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.