The Mental Militia Forums

General Interest => BULLETIN BOARD => Topic started by: debra on March 22, 2006, 11:25:32 am

Title: TCF SSL Access
Post by: debra on March 22, 2006, 11:25:32 am
TCF can be accessed through a secured link:

https://erte.hmdnsgroup.com/~tcftalk/clairefiles/

NOTE: As of 4/3/07, please use this URL instead for secure access:

https://thementalmilitia.com/forums/

Bill St. Clair's post on page three explains the reason for the change and describes minor changes in access procedures.

-- EDIT by Claire 4/4/07

Instructions for avoiding annoying dialogs in Windows Internet Explorer are here (https://thementalmilitia.com/forums/index.php?topic=9043.msg349108#msg349108).

--EDIT by wws 1/10/2011
Title: Re: TCF SSL Access
Post by: Roy J. Tellason on March 22, 2006, 11:51:31 pm
So what does that get ya?
Title: Re: TCF SSL Access
Post by: enemyofthestate on March 23, 2006, 05:07:10 am
Quote
So what does that get ya?

In my case a 256 bit AES connection. :-)
Title: Re: TCF SSL Access
Post by: Scarmiglione' on March 23, 2006, 06:55:32 am
Quote
So what does that get ya?


In simple terms, reading TCF through that link is as secure as buying something online with a credit card.
Title: Re: TCF SSL Access
Post by: debra on March 23, 2006, 09:07:09 am
My understanding is that with SSL the data (including username/password entries, PMs, etc) can't be "sniffed". Obviously any posts can be read by someone who browses here, but submitted data is encrypted during transmission. Does that make sense? I hope so.

And um, Bill, if I'm wrong, correct me!
Title: Re: TCF SSL Access
Post by: Bill St. Clair on March 23, 2006, 09:22:49 am
That's basically right, Debra. I'm sure the NSA can break an SSL encoded stream if they devote their computer resources to it. But it will take them a while, so the idea is to increase the amount of encrypted traffic out there so there's lots of encrypted talk about recipes and Twinkies, etc. for them to waste their time on. Note that PM's, though not easily available to all and sundry, are stored in the database on our web server unencrypted. And on the backup server. I could look at them any time I want, but I won't. If the feds were to subpoena our web host, they could get the database and see everything everybody has written. I recommend using PGP to encrypt your PMs. That way, nobody but the intended recipients can read them, without stealing your private key and keyboard logging your passphrase, or spending a massive amount of computer time cracking your message.
Title: Re: TCF SSL Access
Post by: OLD TIRED RN on March 28, 2006, 03:46:07 pm
Bill, is it worth while for someone like me who has already said enough here and elsewhere to get myself onto their "naughty list" and keep me there by what I've already said that is already not encrypted, to take the time to do this posting by the encrypted method?  I'm very very computer illiterate, able to do e-mail and post here/things like this/ but I'm not even moderately skilled in things like encryption. 

Sure wish I knew how to do computers good instead of work on people.  Oh well.

                    Thanks,  RN
Title: Re: TCF SSL Access
Post by: Bill St. Clair on March 28, 2006, 05:21:26 pm
RN,

Only you can decide what's worth your effort.

I usually don't encrypt stuff, even though I have all the tools installed on my machine and know how to use them. Naughty boy am I.

The commercial PGP product, on Windows or Macintosh, is easier to use, IMHO, than GnuPG. It allows you to encrypt to and decrypt from the clipboard, not just files, and it provides encrypted virtual disks. The user interface is also much slicker, as is the email integration. If you can spare the $99, I recommend it. But for the price, free, GnuPG is a great value, and the GUI interfaces make it quite usable. There's even an EMACS interface, for Linux, that makes it almost as easy to use as commercial PGP.

Even if you're already on the "naughty list", your message's recipient might not be.
Title: Re: TCF SSL Access
Post by: enemyofthestate on March 31, 2006, 12:11:35 am
Quote
Bill, is it worth while for someone like me who has already said enough here and elsewhere to get myself onto their "naughty list" and keep me there by what I've already said that is already not encrypted, to take the time to do this posting by the encrypted method?

IMO, yes and in this particular case it costs you nothing except to change your bookmark. 

It doesn't matter if you are already on a 'list' somewhere. In fact, it may be a good thing for you to send megabytes of encrypted information.  Make the bastards waste thousands of hours of computer time to crack your recipe lists.  Every bit of encrypted traffic on the net is a bigger haystack we can hide our needles in.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on March 31, 2006, 05:08:53 am
enemyofthestate,

I think RN was asking about taking the trouble to PGP encrypt personal messages. I agree with you that everybody should switch bookmarks to the encrypted web link that Debra posted to begin this thread. Further encrypting personal messages is a more personal decision.
Title: Re: TCF SSL Access
Post by: Junker on March 31, 2006, 04:55:11 pm
Bill, I use SuSE 9.2 KDE w/ KGPG 1.0 installed. KGPG shows up as a lock icon in the utilities/widgets box next to the clock on lower right control bar. I left click the lock icon and get a pop-up menu which includes en-/de-crypt clipboard. I don't know if it only runs in KDE, but AYK, usually once one group has it, they all soon get it.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on March 31, 2006, 06:18:57 pm
Quote
Bill, I use SuSE 9.2 KDE w/ KGPG 1.0 installed. KGPG shows up as a lock icon in the utilities/widgets box next to the clock on lower right control bar. I left click the lock icon and get a pop-up menu which includes en-/de-crypt clipboard. I don't know if it only runs in KDE, but AYK, usually once one group has it, they all soon get it.

Glad to hear it. My Linux setup is currently running JWM, Jim's Window Manager. I can likely use some KDE widgets, but I haven't played with them much. I find the Emacs package I mentioned above to be sufficient.
Title: Re: TCF SSL Access
Post by: Bland on March 31, 2006, 08:59:14 pm
Quote
Bill, is it worth while for someone like me who has already said enough here and elsewhere to get myself onto their "naughty list" and keep me there by what I've already said that is already not encrypted, to take the time to do this posting by the encrypted method?
IMO, yes and in this particular case it costs you nothing except to change your bookmark.
It doesn't matter if you are already on a 'list' somewhere. In fact, it may be a good thing for you to send megabytes of encrypted information. Make the bastards waste thousands of hours of computer time to crack your recipe lists. Every bit of encrypted traffic on the net is a bigger haystack we can hide our needles in.

Yeah, when I first suggested this idea for a secure link, I explained that what this does is increase the *cost* for the JBT's or anyone else if they want to screw with you, your account here, or your privacy.  And OLD TIRED RN, it is worth it for you to 1) Only use the secure link and 2) change your password so that "They" have a much harder time of stealing your password here and doing things like posting under your name, keeping tabs on which IP's you post from here, or distinguishing your traffic from other posters here.
Title: Re: TCF SSL Access
Post by: PintofStout on May 17, 2006, 11:06:06 am
What's the whole "secure and non-secure items" box that pops up every time I load a page?
Title: Re: TCF SSL Access
Post by: Bill St. Clair on May 17, 2006, 11:27:28 am
Likely an avatar that is stored off-site. Do you get it on every page, or just some pages? If the latter, please give some links, so that I can encourage those people to upload their avatars to the site.

Actually, I see one on this page, though Firefox isn't complaining. enemyofthestate's avatar is stored off-site.

Which web browser do you use, PintofStout?
Title: Re: TCF SSL Access
Post by: PintofStout on May 17, 2006, 11:32:19 am
I use IE.

It asks if I want to display both secure and non-secure items and I usually just say yes.  Not too big a deal (I don't think), just an extra click.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on May 17, 2006, 12:22:12 pm
I tried it with IE, and told it "No". This revealed enemyofthestate's avatar, which I already mentioned, and PintofStout's Yahoo messenger icon. Apparently the <img...> tag generated by SMF for that returns a Yahoo-resident image.

I could find no way to disable this IE feature, not in "Internet Options..." and not with a Google search (though lots of people have complained about it). I suppose I could change the code that displays the Yahoo icon to use a static icon that doesn't reveal whether you're logged in to Yahoo...
Title: Re: TCF SSL Access
Post by: PintofStout on May 17, 2006, 12:35:40 pm
I could just take it off.  I haven't logged on to Yahoo for months.
Title: Re: TCF SSL Access
Post by: Docliberty on June 27, 2006, 03:02:43 pm
Hey Bill

I'm getting the same thing that Pint was.  Is there anything that I can do about it?
Title: Re: TCF SSL Access
Post by: Bill St. Clair on June 27, 2006, 03:06:59 pm
Quote
Hey Bill
I'm getting the same thing that Pint was. Is there anything that I can do about it?

Switch to Firefox or convince whoever has configured their profile to show their Yahoo IM to remove it.

Switching from IE to Firefox is a good idea all by itself. More secure. Faster. Tabbed browsing rocks. My opinion, of course.
Title: Re: TCF SSL Access
Post by: Docliberty on June 27, 2006, 04:41:52 pm
Quote
Hey Bill
I'm getting the same thing that Pint was. Is there anything that I can do about it?
Switch to Firefox or convince whoever has configured their profile to show their Yahoo IM to remove it.
Switching from IE to Firefox is a good idea all by itself. More secure. Faster. Tabbed browsing rocks. My opinion, of course.

Thanks Bill.

What's Foxfire and where do I get it?  And just in case I don't like it, is there an antidote?
Title: Re: TCF SSL Access
Post by: Tin-Man on June 27, 2006, 07:22:33 pm
Quote
What's Foxfire and where do I get it? And just in case I don't like it, is there an antidote?

Firefox (http://www.mozilla.com/firefox/) is a very, very good browser.  I highly recommend it, if my opinion means anything.

Antidote?  Just uninstall (it's much easier to work with and more cooperative about that sort of thing than IE) but I don't think you'll find it necessary.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on June 28, 2006, 04:56:52 am
Tin-man linked to where to find Firefox. Works on Windows, Macintosh, and Linux. Auto-updates, if you let it. Some people like Opera (http://opera.com/) better. I prefer Firefox, by a nose, though I haven't tried the new Opera 9 release.
Title: Re: TCF SSL Access
Post by: OLD TIRED RN on October 23, 2006, 01:13:15 pm
I confess to the sin of envy of all you guys who know/understand so much about computers and computing. I sure hate being the only dumb one.  Every time I run across a conversation like this one I feel like I should be put in the corner with one of those pointed hats on.  Sigh.....

I work on people, not these nasty little machines which were invented by somebody with a REAL EVIL MIND.   If you have a heart attack, diabetic induced seizure, fall off a ladder, etc. I know what I'm going to do for you.  Oh well....   Sure wish Bill St. Clair were my next door neighbor so I could get lessons from him for one of my wife's fine dinners. Maybe even fire up the ol grill.  Offer stands, Bill, or anyone of you who are so blessed should you find yourselves down here in this part of the country (west part of Tennessee). 

                                          RN
Title: Re: TCF SSL Access
Post by: Jguy101 on January 22, 2007, 02:49:31 pm
Just thought I'd let everyone know: The SSL isn't working for me today. O_o
Title: Re: TCF SSL Access
Post by: Erin on January 22, 2007, 03:03:41 pm
*
Title: Re: TCF SSL Access
Post by: RagnarDanneskjold on January 22, 2007, 03:08:29 pm
I get this popup:
Quote
The connection to erte.hmdnsgroup.com has terminated unexpectedly. Some data may have been transferred.
Title: Re: TCF SSL Access
Post by: Claire on January 22, 2007, 03:17:54 pm
Quote
I get this popup:
Quote
The connection to erte.hmdnsgroup.com has terminated unexpectedly. Some data may have been transferred.

Same here. I expect it'll clear up soon. Meanwhile, nice to have two entry points to TCF. If the problem hasn't taken care of itself by tomorrow, one of the admins can probably look into it.
Title: Re: TCF SSL Access
Post by: Pagan on January 22, 2007, 07:02:29 pm
Yeah, I finally got through after being off all day -- but only with Dare's help. Thanks, Dare!
Title: Re: TCF SSL Access
Post by: Dare2BFree on January 22, 2007, 07:06:00 pm
Very welcome   :thumbsup:  Glad that was all it was keeping you from signing in *and not some issue with your ISP*
Title: Re: TCF SSL Access
Post by: Bill St. Clair on January 22, 2007, 07:55:34 pm
SSL access has been down for me all day. I submitted a support ticket to Hosting Matters, our web service provider. Tell you more when there's more to tell.
Title: Re: TCF SSL Access
Post by: Shevek on January 22, 2007, 08:12:30 pm
Quote
Firefox . . . Works on Windows, Macintosh, and Linux. Auto-updates, if you let it.
Caution: Firefox runs very slow on older hardware because of the convoluted XUL interface. If you are not a browser power user, then consider Opera or K-Meleon. I use the latter a lot and it is very snappy and fast.

Quote
I sure hate being the only dumb one.
You're not dumb, just ignorant about computers. I'm quite ignorant about nursing and the medical industry!

Quote
SSL access has been down for me all day. I submitted a support ticket to Hosting Matters, our web service provider. Tell you more when there's more to tell.
Your blog is down too. Same host provider?
Title: Re: TCF SSL Access
Post by: Bill St. Clair on January 22, 2007, 09:09:22 pm
The SSL log file had reached the file size limit. They removed it and restarted the SSL server. SSL access is back up.

My blog is hosted by nearlyfreespeech.net. Works for me now. tcftalk.com is hosted by hostingmatters.com.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on January 22, 2007, 11:15:01 pm
Well, my blog WAS broken. Deleted a spam user account twice again, which caused the guest account to be removed, which only allowed registered users to see anything. Fortunately, the last time this happened I created a page with instructions for fixing it. So it's fixed now.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on April 04, 2007, 09:37:13 am
Prompted by a complaint from Hosting Matters about our scripts or .htaccess files generating illegal URLs, I finally figured out how to get a free SSL certificate for tcftalk.com. You no longer need to use https://erte.hmdnsgroup.com/~tcftalk/ for encrypted access to the boards. You can now use https://thementalmilitia.com/forums/ . Since the new certificate is for the proper domain, you can also tell your browser to accept the Certificate Authority (CA) permanently, and stop having to verify the first access each time you relaunch your browser. Firefox gives an option on its warning dialog for this. Don't know about other browsers.

Note that you'll have to enter your user ID and password the first time you login with https://thementalmilitia.com/forums/ , but if you have cookies enabled in your browser (the default for most browsers), it will remember them after that.

I have to change an .htaccess file to make the wiki properly respond to https://tcftalk.com/wiki/ , but I expect to do that tonite.

If you use encrypted (https) access to the forum, please change your bookmarks to:

https://thementalmilitia.com/forums/

Yay!
Title: Re: TCF SSL Access
Post by: Claire on April 04, 2007, 10:30:53 am
Yay! indeed -- and thank you, Bill. It was quite a surprise to get an email from "Abuse Investigations" at our hosting service. Poor innocent us; we had no idea there was any problem. Neither Debra nor I even understood what the Hosting Matters support folks were talking about. So thank heaven for Bill, his tech skills, and his efficiency.

Off to change my bookmarks right now.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on April 04, 2007, 07:32:59 pm
OK. http://tcftalk.com/wiki/ works now, for me, and the old erte.hmdnsgroup.com address does NOT work. So if the new IP address hasn't propagated to your DNS server, you'll have to add the DNS to your /etc/hosts file to get to the wiki. I changed the New Box accordingly.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on April 05, 2007, 08:38:04 am
I just fixed the original problem that Hosting Matters complained about by redirecting http(s)://erte.hmdnsgroup.com/~tcftalk/* to https://tcftalk.com/* .

That will break the board completely for anybody who doesn't have the correct IP address. Hopefully, the DNS change has propagated by now.

There IS a work-around. You can use the IP address directly:

  http://63.247.128.94/clairefiles/
  https://63.247.128.94/clairefiles/

The encrypted version will cause your browser to complain that the domain in the SSL certificate is not 63.247.128.94, but it will work.

Adding a line to /etc/hosts will also work:

  63.247.128.94  tcftalk.com www.tcftalk.com
Title: Re: TCF SSL Access
Post by: barkingowl on April 10, 2007, 08:35:55 pm
Thanks Bill! I can see the little lock icon displayed in the upper right corner of my Safari window.  :mellow:
Title: Re: TCF SSL Access
Post by: Bill St. Clair on August 17, 2007, 08:18:21 am
I got a notice today from cacert.org that our SSL certificate would expire in 45 days, so I renewed it today, while I'm thinking of it. I expect Hosting Matters to install it soon. When they do, you may get a warning that the certificate is unrecognized, and you'll have to tell your browser to accept it, permanently if you don't want to see the warning again, or temporarily if you do.
Title: Re: TCF SSL Access
Post by: username on August 17, 2007, 10:22:48 am
If you really want to have an effectively secure forum there are several things that need to be done beyond SSL. Of course like in anything, there is risk of users being undercover agents gathering information, essentially compromising the most secure environments.

Honestly, the only real solution is to keep your groups small and your members well known. :)

Userame
Title: Re: TCF SSL Access
Post by: Bill St. Clair on June 21, 2008, 04:46:56 pm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Somebody asked me to post the fingerprints of our SSL certificate. I sent
email, but it appears to have not arrived.

The certificate's fingerprints are:

  SHA1: C3:B7:FD:6B:9C:9B:2C:13:DF:07:8E:61:55:E2:19:51:D4:35:37:98
  MD5:  8B:FD:FB:19:B8:06:04:8C:13:7B:D3:F4:1F:34:FC:77

Because I'm using a cacert.org free certificate, I have to update it every
six months. From now on I'll post the fingerprints, signed with my PGP key,
when I update.

There is some concern with the Debian key generation problem. I don't think
our certificate has that.

The TMM certificate was generated by cacert.org. http://blog.cacert.org/
says:

"Luckly, the CAcert Root Class 1 and 3 keys are not affected as these were
generated before the vulnerability was introduced into Debian[3] in
September 2006. The process that signs CSR (certificate signing requests)
and therefore all signed public keys does not use any key generation, so
they are not affected by CAcert. Conclusion: CAcert does NOT have to
reissue every signed certificate."

cacert uses Debian internally, so there is a tiny chance that somebody
snuck into their system using a forged SSH key, and stole their root
certificate private key. They didn't think that was enough of a threat to
regenerate their root certificate, though.

The TMM certificate's private key was generated by site5.com's automated
system. I can't find anywhere whether they use Debian for that. It appears
from /proc/version in the SSH environment on our hosting machine, that it
is Red Hat 3.4.6-9. That doesn't imply that their SSL certificate signing
request generator is also running Red Hat, but I'd call it likely.

Bill

-----BEGIN PGP SIGNATURE-----
Version: 9.7.2.1608

wlcDBQFIXXYzesiiYincerIRCKPHAQD8DYffJc1tEQ8kevCjw4Q6VJUcFzowgmDl
2oTYVEzA1wEAk/cb5HkCATVTLzf7iGRIai/MOKt7yznpNHDYDVQTZ8E=
=hFUk
-----END PGP SIGNATURE-----
Title: Re: TCF SSL Access
Post by: gridboy on July 01, 2008, 09:35:51 am

Hi,

 I'm getting a warning from my browser that these pages are partially unencrypted.
Is that the intent?

Thanks,
gridboy
Title: Re: TCF SSL Access
Post by: Bill St. Clair on July 01, 2008, 10:27:36 am

Quote
Hi,
I'm getting a warning from my browser that these pages are partially unencrypted.
Is that the intent?
Thanks,
gridboy

There are two places that warning can come from:

1) The Google Adsense banner at the top of the page

2) User avatars stored on external web sites.

Those are expected. They could possibly be used to associate your IP address with that page you're browsing here.
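
The two sources listed in the post above can be found mechanically. This is an added example (not part of the original thread and not SMF code): it parses a page's HTML and reports subresources that are fetched over plain http, which triggers the browser warning, or from another host, which then sees the reader's IP address. The class and function names and the sample markup with example.* hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute the browser fetches on its own while rendering.
FETCHED = {"img": "src", "script": "src", "iframe": "src",
           "embed": "src", "link": "href"}


class SubresourceAudit(HTMLParser):
    """Collect subresources that weaken the privacy of an HTTPS page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = FETCHED.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        # <link> only causes an automatic fetch for stylesheets and icons.
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & {"stylesheet", "icon"}:
                return
        raw = attrs.get(attr)
        if not raw:
            return
        # Resolve relative references against the page, as the browser does.
        target = urlsplit(urljoin(self.page_url, raw.strip()))
        if target.scheme not in ("http", "https"):
            return  # data: and similar schemes are not network fetches
        problems = []
        if target.scheme == "http":
            problems.append("mixed-content")   # sent in the clear
        if target.hostname != self.page_host:
            problems.append("third-party")     # another host sees the request
        if problems:
            self.findings.append((tag, target.geturl(), problems))


def audit(page_url, html):
    """Return a list of (tag, absolute_url, problems) for one page."""
    parser = SubresourceAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one local avatar, one off-site avatar, one off-site
# messenger status icon, one ad script and the forum's own stylesheet.
PAGE_URL = "https://thementalmilitia.com/forums/index.php?topic=9043"
SAMPLE_HTML = """
<div class="post">
  <img class="avatar" src="/forums/avatars/local-member.png">
  <img class="avatar" src="http://avatars.example.net/member.png">
  <img class="im-status" src="http://status.example.org/online?user=member">
</div>
<script src="https://ads.example.com/show_ads.js"></script>
<link rel="stylesheet" href="Themes/default/style.css">
"""

if __name__ == "__main__":
    for tag, url, problems in audit(PAGE_URL, SAMPLE_HTML):
        print(f"<{tag}> {url}: {', '.join(problems)}")
```

Uploading avatars to the forum itself, as suggested earlier in the thread, removes both findings for those images.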
Title: Re: TCF SSL Access
Post by: Apple on July 01, 2008, 01:22:55 pm
Thanks for the heads-up Bill. I did indeed not receive any e-mail from you; how odd. ??? Thanks also for keeping us up to date regarding the certificate from now on. And I didn't even have to ask! :notworthy:

Finally, I never saw this thread until it was posted to again today. My bad, it must have slipped through the cracks.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on July 01, 2008, 01:52:49 pm
Quote
Thanks for the heads-up Bill. I did indeed not receive any e-mail from you; how odd. ??? Thanks also for keeping us up to date regarding the certificate from now on. And I didn't even have to ask!

I tried to send email twice to your remailer, and both times it bounced. Maybe your remailer doesn't like gmail.

Anyway, posting it here makes more sense anyway. That way I can post the updated hashes a few days before I do the install, so people have time to prepare.
Title: Re: TCF SSL Access
Post by: da gooch on September 21, 2008, 11:36:51 am

Hey Bill,

I have just gotten a certificate expired notice dated 9-21-08.

Using Win XP Home is there a setting I need to change for my machine to automatically accept the TMM/TCF certificate ?

[humor sort of ....]
Is it finally time to bail out and start shooting ?
[/sick attempt at humor]

Thanks man.

PS
How's "Fall" coming along up there in "them thar hills" ?
Title: Re: TCF SSL Access
Post by: Bill St. Clair on September 21, 2008, 02:40:36 pm
I don't remember how to tell XP to accept a certificate, but you won't need to do it for long. I submitted a new certificate to our web hosting service. It should go live soon.
Title: Re: TCF SSL Access
Post by: da gooch on September 21, 2008, 02:44:33 pm

Cool !
:thumbsup:
Title: Re: TCF SSL Access
Post by: Bill St. Clair on September 21, 2008, 02:49:14 pm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Here is information for the new SSL certificate, which should go live soon.

Serial Number: 379313 (0x5c9b1)
Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing
Authority/emailAddress=support@cacert.org

Validity
  Not Before: Sep 21 19:12:44 2008 GMT
  Not After : Mar 20 19:12:44 2009 GMT

Fingerprint
  MD5:  A2:A4:49:FA:B0:22:62:77:CC:0B:22:E1:F4:72:76:76
  SHA1: 14:75:55:D4:29:4E:54:54:C8:38:9D:19:6E:00:D5:FF:F3:F4:91:46

-----BEGIN PGP SIGNATURE-----
Version: 9.7.2.1608

wlcDBQFI1qUkesiiYincerIRCF73AP4u0M4cBWKK+OmyZ74uFYl168zzZ1ZUcsOI
IarKXk3ACQD/ZA8BirsE7ST1uJHBedfz361aUjZZieiU/J9YpOnJLBA=
=3S3/
-----END PGP SIGNATURE-----
Title: Re: TCF SSL Access
Post by: Lightning on September 21, 2008, 03:19:56 pm
Thank you, Bill.   :wub:
Title: Re: TCF SSL Access
Post by: Bill St. Clair on September 22, 2008, 07:09:59 am
OK. The new certificate is installed. Look to my last post in this thread for info, those of you who check that.
Title: Re: TCF SSL Access
Post by: MamaLiberty on September 22, 2008, 07:29:55 am
I got the invalid cert notice again this morning. I've clicked on "make an exception" each time, but of course it goes nuts and really tries to talk me out of it. LOL  I'm just firm with it and eventually get my way. <G>
Title: Re: TCF SSL Access
Post by: Bill St. Clair on September 22, 2008, 10:23:24 am
If you import the CACert root certificate, you shouldn't see a warning the next time I update, next March.

http://www.cacert.org/index.php?id=3

Click the "Root Certificate (PEM Format)" link on that page for Firefox and most other web browsers. Click the "Click here if you want to import the root certificate into Microsoft Internet Explorer 5.x/6.x" link for MS Explorer.
Title: Re: TCF SSL Access
Post by: MamaLiberty on September 22, 2008, 11:37:18 am
Quote
If you import the CACert root certificate, you shouldn't see a warning the next time I update, next March.
http://www.cacert.org/index.php?id=3
Click the "Root Certificate (PEM Format)" link on that page for Firefox and most other web browsers. Click the "Click here if you want to import the root certificate into Microsoft Internet Explorer 5.x/6.x" link for MS Explorer.

" on that page" -- what page?

I have no idea how to do that, or why it would be necessary. I've never had this "cert" message for any other site I've visited.
Title: Re: TCF SSL Access
Post by: ZooT_aLLures on September 22, 2008, 12:14:17 pm
Quote
I've never had this "cert" message for any other site I've visited.

That's because almost everyone pays the money rather than having their guests/customers see the "Warning, Warning Will Robinson" messages.........

It's softcore extortion..........pay the money or we'll scare your customers/guests away

Title: Re: TCF SSL Access
Post by: Bill St. Clair on September 22, 2008, 12:26:10 pm
Quote
If you import the CACert root certificate, you shouldn't see a warning the next time I update, next March.
http://www.cacert.org/index.php?id=3
Click the "Root Certificate (PEM Format)" link on that page for Firefox and most other web browsers. Click the "Click here if you want to import the root certificate into Microsoft Internet Explorer 5.x/6.x" link for MS Explorer.
" on that page" -- what page?

http://www.cacert.org/index.php?id=3

Quote
I have no idea how to do that, or why it would be necessary. I've never had this "cert" message for any other site I've visited.

Firefox 2 wasn't nearly as in your face about it as Firefox 3. Maybe you were using Firefox 2 six months ago when I last updated the SSL certificate.
Title: Re: TCF SSL Access
Post by: MamaLiberty on September 22, 2008, 12:50:03 pm
Quote
Firefox 2 wasn't nearly as in your face about it as Firefox 3. Maybe you were using Firefox 2 six months ago when I last updated the SSL certificate.

I wouldn't know. Firefox updates itself from time to time, and I recall it just did a big download that required a restart a few days ago - which always annoys me because it wants to do so in the middle of my work day. GRRR  It HAS to be a restart, seems like. Just shutting down and booting up the next day doesn't satisfy it.

I went to that page and clicked... it said I already had that certificate. <G> Don't ask me... I didn't do anything. LOL
Title: Re: TCF SSL Access
Post by: Bill St. Clair on September 22, 2008, 04:05:06 pm
Quote
I went to that page and clicked... it said I already had that certificate. <G> Don't ask me... I didn't do anything. LOL

That's what it did for me, too. You should be all set. We'll find out six months from now, when you'll either not notice anything changing, or have to go through the same rigmarole you did this time.
Title: Re: TCF SSL Access
Post by: Apple on September 22, 2008, 04:20:46 pm
Thanks for the heads-up Bill! New cert verified and accepted.
Title: Re: TCF SSL Access
Post by: da gooch on September 24, 2008, 09:40:34 am
Weird stuff going on over here.

I access the net and select the https version bookmark of TMM to receive a "Connection Problems" warning page - twice.
So .....  I hit scroogle and approach from the http side and not on a bookmark .... it opens fine until I attempt to open the https version then "Connection Problems" is back.

Clear history, clear cache, start over.
I even close the FireFox browser to clear all of the stored input.
I restart FireFox and this time I use the http version bookmark and Voy-Lah here we is .....
I did attempt to use the https version and got the same "Connection Problems".

Suggestions ?

I am OK with using the http version but have always "felt" that the other was a trifle safer ?  No ?

[Side note I DID receive and Accept Permanently the new cert Yesterday.]

Thoughts ?   Suggestions ?
Title: Re: TCF SSL Access
Post by: Bill St. Clair on September 24, 2008, 01:01:09 pm
You should be using https://thementalmilitia.com/ , not https://www.thementalmilitia.com/ . The latter will work, but requires you to permanently allow the exception of the domain not matching the certificate.

What exactly does it say on the "Connection Problems" dialog?
Title: Re: TCF SSL Access
Post by: da gooch on September 25, 2008, 08:35:27 pm
Quote
You should be using https://thementalmilitia.com/ , not https://www.thementalmilitia.com/ . The latter will work, but requires you to permanently allow the exception of the domain not matching the certificate.
What exactly does it say on the "Connection Problems" dialog?


I didn't save a copy so ... I don't 'member Exactly.

It went Something like:
Connection Problems

We're sorry the web page you have requested is having connection problems please try again later ....
or some such.

IF it happens again I will do a screen shot for you and IF I remember I'll try to capture the 'page source' info as well.

It hasn't happened since ....

  BTW I do use https://thementalmilitia.com/ as my link to TMM.

Sorry I didn't think to save the text  etc ....
Title: Re: TCF SSL Access
Post by: Bill St. Clair on September 26, 2008, 06:17:17 am
That sounds more like a busy database, something that happens from time to time. Also, there was a short time yesterday when the httpd process went down on our web server machine. That's the process that serves the web. Maybe the same happened for a while on Wednesday. These little hiccups happen on every shared hosting site I've used. Paying more for a dedicated host tends to make them better, but you still get power outages and network problems. Nothing to be done except do your best to report outages to somebody who can fix 'em, and wait.
Title: Re: TCF SSL Access
Post by: Get Ready on January 25, 2009, 05:42:21 am
This is the message I am getting.

Secure Connection Failed

thementalmilitia.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is not trusted.

(Error code: sec_error_untrusted_issuer)

    * This could be a problem with the server's configuration, or it could be someone trying to impersonate the server.

    * If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.

Or you can add an exception…

You should not add an exception if you are using an internet connection that you do not trust completely or if you are not used to seeing a warning for this server.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on January 25, 2009, 05:58:27 am
In order to save money, TMM uses a free certificate, signed by cacert.org. cacert's root certificate is not in most browsers, including Firefox, so they report the problem you saw. Check the MD5 and SHA1 hashes of the certificate to ensure that they match those I posted here (http://thementalmilitia.com/forums/index.php?topic=9043.msg240739#msg240739), and install the exception, and you'll stop seeing the problem, until I make a new certificate in March, when you'll have to do it again.
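
The check described in the post above, as an added example (not code from the forum or from cacert.org): it parses a fingerprint block in the layout of the signed posts in this thread and compares every listed hash with a certificate's DER bytes, so the exception is only accepted when all of them match. The function names are this example's own, `SAMPLE_DER` is a constructed stand-in for real certificate bytes, and SHA256 lines are accepted as well because that is the fingerprint current browsers display.

```python
import hashlib
import hmac
import re
import ssl

# Fingerprint block in the layout of the signed posts in this thread
# (values copied from the September 21, 2008 post).
POSTED = """\
Fingerprint
  MD5:  A2:A4:49:FA:B0:22:62:77:CC:0B:22:E1:F4:72:76:76
  SHA1: 14:75:55:D4:29:4E:54:54:C8:38:9D:19:6E:00:D5:FF:F3:F4:91:46
"""

DIGEST_BYTES = {"md5": 16, "sha1": 20, "sha256": 32}
_LINE = re.compile(
    r"^[ \t]*(MD5|SHA1|SHA256):[ \t]*([0-9A-Fa-f:]+)[ \t]*$", re.M | re.I
)


def parse_posted(text):
    """Return {algorithm: digest bytes} for each fingerprint line in text."""
    posted = {}
    for name, value in _LINE.findall(text):
        algo = name.lower()
        digest = bytes.fromhex(value.replace(":", ""))
        if len(digest) != DIGEST_BYTES[algo]:
            # A truncated paste must not be mistaken for a valid fingerprint.
            raise ValueError(f"{name} fingerprint has {len(digest)} bytes")
        posted[algo] = digest
    return posted


def format_fingerprint(digest):
    """Render digest bytes the way browsers and the posts show them."""
    return ":".join(f"{b:02X}" for b in digest)


def check_certificate(der, posted_text):
    """Compare DER certificate bytes with every posted fingerprint.

    Returns (ok, per_algorithm). ok is True only when at least one
    fingerprint was posted and all of them match.
    """
    results = {}
    for algo, want in parse_posted(posted_text).items():
        got = hashlib.new(algo, der).digest()
        results[algo] = hmac.compare_digest(got, want)
    return bool(results) and all(results.values()), results


def fetch_der(host, port=443):
    """Fetch the server's certificate without validating its chain.

    Validation is skipped on purpose: the issuing CA is not in the trust
    store, so the posted fingerprint is the only thing being trusted.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed stand-in for a certificate's DER bytes, so the example runs
# offline. It is not the forum's certificate and will not match POSTED.
SAMPLE_DER = b"abc"

if __name__ == "__main__":
    ok, detail = check_certificate(SAMPLE_DER, POSTED)
    print("match" if ok else "MISMATCH, do not add the exception", detail)
    print("SHA1 of sample:",
          format_fingerprint(hashlib.sha1(SAMPLE_DER).digest()))
```

The comparison is only as trustworthy as the channel the fingerprints arrived through, which is why the posts carrying them are PGP-signed.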
Title: Re: TCF SSL Access
Post by: Get Ready on January 25, 2009, 06:30:33 am
Thanks Bill.
Title: Re: TCF SSL Access
Post by: Apple on January 25, 2009, 10:12:17 am
Secure Connection Failed (http://thementalmilitia.com/wiki/Secure_Connection_Failed)

(No, don't beat yourself up for missing that. It's New™.)
Title: Re: TCF SSL Access
Post by: Bill St. Clair on January 25, 2009, 10:34:37 am
Secure Connection Failed (http://thementalmilitia.com/wiki/Secure_Connection_Failed)

(No, don't beat yourself up for missing that. It's New™.)

Thanks to Strange Attraction for making a permanent place to document our free certificate. I'll do my best to remember to update the template (http://thementalmilitia.com/wiki/Template:TMM_Cert_Fingerprint_Signed) he created the next time I update the SSL certificate.
Title: Re: TCF SSL Access
Post by: Apple on January 25, 2009, 12:30:46 pm
Thanks to Strange Attraction for making a permanent place to document our free certificate. I'll do my best to remember to update the template (http://thementalmilitia.com/wiki/Template:TMM_Cert_Fingerprint_Signed) he created the next time I update the SSL certificate.

You're welcome Bill. :sunny:

Anyone care to write the IE section? All I need is a list of the form:
* Do A
* Do B
* Do C
* ...
Title: Re: TCF SSL Access
Post by: Bill St. Clair on January 25, 2009, 01:07:13 pm
You're welcome Bill. :sunny:

Ah. I hadn't made the connection. Apple = Strange Attraction. Well met, sir.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on March 05, 2009, 09:04:17 pm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Our SSL certificate was set to expire in on 3/20, so I've renewed it.
The new certificate should go live soon.

Serial Number: 428702 (0x68a9e)
Issuer: O=Root CA,
        OU=http://www.cacert.org,
        CN=CA Cert Signing Authority/emailAddress=support@cacert.org

Validity
  Not Before: Mar  6 02:30:03 2009 GMT
  Not After : Sep  2 02:30:03 2009 GMT

Fingerprint
  MD5:  83:BE:F9:43:67:B3:21:89:6D:0D:8E:2E:3B:32:EF:A2
  SHA1: 07:AC:D0:A1:38:FE:90:C8:81:E3:7F:D7:AB:8F:AD:33:20:5E:29:54

-----BEGIN PGP SIGNATURE-----
Version: 9.7.2.1608
-----END PGP SIGNATURE-----
Title: Re: TCF SSL Access
Post by: da gooch on March 06, 2009, 09:25:39 am

It went live some time this morning or last night Bill.
{I had to go through the Firefox "add an exception" rig-a-ma-role to get on.}

Which is fortuitous as today is March the 6th and on this date 173 years ago the Alamo became a Texas Shrine and her defenders strode into History.

BTW 

THANK YOU
and Apple   And all of the others that work together to keep this site up and running.

Many thanks,

gooch

Title: Re: TCF SSL Access
Post by: Apple on March 10, 2009, 07:20:29 pm
Thanks for the feathers Gooch, but for the record, I'm not involved with running the site in any way, shape or form. I just try to help out where I can (In a non-running-the-site kind of way.)

Thanks for the timely update Bill. I've updated the template.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on September 02, 2009, 07:39:20 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Our SSL certificate expired yesterday. I've renewed it, and asked the Site5
folks to update. They should do that soon. Below is the information on the
new certificate.

Serial Number: 483499 (0x760ab)

Issuer: O=Root CA,
        OU=http://www.cacert.org,
        CN=CA Cert Signing Authority/emailAddress=support@cacert.org

Validity
    Not Before: Sep  2 12:18:35 2009 GMT
    Not After : Mar  1 12:18:35 2010 GMT

Fingerprint
  MD5:  30:7B:E5:41:F9:F5:A5:D9:44:FF:D2:AB:2A:86:ED:07
  SHA1: 94:88:03:4C:BD:E0:46:B7:ED:2B:35:43:4F:87:FF:7A:43:CD:05:6A

-----BEGIN PGP SIGNATURE-----
Version: 9.10.0.500
-----END PGP SIGNATURE-----
Title: Re: TCF SSL Access
Post by: da gooch on September 02, 2009, 09:10:10 pm
Yep ...
I noticed and told Firefox to "Bring it on" ...
well ok  accept is the real answer but it's not as Brazen and Bold and boy am I struggling for these words ...
I think I'll quit while I'm a  head ....  :ph34r:   :rolleyes:
Title: Re: TCF SSL Access
Post by: katrinebonn on February 26, 2010, 08:19:33 pm
debra, I visited the live links you posted on your first post on this thread and I have found the first as not online and the other as, I think, another web page.  Can you post the working live link of the web page you are discussing?

Edit: spam link removed.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on March 03, 2010, 09:12:17 am
I appear to have allowed our SSL certificate to expire (March 1). Will get a new one soon, likely tonite.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on March 04, 2010, 04:32:44 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Our SSL certificate expired on 3/1, so I've renewed it.
The new certificate should go live soon.

Serial Number: 544199 (0x84dc7)
Issuer: O=Root CA,
        OU=http://www.cacert.org,
        CN=CA Cert Signing Authority/emailAddress=support@cacert.org

Validity
  Not Before: Mar  4 10:20:46 2010 GMT
  Not After : Aug 31 10:20:46 2010 GMT

Fingerprint
  MD5:  E6:F0:79:F0:1D:44:C8:F4:78:71:C4:A0:65:9E:69:4B
  SHA1: A4:6C:5F:F9:46:88:6E:E0:23:20:17:27:87:7C:77:7D:DB:26:93:50

-----BEGIN PGP SIGNATURE-----
Version: 10.0.0.2732

-----END PGP SIGNATURE-----
Title: Re: TCF SSL Access
Post by: Bill St. Clair on March 04, 2010, 08:07:21 am
New certificate installed and working (for me).
Title: Re: TCF SSL Access
Post by: Bill St. Clair on August 29, 2010, 08:05:23 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Our SSL certificate expires on 8/31/2010, so I've renewed it. The new
one should go live soon.

Serial Number: 597249 (0x91d01)
Issuer: O=Root CA,
        OU=http://www.cacert.org,
        CN=CA Cert Signing Authority/emailAddress=support@cacert.org

Validity
  Not Before: Aug 29 12:44:37 2010 GMT
  Not After : Feb 25 12:44:37 2011 GMT

Fingerprint
  MD5:  0D:18:ED:F4:1E:3B:47:29:E6:B1:DE:58:69:70:B4:17
  SHA1: 21:FA:43:6F:E9:27:F3:B6:CB:74:84:6A:59:A9:BC:7F:DA:FD:55:91
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----
Title: Eliminating SSL-related annoyances from Internet Explorer
Post by: wws on January 10, 2011, 06:58:56 am
First off, I don't recommend using Internet Explorer for web browsing. It has historically been a very insecure web browser, famous for allowing viruses to infect your computer. Microsoft may have fixed those problems, and anti-virus software may mitigate them, but I still recommend that you install Firefox or Chrome or Opera, and use those for your web browsing.

If you come here with SSL turned on (https://thementalmilitia.com/forums/), Microsoft's Internet Explorer (IE) will complain every time you first come here about our cacert.org signed certificate. You can tell it to connect anyway by clicking on "Continue to this website (not recommended)" on the "There is a problem with this website's security certificate" page, but that's a bit of a pain. To permanently make the problem go away, you need to import the cacert.org root certificate. Do this by clicking on http://www.cacert.org/certs/root.crt and telling the resulting dialog to "Open" the file. You may have to verify that on another dialog. On the "Certificate" window that pops up, click "Install Certificate...", click "Next", select the "Place the certificate in the following store" radio button, click "Browse...", single-click the "Trusted Root Certification Authorities" folder, click "OK", click "Next", click "Finish", and click "Yes" on the resulting "Security Warning" dialog.

Another problem you'll encounter is that on every page load, IE will complain about unencrypted content. That's the Google ads on every page. To get rid of that warning, choose "Internet Options" from the "Tools" menu, click the "Security" tab in the resulting dialog, click the "Internet" zone, scroll down to "Display Mixed Content" in the "Miscellaneous" section, and click either "Disable" or "Enable", and click "OK" twice. If you "Disable" content you won't see the Google ads, neither will you help to pay for the site by viewing them.

I wrote these instructions in Internet Explorer 8 in Windows Vista. The dialogs may be slightly different in different versions of IE and Windows.
Title: Re: TCF SSL Access
Post by: MamaLiberty on January 10, 2011, 07:45:42 am
Thanks. :) I find the google ads very entertaining sometimes... and often click onto them just for fun. I run linux, so am not worried.  :laugh:
Title: Re: TCF SSL Access
Post by: Elias Alias on January 11, 2011, 08:01:43 am
Truly appreciated, wws. Thank you.
Salute!
Elias
Title: Re: TCF SSL Access
Post by: Bill St. Clair on February 25, 2011, 08:15:48 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Our SSL certificate expired today, 2/25/2011, so I've renewed it. The new
one should go live soon.

Serial Number: 645888 (0x9db00)
Issuer: O=Root CA,
        OU=http://www.cacert.org,
        CN=CA Cert Signing Authority/emailAddress=support@cacert.org

Validity
  Not Before: Feb 25 13:56:50 2011 GMT
  Not After : Aug 24 13:56:50 2011 GMT

Fingerprint
  MD5:  08:60:FC:A5:73:82:FA:39:F8:45:88:41:D9:7B:6A:4C
  SHA1: 76:4E:8E:0F:03:58:FB:AF:08:4E:E0:46:4E:A7:3C:AA:9A:77:EE:C6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
Title: Re: TCF SSL Access
Post by: Elias Alias on February 25, 2011, 09:30:55 am
Awesome, Bill. Thank you.

Salute!
Elias
Title: Re: TCF SSL Access
Post by: Elias Alias on March 08, 2011, 11:45:33 am
Thanks for your information. I am a new buddy.
I like for your information. Please transferring in
letest information.

Ah, yes indeed!
Title: Re: TCF SSL Access
Post by: MamaLiberty on May 27, 2011, 06:57:19 am
Thanks for your information. I am a new buddy.
I like for your information. Please transferring in
letest information.

Ah, yes indeed!

That was a spambot, Elias. Nuked 'em. :)
Title: Re: TCF SSL Access
Post by: Bill St. Clair on August 20, 2011, 09:18:13 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Our SSL certificate expires on 8/24/2011, so I've asked Site5 to
renew it. The new one should go live soon.

Serial Number: 694738 (0xa99d2)645888 (0x9db00)
Issuer: O=Root CA,
        OU=http://www.cacert.org,
        CN=CA Cert Signing Authority/emailAddress=support@cacert.org

Validity
  Not Before: Aug 20 12:39:09 2011 GMT
  Not After : Feb 16 12:39:09 2012 GMT

Fingerprint
  MD5:  E6:AB:E8:4C:AE:FC:24:92:4F:CC:6B:1A:3E:15:6E:4B
  SHA1: 3F:DF:43:F0:C5:E6:2B:C0:6C:0D:D0:9E:39:DB:F7:04:55:27:05:42
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
Title: Re: TCF SSL Access
Post by: MamaLiberty on August 20, 2011, 09:40:23 am
Ok, I suspect I ask this every time... but I don't know what to do with this. Do I plug in that code somewhere? I'm so dumb about these things.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on August 20, 2011, 12:40:13 pm
You don't need to do anything, except to know that when the new certificate gets installed, you may need to tell your browser to accept it. If you're serious about security, you'll also check my PGP signature on the message above, and then compare the serial number and fingerprints I included with those for the certificate. But if that's all gobbledygook to you, don't worry about it.
Title: Re: TCF SSL Access
Post by: MamaLiberty on August 20, 2011, 01:06:26 pm
Well, ok... but I occasionally like to learn new gobbledygook.  :wub: I'll see what happens.
Title: Re: TCF SSL Access
Post by: mcgeorge on September 05, 2011, 12:01:02 pm
If you have gpg installed you can verify the cert info by doing this (from a Linux terminal) after copying the text into a file named tmm.txt:

Code: [Select]
$ gpg --verify tmm.txt
gpg: Signature made Sat 20 Aug 2011 06:42:10 AM PDT using RSA key ID 178396B0
gpg: Can't check signature: public key not found
$ gpg --recv-key 178396B0
gpg: requesting key 178396B0 from hkp server pgp.mit.edu
gpg: key 178396B0: public key "Bill St. Clair <billstclair@gmail.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   2  signed:  11  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:  11  signed:   9  trust: 8-, 0q, 0n, 1m, 2f, 0u
gpg: depth: 2  valid:   6  signed:   2  trust: 6-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2017-11-09
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
$ gpg --verify tmm.txt
gpg: Signature made Sat 20 Aug 2011 06:42:10 AM PDT using RSA key ID 178396B0
gpg: Good signature from "Bill St. Clair <billstclair@gmail.com>"
gpg:                 aka "Bill St. Clair <wws@clozure.com>"
gpg:                 aka "Bill St. Clair <bill@billstclair.com>"
gpg:                 aka "Bill St. Clair <billstclair@rayservers.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: ADCC 86B5 6ED3 0F05 9463  1A97 D8A6 F7DC 1783 96B0

As long as you trust the source for Bill's key you have now verified that he has signed the new certificate info. You can then go into your browser's certificate viewing dialog and confirm that the details match the certificate your browser has loaded. The most important detail to confirm is the Fingerprint.
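
The comparison described in this thread (check the signed announcement, then compare its fingerprints with the certificate your browser received), sketched in Python as an added example that is not code from the thread. The function names and the stand-in certificate bytes are assumptions made for illustration, and the announcement text is assumed to have already passed `gpg --verify`.

```python
import hashlib
import hmac
import re
import ssl

# Fingerprint block copied from the May 05, 2015 announcement on this page.
ANNOUNCEMENT_2015 = """\
Fingerprint
  SHA-256: 28:7E:86:E5:7D:88:68:62:0A:E0:F0:3D:A3:4C:7A:EA:
           BD:55:51:98:88:65:28:90:4E:E8:F6:02:A3:82:D7:C3
  SHA1:    1A:3A:4C:B8:94:CD:86:0C:70:2E:B2:BA:47:11:BF:FD:0C:3A:BA:03
  MD5:     43:7D:52:EE:C8:3B:D2:89:1A:1D:3A:70:7D:54:89:55
"""

# Constructed stand-in for certificate bytes (NOT a real X.509 certificate).
# A fingerprint is a hash over the DER encoding, so any bytes exercise the logic.
# For a live site, ssl.get_server_certificate((host, 443)) returns the PEM text.
SAMPLE_DER = b"constructed stand-in bytes, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

# Label as normalised below -> (hashlib name, digest length in bytes).
# MD5 and SHA-1 are collision-prone; rely on SHA-256 when it is announced.
ALGORITHMS = {"MD5": ("md5", 16), "SHA1": ("sha1", 20), "SHA256": ("sha256", 32)}

# Accepts "MD5:  ..", "SHA1: ..", "SHA-256: .." and "MD5 Fingerprint=..".
LABEL_LINE = re.compile(
    r"^\s*(MD5|SHA-?1|SHA-?256)(?:\s+Fingerprint)?\s*[:=]\s*(.*)$", re.I)
HEX_ONLY_LINE = re.compile(r"^\s*(?:[0-9A-Fa-f]{2}:?)+\s*$")


def parse_announced_fingerprints(text):
    """Return {label: lowercase hex digest} for every fingerprint in the text."""
    raw, current = {}, None
    for line in text.splitlines():
        match = LABEL_LINE.match(line)
        if match:
            current = match.group(1).upper().replace("-", "")
            raw[current] = match.group(2)
        elif current and HEX_ONLY_LINE.match(line):
            raw[current] += line  # wrapped value, as in the SHA-256 entry
        else:
            current = None
    parsed = {}
    for label, value in raw.items():
        hexval = re.sub(r"[\s:]", "", value).lower()
        expected_len = 2 * ALGORITHMS[label][1]
        if not re.fullmatch(r"[0-9a-f]+", hexval) or len(hexval) != expected_len:
            raise ValueError(f"malformed {label} fingerprint: {value!r}")
        parsed[label] = hexval
    return parsed


def certificate_fingerprints(cert):
    """Hash the DER encoding of a certificate given as PEM text or DER bytes."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return {label: hashlib.new(name, der).hexdigest()
            for label, (name, _) in ALGORITHMS.items()}


def check_certificate(cert, announcement):
    """Return {label: bool} for each announced fingerprint."""
    announced = parse_announced_fingerprints(announcement)
    if not announced:
        raise ValueError("announcement contains no fingerprints")
    actual = certificate_fingerprints(cert)
    return {label: hmac.compare_digest(actual[label], value)
            for label, value in announced.items()}


def certificate_matches(cert, announcement):
    """True only if every announced fingerprint matches the certificate."""
    return all(check_certificate(cert, announcement).values())


def format_fingerprint(hexval):
    """Render a hex digest in the colon-separated form used in the thread."""
    return ":".join(hexval[i:i + 2] for i in range(0, len(hexval), 2)).upper()


if __name__ == "__main__":
    # Constructed announcement for the stand-in bytes, then a mismatch case.
    own = certificate_fingerprints(SAMPLE_PEM)
    text = "\n".join(f"  {k}: {format_fingerprint(v)}" for k, v in own.items())
    print("matching announcement:", check_certificate(SAMPLE_PEM, text))
    print("2015 announcement:    ", check_certificate(SAMPLE_PEM, ANNOUNCEMENT_2015))
```

A mismatch on any announced fingerprint means the certificate presented to you is not the one described in the signed post, so the exception should not be added.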

Title: Re: TCF SSL Access
Post by: da gooch on December 30, 2011, 09:15:09 pm
You don't need to do anything, except to know that when the new certificate gets installed, you may need to tell your browser to accept it. If you're serious about security, you'll also check my PGP signature on the message above, and then compare the serial number and fingerprints I included with those for the certificate. But if that's all gobbledygook to you, don't worry about it.

"you may need to tell your browser to accept it."

OK How do I do that in Firefox? [V 3.6.7]

I log on and the security padlock is green up until the last two or three seconds of its loading. Then the red X pops up and the green check goes away.

Where is the magic button that lets me "Allow" TMM - all pages- located?

Thanks Bill,

gooch
Title: Re: TCF SSL Access
Post by: Bill St. Clair on December 31, 2011, 08:20:07 am
I'm running Firefox 9.x. Don't think I have any machines running 3.x to try it on, so I can't tell you for sure. If you're seeing the page, though, the red X shouldn't be a problem. If you're not, try clicking on that red X, and navigating through the resulting dialog.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on December 31, 2011, 08:23:44 am
Another possibility is to go to http://www.cacert.org/index.php?id=3 . Click on the "Root Certificate (PEM Format)" link (http://www.cacert.org/certs/root.crt). A dialog should come up. Check "Trust this CA to identify web sites", and click "OK".
Title: Re: TCF SSL Access
Post by: MamaLiberty on December 31, 2011, 10:21:31 am
Another possibility is to go to http://www.cacert.org/index.php?id=3 . Click on the "Root Certificate (PEM Format)" link (http://www.cacert.org/certs/root.crt). A dialog should come up. Check "Trust this CA to identify web sites", and click "OK".

Which one? I don't see one for linux...

Class 1 PKI Key
Click here if you want to import the root certificate into Microsoft Internet Explorer 5.x/6.x
Root Certificate (PEM Format)
Root Certificate (DER Format)
Root Certificate (Text Format)
CRL
Fingerprint SHA1: 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
Fingerprint MD5: A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B

Class 3 PKI Key
Intermediate Certificate (PEM Format)
Intermediate Certificate (DER Format)
Intermediate Certificate (Text Format)
CRL
Title: Re: TCF SSL Access
Post by: Bill St. Clair on December 31, 2011, 01:11:12 pm
As I said, click on "Root Certificate (PEM Format)", which appears only once. Or use the link to root.crt in my previous post. There's a special IE link probably because IE is broken in that regard. But the link should work for Mac and Linux.
Title: Re: TCF SSL Access
Post by: ZooT_aLLures on December 31, 2011, 09:13:37 pm
unix/linux/BSD uses PEM
Title: Re: TCF SSL Access
Post by: da gooch on January 01, 2012, 11:48:19 am
Another possibility is to go to http://www.cacert.org/index.php?id=3 . Click on the "Root Certificate (PEM Format)" link (http://www.cacert.org/certs/root.crt). A dialog should come up. Check "Trust this CA to identify web sites", and click "OK".

Done  :thumbsup:

Thanks
Title: Re: TCF SSL Access
Post by: MamaLiberty on January 01, 2012, 12:49:31 pm
I think I did it... quit getting the error message anyway. :)
Title: Re: TCF SSL Access
Post by: Bill St. Clair on February 11, 2012, 08:40:01 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Our SSL certificate expires on 2/16, so I've renewed it.
The new certificate should go live soon.

Serial Number: 743162 (0xb56fa)
Issuer: O=Root CA,
        OU=http://www.cacert.org,
        CN=CA Cert Signing Authority/emailAddress=support@cacert.org

Validity
  Not Before: Feb 11 14:24:26 2012 GMT
  Not After : Aug  9 14:24:26 2012 GMT

Fingerprint
  MD5:  C2:49:AC:31:01:B4:D0:E1:87:B1:91:70:74:8C:1A:CB
  SHA1: 64:29:DE:61:16:4F:A2:D5:C5:C7:FB:37:BB:B9:BC:DB:47:00:38:99
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
-----END PGP SIGNATURE-----
Title: Re: TCF SSL Access
Post by: Bill St. Clair on February 14, 2012, 09:40:09 am
Site5 has installed our new SSL certificate. Happy encryption!
Title: Re: TCF SSL Access
Post by: Bill St. Clair on August 10, 2012, 09:03:52 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Our SSL certificate expired on yesterday, so I've renewed it.
The new certificate is live now.

Serial Number: 793495 (0xc1b97)
Issuer: O=Root CA,
       OU=http://www.cacert.org,
       CN=CA Cert Signing Authority/emailAddress=support@cacert.org

Validity
  Not Before: Aug 10 13:46:53 2012 GMT
  Not After : Feb  6 13:46:53 2013 GMT

Fingerprint
  MD5 Fingerprint=45:18:26:D3:05:71:6F:62:8F:49:59:D4:41:ED:57:DC
  SHA1 Fingerprint=C2:BE:2D:4A:D1:0E:7E:FF:F5:95:08:A3:B3:08:17:7C:CF:1F:AA:41
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
-----END PGP SIGNATURE-----
Title: Re: TCF SSL Access
Post by: MamaLiberty on August 10, 2012, 09:14:43 am
Thanks... that's what I figured when I got the funny notification. :)
Title: Re: TCF SSL Access
Post by: RagnarDanneskjold on November 03, 2012, 01:17:04 am
Man, it is being a biatch for me on my XP box at home. Firefox apparently has a known issue with the trust this cert button staying greyed out.
And Chrome and IE seem to have identical Certificate applets. You need to import a frickin' file.
I'm presuming I can save the above to a file with a .crt or some such extension.
Title: Re: TCF SSL Access
Post by: RagnarDanneskjold on November 03, 2012, 01:21:39 am
IE says PKCS #12 (.PFX,,P12)
PKCS #7 (,P7B)
MSCS (.SST)
Title: Re: TCF SSL Access
Post by: RagnarDanneskjold on November 03, 2012, 03:32:32 am
Man, it is being a biatch for me on my XP box at home. Firefox apparently has a known issue with the trust this cert button staying greyed out.
And Chrome and IE seem to have identical Certificate applets. You need to import a frickin' file.
I'm presuming I can save the above to a file with a .crt or some such extension.
Another possibility is to go to http://www.cacert.org/index.php?id=3 . Click on the "Root Certificate (PEM Format)" link (http://www.cacert.org/certs/root.crt). A dialog should come up. Check "Trust this CA to identify web sites", and click "OK".
:wav:
Title: Re: TCF SSL Access
Post by: Bill St. Clair on November 03, 2012, 05:31:40 am
Glad you figured that out. I've been tempted to switch to a self-signed certificate, but your experience makes that a bad idea. If only CACert could convince Firefox to include their certificate.
Title: Re: TCF SSL Access
Post by: Adventurer, Explorer, Inquiring Mind. on January 08, 2013, 09:31:35 am
Is this the reason that the site does not actually use default https for all?

On another suggestion, cacert issues aside, I've noticed a lot of people linking to the http side of things whenever they include relative links.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on January 08, 2013, 09:51:11 am
Yep. The browsers make an unknown CA Cert look like the end of the world, so if you're not expecting that, you might turn away.

I didn't know you COULD include a relative link. Let's see, here's a relative link (http://index.php?action=post;topic=9043.105) to this post's topic. Doesn't work. Should.
Title: Re: TCF SSL Access
Post by: Adventurer, Explorer, Inquiring Mind. on January 08, 2013, 11:42:57 am
will try something later, this is a placeholder
Title: Re: TCF SSL Access
Post by: da gooch on January 09, 2013, 10:11:09 am
Yep. The browsers make an unknown CA Cert look like the end of the world, so if you're not expecting that, you might turn away.

I didn't know you COULD include a relative link. Let's see, here's a relative link (http://index.php?action=post;topic=9043.105) to this post's topic. Doesn't work. Should.

It doesn't work for me either Bill.

Is it possible that something is cutting the address down to unusable?

Your link above =
http://www.index.php/?action=post;topic=9043.105

the actual address of this thread = [without ssl]
http://thementalmilitia.com/forums/index.php?topic=9042.105
The actual website [thementalmilitia.com/forums/] is redacted.
Then the browser is told to look for  index.php as a base address.

Is that the Firefox [my browser] or the server programming?
Title: Re: TCF SSL Access
Post by: Bill St. Clair on January 09, 2013, 11:11:02 am
The server code is generating html:
Code: [Select]
<a href="http://index.php?action=post;topic=9043.105" ....
A relative link would look like:
Code: [Select]
<a href="index.php?action=post; topic=9043.105" ...
But I found out how to do it here (http://www.simplemachines.org/community/index.php?topic=28929.0). Instead of specifying "index.php?topic=..." as the url, you just use "?topic=...". Click "Quote" on this message to see the code for the link below:

relative link to this topic (https://thementalmilitia.com/forums/index.php?topic=9043.105)

And use iurl instead of url to get a link that doesn't open a new window or tab:

relative link to this topic that doesn't create a new browser page (https://thementalmilitia.com/forums/index.php?topic=9043.105)
Title: Re: TCF SSL Access
Post by: Bill St. Clair on January 09, 2013, 11:16:05 am
Nice idea, but the relative URL you type gets translated into an absolute URL before being stored in the database. So it won't show up as http:// for people who are not using encryption and https:// for people who are. Sigh...
Title: Re: TCF SSL Access
Post by: Adventurer, Explorer, Inquiring Mind. on January 09, 2013, 03:37:59 pm
Gotcha, I tried ./forums/index... blah blah blah in my placeholder.  Site is secure enough not to permit directory traversals, though, technically with proper jailing, skipping up and down directories isn't such a big deal, so long as feeding it a ../ doesn't permit it to skip above its jailing directory.

That said, it seems to be a security filter type thing, built into the forum software/scripts, I presume?

I did stuff like that when I first learned CGI scripting.  Sanitized ALL input before storing it to avoid SQL injection/buffer overflow attacks.  I did the scrubbing on the browser side (user) for unintentional malformed data requests and on the server side in case the user used a malformed browser side page (intentional / attack pages) and then did everything I could on the OS side too.  Had occasional slowdowns but no crashes or security breaches from the usage point of view.

Was it extra work?  Yes it was.  Did it pay off in the long run?  Yep, I retired from that field (webshop backend stuff), so to speak, and I still haven't had a single complaint.  And they know my email.  :P
Title: Re: TCF SSL Access
Post by: Bill St. Clair on February 06, 2013, 09:15:54 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Our SSL certificate expired today, so I renewed it.
The new certificate is live now.

Serial Number: 840112 (0xcd1b0)

Issuer: O=Root CA, OU=http://www.cacert.org,
        CN=CA Cert Signing Authority/emailAddress=support@cacert.org

Validity
  Not Before: Feb  6 14:59:53 2013 GMT
  Not After : Aug  5 14:59:53 2013 GMT

Fingerprint
MD5:  53:C5:A5:A1:CF:E6:98:3F:20:FC:45:2B:70:D2:04:4B
SHA1: A9:9A:5A:5E:A0:CE:72:DB:FA:05:A7:72:9E:9D:7C:C8:C7:77:D2:34
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
-----END PGP SIGNATURE-----
Title: Re: TCF SSL Access
Post by: MamaLiberty on February 06, 2013, 09:21:45 am
Got it, thanks. :)
Title: Re: TCF SSL Access
Post by: Bill St. Clair on July 07, 2013, 10:13:55 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Our SSL certificate expired in less then a month. I renewed it:

Serial Number: 882465 (0xd7721)
Issuer: O=Root CA, OU=http://www.cacert.org,
        CN=CA Cert Signing Authority/emailAddress=support@cacert.org
Validity
  Not Before: Jul  7 14:58:04 2013 GMT
  Not After : Jan  3 14:58:04 2014 GMT
Fingerprint
  SHA1: 32:B1:4A:F6:E1:56:03:10:01:C6:73:7B:31:CA:24:91:0C:7D:51:46
  MD5:  C2:3F:F7:B5:2B:9B:BA:86:30:59:33:0D:A0:69:E9:75
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
-----END PGP SIGNATURE-----
Title: Re: TCF SSL Access
Post by: Bill St. Clair on December 28, 2013, 01:51:45 pm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Our SSL certificate expired in a few days. I renewed it:

Serial Number: 935210 (0xe452a)
Issuer: O=Root CA, OU=http://www.cacert.org,
        CN=CA Cert Signing Authority/emailAddress=support@cacert.org
Validity
  Not Before: Dec 28 19:38:04 2013 GMT
  Not After : Jun 26 19:38:04 2014 GMT
Fingerprint
  SHA1: 7A:AB:24:4B:34:7C:33:96:5D:C4:90:A6:77:09:CF:3A:C6:1A:64:1F
  MD5:  A6:BA:AE:0F:F9:39:C0:D1:DD:F4:FA:AA:6D:99:BE:F8
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
-----END PGP SIGNATURE-----
Title: Re: TCF SSL Access
Post by: Bill St. Clair on June 26, 2014, 03:26:50 pm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Our SSL certificate expired. I renewed it.

Serial Number: 996305 (0xf33d1)
Issuer: O=Root CA, OU=http://www.cacert.org,
        CN=CA Cert Signing Authority/emailAddress=support@cacert.org
Validity
    Not Before: Jun 26 20:15:29 2014 GMT
    Not After : Dec 23 20:15:29 2014 GMT
Fingerprint
  SHA1: 7E:7C:9C:5F:BA:2D:AB:6D:E9:2E:F8:23:05:DF:6E:18:66:D5:68:44
  MD5:  5E:BA:0D:92:E7:5D:19:D0:0E:36:42:40:D6:94:80:68
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
-----END PGP SIGNATURE-----
Title: Re: TCF SSL Access
Post by: DiabloLoco on June 26, 2014, 03:31:03 pm
Thanks! Keep up the good work Bill! :mellow:
Title: Re: TCF SSL Access
Post by: Bill St. Clair on October 15, 2014, 09:51:58 am
A new SSL vulnerability, POODLE, is in the news. I changed our Apache web server's SSL configuration to mitigate. It no longer supports IE 6, so if you're using that, why?

I used the recommended Apache configuration at https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
I tested it at https://www.ssllabs.com/ssltest/

The testing revealed, no surprise, that our certificate is untrusted. I know that. That's why I publish the certificate information in this thread. That actually makes us MORE secure than certificates signed by random authorities.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on December 22, 2014, 04:30:06 pm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Our SSL certificate was about to expire. I renewed it.

Serial Number: 1048071 (0xffe07)
Signature Algorithm: sha512WithRSAEncryption
Issuer: O=Root CA, OU=http://www.cacert.org,
  CN=CA Cert Signing Authority/emailAddress=support@cacert.org
Validity
  Not Before: Dec 22 22:20:37 2014 GMT
  Not After : Jun 20 22:20:37 2015 GMT
Fingerprint
  SHA1: 3F:89:10:7A:5B:35:19:A8:06:78:F3:22:38:46:38:AB:C5:7D:DE:7D
  MD5:  F1:A3:73:F6:C9:6B:06:2B:25:20:CF:0D:14:A1:90:6F
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
-----END PGP SIGNATURE-----
Title: Re: TCF SSL Access
Post by: Elias Alias on December 22, 2014, 10:34:49 pm
Thank you, Bill.

Salute!
Title: Re: TCF SSL Access
Post by: Bill St. Clair on May 05, 2015, 01:20:23 pm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I got a new SSL certificate signed by StartCom.
This certificate authority is in more browsers than cacert.org,
so should cause fewer browsers to complain.

Serial Number: 1587764054678957 (0x5a41020775dad)
Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing,
        CN=StartCom Class 1 Primary Intermediate Server CA
Validity
  Not Before: May  4 20:54:22 2015 GMT
  Not After : May  5 10:11:38 2016 GMT
Fingerprint
  SHA-256: 28:7E:86:E5:7D:88:68:62:0A:E0:F0:3D:A3:4C:7A:EA:
           BD:55:51:98:88:65:28:90:4E:E8:F6:02:A3:82:D7:C3
  SHA1:    1A:3A:4C:B8:94:CD:86:0C:70:2E:B2:BA:47:11:BF:FD:0C:3A:BA:03
  MD5:     43:7D:52:EE:C8:3B:D2:89:1A:1D:3A:70:7D:54:89:55
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
-----END PGP SIGNATURE-----
Title: Re: TCF SSL Access
Post by: da gooch on May 07, 2015, 08:39:20 am
Well Done Bill.

We rely upon your expertise for our connection.
Thank You.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on May 05, 2016, 06:48:55 am
Back in April, I switched to https://LetsEncrypt.org for our SSL certificates. I only updated the cert for secure.thementalmilitia.com at that time. The one for thementalmilitia.com and www.thementalmilitia.com just expired, which I noticed when I attempted my daily view of new posts on the wiki. I updated those, too, with LetsEncrypt. Easiest SSL maintenance I've ever seen, once you figure out how to use it. And totally free.

I used to post here a signed version of the certificate details, every time I renewed. There was one member who explicitly tracked all SSL certificates in his browser, rather than relying on a certificate authority signature. If there is still someone who cares about that, let me know in this thread, and I'll start doing it again. If you don't know what I'm talking about, don't worry about it.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on July 17, 2016, 06:38:22 am
I updated the LetsEncrypt SSL certificates for thementalmilitia.com, eliasalias.com, and thementalmilitia.net. This is supposed to be as easy as running the following, logged in as root:

Code: [Select]
letsencrypt renew
but I had made the root-local "letencrypt" script do the wrong thing, because it was the right thing when I first requested the certificates, and it took me a little while to figure that out. Next time, it WILL be that easy. I could make a cron job to do it automatically, but I like keeping my eye on it more closely.
Title: Re: TCF SSL Access
Post by: MamaLiberty on July 17, 2016, 07:19:15 am
but I like keeping my eye on it more closely.

And I, for one, am SOOOOO glad you are keeping an eye on it.  As for me, I didn't understand anything else you said. LOL
Title: Re: TCF SSL Access
Post by: Bill St. Clair on December 20, 2016, 02:18:24 pm
Responding to an email warning of impending expiration, I renewed our SSL certificate again. First, I updated to the newest version of LetsEncrypt. All went smoothly. It expires next on March 20 (three months from now).
Title: Re: TCF SSL Access
Post by: Bill St. Clair on August 06, 2017, 05:26:44 am
I updated the SSL certificate (likely twice since my last report). It now expires on November 4. Free thanks to LetsEncrypt.org.
Title: Re: TCF SSL Access
Post by: Bill St. Clair on July 04, 2018, 09:09:41 am
I updated the SSL certificate (again twice since my last report). It now expires on October 2. Free thanks to LetsEncrypt.org.
Title: Re: TCF SSL Access
Post by: Elias Alias on July 06, 2018, 04:48:28 pm
You are awesome, Bill.
Thank you.
Salute!
Elias Alias