0 users browsing Discussion. | 12 bots  
    Main » Discussion » Board feature requests/suggestions
    Pages: First Previous 12 13 14 15 16 17 18 19 20 21 22 Next Last
    Posted on 19-08-16, 16:01
    Dinosaur

    Post: #487 of 1282
    Since: 10-30-18

    Last post: 4 days
    Last view: 23 hours
    I... didn't noticed.

    But then, I'm on Seamonkey, a browser where the obsession is not at the security theatre, but actually getting the next version released.

    BTW: the random page load delays are still there, particularly at the Discussion board. And since I'm now forced to read this From My Cellphone™ thanks to our benevolent phone and ISP company, it gets incredibly confusing (is the delay caused by the site? by our shittyass 3G/4G networks?)

    Not that I care anymore, but I guess a bug is still a bug?

    Licensed Pirate® since 2006, 100% Buttcoin™-free, enemy of All Things JavaScript™
    Posted on 19-08-16, 16:05
    You read my title. That's enough social interaction for one day.

    Post: #348 of 598
    Since: 10-29-18

    Last post: 86 days
    Last view: 11 hours
    If I knew what caused the delays, I would gladly fix them. I actually thought I'd fucked something up real bad after the TLS version bump and it took *that* long to test!
    Posted on 19-08-16, 16:17

    Post: #191 of 210
    Since: 10-29-18

    Last post: 1638 days
    Last view: 1610 days
    The website is always really snappy for me, here.
    Posted on 19-08-16, 17:26 (revision 1)
    Post: #253 of 426
    Since: 10-30-18

    Last post: 261 days
    Last view: 1 day
    Posted by Kakashi
    The website is always really snappy for me, here.

    Often (not always) slow for me.

    AMD Ryzen 3700X | MSI Gamer Geforce 1070Ti 8GB | 16GB 3600MHz DDR4 RAM | ASUS Crosshair VIII Hero (WiFi) Motherboard | Windows 10 x64
    Posted on 19-08-16, 17:42
    Ask me about SCI

    Post: #349 of 598
    Since: 10-29-18

    Last post: 86 days
    Last view: 11 hours
    You'd think considering where the server is physically located it'd be fast for me. It's not. Not always. Even my dead-simple frontpage sometimes takes remarkably long to load.
    Posted on 19-08-17, 14:10
    Stirrer of Shit
    Post: #577 of 717
    Since: 01-26-19

    Last post: 1525 days
    Last view: 1523 days
    Isn't this just the MySQL issue though?

    On the topic of SSL: I often get SSL warnings when browsing here, since the certificate is sometimes signed by an unknown authority. I get them all the time, so I've been conditioned to just click through them. I only ever get them with Tor Browser, so it might just be that they have an outdated certificate store.
    (no, I am not getting MITM'd, it only happens on some sites and it persists even if I do CTRL-SHIFT-L, and furthermore any exit node that did this would get blacklisted real fast)

    There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this.
    Posted on 19-08-17, 16:40
    Post: #77 of 202
    Since: 11-01-18

    Last post: 422 days
    Last view: 55 days
    I'd go with outdated store... maybe update your tor browser?
    Posted on 19-08-18, 07:55
    Stirrer of Shit
    Post: #581 of 717
    Since: 01-26-19

    Last post: 1525 days
    Last view: 1523 days
    It is up-to-date, at least as much as TBB can be. It's the equivalent of ESR 60.8.
    But extremely odd still. Wouldn't a security-critical software want to maintain a really fresh cert store?

    There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this.
    Posted on 19-08-18, 08:38
    Full mod

    Post: #320 of 443
    Since: 10-30-18

    Last post: 863 days
    Last view: 60 days
    Posted by sureanem
    I often get SSL warnings when browsing here, since the certificate is sometimes signed by an unknown authority. I get them all the time, so I've been conditioned to just click through them. I only ever get them with Tor Browser, so it might just be that they have an outdated certificate store.
    (no, I am not getting MITM'd, it only happens on some sites and it persists even if I do CTRL-SHIFT-L, and furthermore any exit node that did this would get blacklisted real fast)

    Next time it happens, poke around in the certificate details and see what the certificate chain looks like, and then take a look again when it works fine.

    This specific website use a certificate from Let's Encrypt that's signed by "Let's Encrypt Authority X3", which in turn is signed by "ISRG Root X1" (Let's Encrypt's root cert) and "DST Root CA X3" (the root cert of IdenTrust, an existing for-profit CA). My Firefox has "Let's Encrypt Authority X3" in its trusted cert store, so it automatically trusts this site. However, older browsers don't have the Let's Encrypt cert in their store, so sites should be configured to serve up both their own cert, and "Let's Encrypt Authority X3", and then older browsers can follow the chain to "DST Root CA X3" and everything still works.

    This site *doesn't* serve up the intermediate certificate, which doesn't matter for modern, up-to-date browsers, but it causes that "This server's certificate chain is incomplete. Grade capped to B." message from SSL Server Test, and I wonder if it causes your SSL warnings too.

    On the other hand, apparently the Let's Encrypt certs were added to Firefox in version 50, which is over a year before your ESR 60. So who knows what the heck's going on. Maybe it really is an MITM, even if not a malicious one.

    The ending of the words is ALMSIVI.
    Posted on 19-08-18, 14:25
    Stirrer of Shit
    Post: #583 of 717
    Since: 01-26-19

    Last post: 1525 days
    Last view: 1523 days
    If it is MITM, I'd reckon they'd get caught pretty quickly. It's trivial to run a script that tries to connect to some site across all exit nodes and see which ones mess with the cert, report it, and get them banned. And it happens across several nodes, so I wouldn't think that's it. Right now it works fine, so it's very possible they fixed it.

    ...I could have sworn I took a screenshot of it, but apparently not.

    The current hierarchy is DST -> LE -> helmet, so are you sure it doesn't follow it?

    There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this.
    Posted on 19-08-18, 16:23
    Stirrer of Shit
    Post: #584 of 717
    Since: 01-26-19

    Last post: 1525 days
    Last view: 1523 days
    OK, now it gave me the error again. "Certificate Hierarchy" just contained "helmet.kafuka.org," SHA-256 fingerprint was "B5:92:85:CD:89:16:38:D9:3B:31:49:22:F6:36:CA:59:10:7A:50:BB:9F:54:30:93:5A:12:11:06:18:3B:74:79,", issuer was "Let's Encrypt Authority X3," and Certificate Authority Key Identifier was "a8 4a 6a 63 04 7d dd ba e6 d1 39 b7 a6 45 65 ef
    f3 a8 ec a1," which by all accounts seems to be Let's Encrypt.

    The error in boldface on top is, "Could not verify this certificate because the issuer is unknown."

    Here's the certificate, but I wouldn't think it's been tampered with:


    ...And after a few minutes of looking stuff up, I opened the certificate info box up again. It showed up as "Verifying certificate...," and then marked it as valid, with a filled in hierarchy and everything. So I would guess it tried to fetch the intermediate certificates from the URL in the certificate, but it took them some time.

    When I go to about:preferences#privacy and open the Certificate Manager, it indeed does not show Let's Encrypt, but it does show DST Root CA X3.

    There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this.
    Posted on 19-08-19, 07:40
    Full mod

    Post: #322 of 443
    Since: 10-30-18

    Last post: 863 days
    Last view: 60 days
    Yeah, so this site is serving up its own cert (signed by Let's Encrypt), but the browser for whatever reason doesn't know about Let's Encrypt.

    I'm very surprised that any up-to-date browser in 2019 doesn't automatically trust the Let's Encrypt cert, and even more surprised at the idea of browsers downloading plausible-looking certs, but apparently that's a thing that can happen.

    Actually, now that I think about it, maybe between the time that it broke and the time that it worked, you happened to visit another Let's Encrypt-secured website that *did* provide the intermediate cert, and the browser cached that somewhere so it was available the next time you visited this site. And then when you shut down the browser, it clears all its caches and the problem resurfaces.

    I guess we can test that hypothesis:

    - Restart your browser
    - Visit https://helmet.kafuka.org/
    - Confirm that the site is not trusted
    - Restart your browser
    - Visit https://lobste.rs/ (a Let's Encrypt-protected site that does serve the intermediate)
    - Confirm that the site is trusted
    - Restart your browser
    - Visit https://helmet.kafuka.org/
    - Confirm that the site is still not trusted
    - Visit https://lobste.rs/
    - Confirm that the site is still trusted
    - Visit https://helmet.kafuka.org/ again
    - See if the browser trusts it now

    The ending of the words is ALMSIVI.
    Posted on 19-08-19, 17:31
    Stirrer of Shit
    Post: #587 of 717
    Since: 01-26-19

    Last post: 1525 days
    Last view: 1523 days
    Yes, that is what happens. Except for the part where it sometimes randomly works if you directly navigate to it with a clean browser, and sometimes randomly begins to work despite loading no other websites. It seems like it works more often to load it from bookmark than to go to helmet.kafuka.org, go to bboard/, and then click the HTTPS icon. But this could just be spurious/superstition.

    It has to verify them by hash, so I'd say it's quite secure.

    The certificate does include URL of the parent certificate, so it could be that it tries to fetch it based on my connection speed, which is random, which causes the non-deterministic behavior. That could explain why it sometimes loads instantly.

    Another hypothesis is that some post contained an embed going to a Let's Encrypt secured page complete with proper chain, that forces a cert download, boom, complete chain. I think this is what happens.

    To reproduce:
    1) open TBB
    2) go to https://helmet.kafuka.org/bboard
    -> red sometimes, green sometimes
    3) add temp exception (if green, make new identity and try again)
    4) mess around in options, refresh page, etc
    -> nothing happens, still orange
    5) open all threads from last post in new tab
    6) "View certificate"
    -> Currently verifying...
    -> green

    But the big mystery is why it sometimes DOESN'T show up as red.

    Man, to hell with SSL. How many people get false impressions of security from the magic green lock? How many people get Pavlov'd into clicking through all warnings? (see: Windows executable signing) And most importantly, why tolerate this atrocious single point of failure? We're not far out from seeing HTTP getting the same warnings as HTTPS with self-signed cert does, and then blocked outright eventually (where there is no override button and you have to go into about:config). Then maybe ISPs will block it, like they did for SMTP, but I doubt it (after all, our Chinese IoT makers must access their APIs)

    And after that, we will have a complete oligopoly. Good luck publishing such tracts if the CA cartel doesn't allow them. They've null-routed entire ASNs for hosting legal but controversial websites, so why wouldn't refusing to issue a certificate - an active rather than passive action, most definitely within their prerogative - be a valid action likewise?

    Completely unironically, this is a problem that The Blockchain™ solves in a cheap, efficient, and safe manner.

    /rant

    There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this.
    Posted on 19-08-26, 15:54
    Post: #17 of 21
    Since: 11-08-18

    Last post: 1016 days
    Last view: 1016 days
    I'm not sure if this is related to the HTTPS discussion above, but as of this morning I'm getting a "Website With Harmful Software Warning" whenever I visit this website in Safari.

    Safari supposedly uses Google Safe Browsing for this warning...
    Posted on 19-08-26, 17:21

    Post: #193 of 449
    Since: 10-29-18

    Last post: 9 days
    Last view: 15 hours
    Same for me with Firefox; had to use Opera.

    My current setup: Super Famicom ("2/1/3" SNS-CPU-1CHIP-02) → SCART → OSSC → StarTech USB3HDCAP → AmaRecTV 3.10
    Posted on 19-08-26, 17:47
    Is watching you clop clop clop

    Post: #366 of 598
    Since: 10-29-18

    Last post: 86 days
    Last view: 11 hours
    Posted by Wowfunhappy
    as of this morning I'm getting a "Website With Harmful Software Warning"
    That's a known issue, nothing is actually wrong with the site or anything served on it.
    Posted on 19-08-27, 00:53
    Custom title here

    Post: #659 of 1150
    Since: 10-30-18

    Last post: 6 days
    Last view: 1 day
    Posted by Kawa
    Posted by Wowfunhappy
    as of this morning I'm getting a "Website With Harmful Software Warning"
    That's a known issue, nothing is actually wrong with the site or anything served on it.
    That's just what a malware provider woold say!

    --- In UTF-16, where available. ---
    Posted on 19-08-27, 01:00
    Not Richard Pryor

    Post: #371 of 598
    Since: 10-29-18

    Last post: 86 days
    Last view: 11 hours
    Visual Basic 6 and UPX smell bad to certain antivirus programs 🤷
    Posted on 19-09-05, 12:20
    Post: #268 of 426
    Since: 10-30-18

    Last post: 261 days
    Last view: 1 day
    I guess I shoulda made my comment about the Quote system here, in any case thanks for adjusting the Quote visuals to make it easier to see who said what.

    Here's a feature request: Add a "Cancel" button when making posts and editing posts, the button should obviously take you back to the previously visited page.

    AMD Ryzen 3700X | MSI Gamer Geforce 1070Ti 8GB | 16GB 3600MHz DDR4 RAM | ASUS Crosshair VIII Hero (WiFi) Motherboard | Windows 10 x64
    Posted on 19-09-05, 12:34
    Custom title here

    Post: #675 of 1150
    Since: 10-30-18

    Last post: 6 days
    Last view: 1 day
    Posted by Nicholas Steel
    I guess I shoulda made my comment about the Quote system here, in any case thanks for adjusting the Quote visuals to make it easier to see who said what.

    Here's a feature request: Add a "Cancel" button when making posts and editing posts, the button should obviously take you back to the previously visited page.
    Why not just alt-left? Or click the thread title above the reply/edit box? Or the back button in the address bar?

    --- In UTF-16, where available. ---
    Pages: First Previous 12 13 14 15 16 17 18 19 20 21 22 Next Last
      Main » Discussion » Board feature requests/suggestions
      Kawa's Github