tomman |
Posted on 19-08-16, 16:01
|
Dinosaur
Post: #487 of 1316 Since: 10-30-18 Last post: 1 hour Last view: 1 hour |
I... didn't notice. But then, I'm on Seamonkey, a browser where the obsession is not at the security theatre, but actually getting the next version released. BTW: the random page load delays are still there, particularly at the Discussion board. And since I'm now forced to read this From My Cellphone™ thanks to our benevolent phone and ISP company, it gets incredibly confusing (is the delay caused by the site? by our shittyass 3G/4G networks?) Not that I care anymore, but I guess a bug is still a bug? Licensed Pirate® since 2006, 100% Buttcoin™-free, enemy of All Things JavaScript™ |
Kawaoneechan |
Posted on 19-08-16, 16:05
|
SHOO-BE-DOO SHOO-SHOO-BE-DOO
Post: #348 of 599 Since: 10-29-18 Last post: 195 days Last view: 8 hours |
If I knew what caused the delays, I would gladly fix them. I actually thought I'd fucked something up real bad after the TLS version bump and it took *that* long to test! |
Kakashi |
Posted on 19-08-16, 16:17
|
Post: #191 of 210 Since: 10-29-18 Last post: 1876 days Last view: 1848 days |
The website is always really snappy for me, here. |
Nicholas Steel |
Posted on 19-08-16, 17:26 (revision 1)
|
Post: #253 of 426
Since: 10-30-18 Last post: 499 days Last view: 14 days |
Posted by Kakashi Often (not always) slow for me. AMD Ryzen 3700X | MSI Gamer Geforce 1070Ti 8GB | 16GB 3600MHz DDR4 RAM | ASUS Crosshair VIII Hero (WiFi) Motherboard | Windows 10 x64 |
Kawaoneechan |
Posted on 19-08-16, 17:42
|
I said, put the bunny back in the box!
Post: #349 of 599 Since: 10-29-18 Last post: 195 days Last view: 8 hours |
You'd think considering where the server is physically located it'd be fast for me. It's not. Not always. Even my dead-simple frontpage sometimes takes remarkably long to load. |
Duck Penis |
Posted on 19-08-17, 14:10
|
Stirrer of Shit
Post: #577 of 717 Since: 01-26-19 Last post: 1763 days Last view: 1761 days |
Isn't this just the MySQL issue though? On the topic of SSL: I often get SSL warnings when browsing here, since the certificate is sometimes signed by an unknown authority. I get them all the time, so I've been conditioned to just click through them. I only ever get them with Tor Browser, so it might just be that they have an outdated certificate store. (no, I am not getting MITM'd, it only happens on some sites and it persists even if I do CTRL-SHIFT-L, and furthermore any exit node that did this would get blacklisted real fast) There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this. |
funkyass |
Posted on 19-08-17, 16:40
|
Post: #77 of 202
Since: 11-01-18 Last post: 660 days Last view: 16 days |
I'd go with outdated store... maybe update your tor browser? |
Duck Penis |
Posted on 19-08-18, 07:55
|
Stirrer of Shit
Post: #581 of 717 Since: 01-26-19 Last post: 1763 days Last view: 1761 days |
It is up-to-date, at least as much as TBB can be. It's the equivalent of ESR 60.8. But extremely odd still. Wouldn't a security-critical software want to maintain a really fresh cert store? There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this. |
Screwtape |
Posted on 19-08-18, 08:38
|
Full mod
Post: #320 of 443 Since: 10-30-18 Last post: 1101 days Last view: 172 days |
Posted by sureanem Next time it happens, poke around in the certificate details and see what the certificate chain looks like, and then take a look again when it works fine.

This specific website uses a certificate from Let's Encrypt that's signed by "Let's Encrypt Authority X3", which in turn is signed by "ISRG Root X1" (Let's Encrypt's root cert) and "DST Root CA X3" (the root cert of IdenTrust, an existing for-profit CA). My Firefox has "Let's Encrypt Authority X3" in its trusted cert store, so it automatically trusts this site. However, older browsers don't have the Let's Encrypt cert in their store, so sites should be configured to serve up both their own cert, and "Let's Encrypt Authority X3", and then older browsers can follow the chain to "DST Root CA X3" and everything still works.

This site *doesn't* serve up the intermediate certificate, which doesn't matter for modern, up-to-date browsers, but it causes that "This server's certificate chain is incomplete. Grade capped to B." message from SSL Server Test, and I wonder if it causes your SSL warnings too.

On the other hand, apparently the Let's Encrypt certs were added to Firefox in version 50, which is over a year before your ESR 60. So who knows what the heck's going on. Maybe it really is an MITM, even if not a malicious one. The ending of the words is ALMSIVI. |
Duck Penis |
Posted on 19-08-18, 14:25
|
Stirrer of Shit
Post: #583 of 717 Since: 01-26-19 Last post: 1763 days Last view: 1761 days |
If it is MITM, I'd reckon they'd get caught pretty quickly. It's trivial to run a script that tries to connect to some site across all exit nodes and see which ones mess with the cert, report it, and get them banned. And it happens across several nodes, so I wouldn't think that's it. Right now it works fine, so it's very possible they fixed it. ...I could have sworn I took a screenshot of it, but apparently not. The current hierarchy is DST -> LE -> helmet, so are you sure it doesn't follow it? There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this. |
Duck Penis |
Posted on 19-08-18, 16:23
|
Stirrer of Shit
Post: #584 of 717 Since: 01-26-19 Last post: 1763 days Last view: 1761 days |
OK, now it gave me the error again. "Certificate Hierarchy" just contained "helmet.kafuka.org," SHA-256 fingerprint was "B5:92:85:CD:89:16:38:D9:3B:31:49:22:F6:36:CA:59:10:7A:50:BB:9F:54:30:93:5A:12:11:06:18:3B:74:79," issuer was "Let's Encrypt Authority X3," and Certificate Authority Key Identifier was "a8 4a 6a 63 04 7d dd ba e6 d1 39 b7 a6 45 65 ef f3 a8 ec a1," which by all accounts seems to be Let's Encrypt. The error in boldface on top is, "Could not verify this certificate because the issuer is unknown." Here's the certificate, but I wouldn't think it's been tampered with:

...And after a few minutes of looking stuff up, I opened the certificate info box up again. It showed up as "Verifying certificate...," and then marked it as valid, with a filled in hierarchy and everything. So I would guess it tried to fetch the intermediate certificates from the URL in the certificate, but it took them some time.

When I go to about:preferences#privacy and open the Certificate Manager, it indeed does not show Let's Encrypt, but it does show DST Root CA X3. There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this. |
Screwtape |
Posted on 19-08-19, 07:40
|
Full mod
Post: #322 of 443 Since: 10-30-18 Last post: 1101 days Last view: 172 days |
Yeah, so this site is serving up its own cert (signed by Let's Encrypt), but the browser for whatever reason doesn't know about Let's Encrypt. I'm very surprised that any up-to-date browser in 2019 doesn't automatically trust the Let's Encrypt cert, and even more surprised at the idea of browsers downloading plausible-looking certs, but apparently that's a thing that can happen.

Actually, now that I think about it, maybe between the time that it broke and the time that it worked, you happened to visit another Let's Encrypt-secured website that *did* provide the intermediate cert, and the browser cached that somewhere so it was available the next time you visited this site. And then when you shut down the browser, it clears all its caches and the problem resurfaces.

I guess we can test that hypothesis:

- Restart your browser
- Visit https://helmet.kafuka.org/
- Confirm that the site is not trusted
- Restart your browser
- Visit https://lobste.rs/ (a Let's Encrypt-protected site that does serve the intermediate)
- Confirm that the site is trusted
- Restart your browser
- Visit https://helmet.kafuka.org/
- Confirm that the site is still not trusted
- Visit https://lobste.rs/
- Confirm that the site is still trusted
- Visit https://helmet.kafuka.org/ again
- See if the browser trusts it now

The ending of the words is ALMSIVI. |
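The missing-intermediate failure discussed in the posts above can be reproduced offline with the `openssl` command line. This is an added example, not something posted in the thread: the root, intermediate and leaf below are constructed stand-ins (not the real DST, Let's Encrypt or helmet.kafuka.org certificates), and the file passed to `-untrusted` plays the role of an intermediate that arrives from somewhere other than the trust store, whether served by the site or cached from another one.

```shell
# Constructed three-level PKI; every name and file here is a stand-in.
work=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$work/ca.ext"

new_csr() {  # new_csr NAME COMMON_NAME: fresh key plus signing request
  openssl req -new -newkey rsa:2048 -nodes -keyout "$work/$1.key" \
    -subj "/CN=$2" -out "$work/$1.csr" 2>/dev/null
}

build_pki() {
  new_csr root  "Constructed Root CA"         || return 1
  new_csr inter "Constructed Intermediate CA" || return 1
  new_csr leaf  "site.example"                || return 1
  # Self-signed root: the only certificate the client trusts.
  openssl x509 -req -in "$work/root.csr" -signkey "$work/root.key" \
    -extfile "$work/ca.ext" -days 2 -out "$work/root.pem" 2>/dev/null || return 1
  # Intermediate CA signed by the root.
  openssl x509 -req -in "$work/inter.csr" -CA "$work/root.pem" \
    -CAkey "$work/root.key" -CAcreateserial -extfile "$work/ca.ext" \
    -days 2 -out "$work/inter.pem" 2>/dev/null || return 1
  # Leaf (the site certificate) signed by the intermediate.
  openssl x509 -req -in "$work/leaf.csr" -CA "$work/inter.pem" \
    -CAkey "$work/inter.key" -CAcreateserial \
    -days 2 -out "$work/leaf.pem" 2>/dev/null
}

# verify_leaf [EXTRA_CERTS.pem]: prints "trusted" or "untrusted".
# EXTRA_CERTS are offered as untrusted chain-building material only;
# the trust anchor is always just the constructed root.
verify_leaf() {
  if [ $# -eq 0 ]; then
    openssl verify -CAfile "$work/root.pem" "$work/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$work/root.pem" -untrusted "$1" \
      "$work/leaf.pem" >/dev/null 2>&1
  fi && echo trusted || echo untrusted
}

build_pki || { echo "openssl failed to build the demo PKI" >&2; exit 1; }
echo "leaf only (intermediate not supplied): $(verify_leaf)"
echo "leaf plus intermediate:                $(verify_leaf "$work/inter.pem")"
```

The leaf and the trust store are identical in both runs; only the availability of the intermediate changes the verdict.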
Duck Penis |
Posted on 19-08-19, 17:31
|
Stirrer of Shit
Post: #587 of 717 Since: 01-26-19 Last post: 1763 days Last view: 1761 days |
Yes, that is what happens. Except for the part where it sometimes randomly works if you directly navigate to it with a clean browser, and sometimes randomly begins to work despite loading no other websites. It seems like it works more often to load it from bookmark than to go to helmet.kafuka.org, go to bboard/, and then click the HTTPS icon. But this could just be spurious/superstition.

It has to verify them by hash, so I'd say it's quite secure. The certificate does include URL of the parent certificate, so it could be that it tries to fetch it based on my connection speed, which is random, which causes the non-deterministic behavior. That could explain why it sometimes loads instantly.

Another hypothesis is that some post contained an embed going to a Let's Encrypt secured page complete with proper chain, that forces a cert download, boom, complete chain. I think this is what happens. To reproduce:

1) open TBB
2) go to https://helmet.kafuka.org/bboard -> red sometimes, green sometimes
3) add temp exception (if green, make new identity and try again)
4) mess around in options, refresh page, etc -> nothing happens, still orange
5) open all threads from last post in new tab
6) "View certificate" -> Currently verifying... -> green

But the big mystery is why it sometimes DOESN'T show up as red.

Man, to hell with SSL. How many people get false impressions of security from the magic green lock? How many people get Pavlov'd into clicking through all warnings? (see: Windows executable signing) And most importantly, why tolerate this atrocious single point of failure? We're not far out from seeing HTTP getting the same warnings as HTTPS with self-signed cert does, and then blocked outright eventually (where there is no override button and you have to go into about:config). Then maybe ISPs will block it, like they did for SMTP, but I doubt it (after all, our Chinese IoT makers must access their APIs) And after that, we will have a complete oligopoly.

Good luck publishing such tracts if the CA cartel doesn't allow them. They've null-routed entire ASNs for hosting legal but controversial websites, so why wouldn't refusing to issue a certificate - an active rather than passive action, most definitely within their prerogative - be a valid action likewise? Completely unironically, this is a problem that The Blockchain™ solves in a cheap, efficient, and safe manner. /rant There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this. |
Wowfunhappy |
Posted on 19-08-26, 15:54
|
Post: #17 of 21
Since: 11-08-18 Last post: 1254 days Last view: 1254 days |
I'm not sure if this is related to the HTTPS discussion above, but as of this morning I'm getting a "Website With Harmful Software Warning" whenever I visit this website in Safari. Safari supposedly uses Google Safe Browsing for this warning... |
creaothceann |
Posted on 19-08-26, 17:21
|
Post: #193 of 456 Since: 10-29-18 Last post: 44 days Last view: 1 day |
Same for me with Firefox; had to use Opera. My current setup: Super Famicom ("2/1/3" SNS-CPU-1CHIP-02) → SCART → OSSC → StarTech USB3HDCAP → AmaRecTV 3.10 |
Kawaoneechan |
Posted on 19-08-26, 17:47
|
Secretly, I'm Andrew Hussie
Post: #366 of 599 Since: 10-29-18 Last post: 195 days Last view: 8 hours |
Posted by Wowfunhappy That's a known issue, nothing is actually wrong with the site or anything served on it. |
CaptainJistuce |
Posted on 19-08-27, 00:53
|
Custom title here
Post: #659 of 1164 Since: 10-30-18 Last post: 63 days Last view: 13 hours |
Posted by Kawa That's just what a malware provider would say! --- In UTF-16, where available. --- |
Kawaoneechan |
Posted on 19-08-27, 01:00
|
OBJECTION!!
Post: #371 of 599 Since: 10-29-18 Last post: 195 days Last view: 8 hours |
Visual Basic 6 and UPX smell bad to certain antivirus programs 🤷 |
Nicholas Steel |
Posted on 19-09-05, 12:20
|
Post: #268 of 426
Since: 10-30-18 Last post: 499 days Last view: 14 days |
I guess I shoulda made my comment about the Quote system here, in any case thanks for adjusting the Quote visuals to make it easier to see who said what. Here's a feature request: Add a "Cancel" button when making posts and editing posts, the button should obviously take you back to the previously visited page. AMD Ryzen 3700X | MSI Gamer Geforce 1070Ti 8GB | 16GB 3600MHz DDR4 RAM | ASUS Crosshair VIII Hero (WiFi) Motherboard | Windows 10 x64 |
CaptainJistuce |
Posted on 19-09-05, 12:34
|
Custom title here
Post: #675 of 1164 Since: 10-30-18 Last post: 63 days Last view: 13 hours |
Posted by Nicholas Steel Why not just alt-left? Or click the thread title above the reply/edit box? Or the back button in the address bar? --- In UTF-16, where available. --- |