Outdated SSL Certificate for https://www.gnucash.org

Xavier Lagraula detunizedgravity at gmail.com
Thu Jun 16 17:38:04 EDT 2016


On Thu, Jun 16, 2016 at 16:08, John Ralls <jralls at ceridwen.us> wrote:

>
> > On Jun 16, 2016, at 1:47 AM, Xavier Lagraula <detunizedgravity at gmail.com>
> wrote:
> >
> > Hm. No. This is not what I meant. I am well aware of the arguments you
> are
> > making here. My problem is not that I trust my browser more than my own
> > judgment. My problem is that I know no practical and reasonable way to
> > apply my judgement, and I must make do with what my browser will allow.
> >
> > To be precise I have tried with both the latest stable versions of FF and
> > Edge, and neither allowed me to set an exception in the usual way. Maybe
> I
> > could have lowered my security settings, but I question the relevance of
> > such a choice. The fact that *I*, as an I.T. security consultant, may be
> > able to find how to do it and live with the consequences, does not
> > necessarily make it a reasonable course of action for everyone.
>
> Haven't tried this in Edge, but it definitely works in FF:
> Click in the address bar. The URL will be expanded for editing. Move to
> the left end of the URL and change 'https:' to 'http:'. Press Enter.
> No exception required, it opens the URL unencrypted and there is therefore
> no certificate check.
>
The https link is embedded in an iframe, so one would first need to do
something like "right click inside the iframe => this frame/open in a new
tab => edit the URL". I believe the iframe makes it too complicated a
workaround for the average person, which is why I jumped into the
discussion. I didn't say there was no solution. I said "there is no easy
and practical solution for the average, non I.T. person."

Also, this will rapidly stop working when your sysadmin has had the good
idea to implement HTTP Strict Transport Security. In that case, once the
browser knows that HTTPS is available for www.gnucash.org, it will not
allow HTTP anymore unless the user resets this HSTS configuration *between
each click on a link*.


> I'll check again in a bit but I don't think that there are any internal
> https: links in www.gnucash.org. As I said earlier there's nothing there
> that needs encrypting. There is a bit of a problem with recently released
> editions of most browsers that default to using https, but it's not hard to
> override as I describe above.
>
>
www.gnucash.org => click on "download / documentation" in the left panel =>
view source =>

<iframe src="https://www.gnucash.org/docs/v2.6/C/gnucash-guide/index.html"
style="border-width: 0px; width: 100%; min-width: 700px; height:
80em;">It seems your browser doesn't support iframes. To view the
requested page in a separate window, please <a
href="https://www.gnucash.org/docs/v2.6/C/gnucash-guide/index.html"
target="_new">click here</a>.</iframe>


Obviously, if you don't need HTTPS at all, you could change the protocol to
HTTP. I believe that, on the contrary, one should aim for systematic end to
end encryption (that is, the whole site should use HTTPS and actively
prevent the use of HTTP), but that is another topic entirely. I won't say
any more on this here.


> As for adding an exception in FF, click Advanced on the Warning page. That
> extends the box with details of why the certificate was rejected and
> includes an "Add an Exception" button on the bottom. Click that, a dialog
> box opens with a "Confirm Security Exception". Click that, done.
>

As said before, you wouldn't have heard from me if it was that simple. When
I wrote that my browser does not let me set an exception, I meant it: the
"Add an exception" button does not exist in this case. I've known for some
time that it happened in some cases, I just never took the time to learn
why until now.

OK, so here's the explanation. One may not set an exception when the
offending link is in an iframe, to prevent attackers from tricking users
into validating rogue certificates. Seems reasonable. This behaviour was
implemented in FF in 2012 for example:

https://bugzilla.mozilla.org/show_bug.cgi?id=756841#c6

So, the actual workaround is to open the iframe in its own tab. Since the
content is not embedded in an iframe in this case, the "Add an exception"
button is shown, and one may add a permanent exception. Reload the original
page and the error should disappear. Still a bit too complicated for the
average Joe in my opinion, but it does work.

As a side note, I've always thought that iframes are a pain, for the reasons
found here:
https://en.wikipedia.org/wiki/Framing_(World_Wide_Web)#Criticism


> Regards,
> John Ralls
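As an added example (not code from the gnucash-user thread or from the GnuCash project), the following Python models the HSTS behaviour Xavier describes: it parses a Strict-Transport-Security header as defined in RFC 6797, keeps the per-host cache a browser keeps, and rewrites http:// navigations to https:// for hosts it knows, so the "edit https: to http: in the address bar" workaround stops working until the entry is cleared or expires. The hostnames, header values, clock and navigation sequence in demo() are constructed for illustration; the store is deliberately simplified (no preload list, no special-casing of IP literals).

```python
"""Added example, not code from the gnucash-user thread or the GnuCash project:
a minimal model of a browser's HSTS host cache (RFC 6797).  Hostnames, header
values and the navigation sequence in demo() are constructed for illustration."""
import time
from urllib.parse import urlsplit, urlunsplit

STS = "Strict-Transport-Security"


def parse_hsts(header):
    """Return (max_age, include_subdomains), or None if there is no usable max-age
    (a browser ignores such a header)."""
    max_age, include_subdomains = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)


class HstsStore:
    """Known HSTS hosts: hostname -> (expiry timestamp, includeSubDomains flag)."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be exercised offline
        self._hosts = {}

    def observe_response(self, url, headers):
        """Record a policy.  Only an HTTPS response counts: an STS header received
        over plain HTTP is ignored (RFC 6797 section 8.1)."""
        parts = urlsplit(url)
        sts = next((v for k, v in headers.items() if k.lower() == STS.lower()), None)
        policy = parse_hsts(sts) if parts.scheme == "https" and sts else None
        if policy is None:
            return
        max_age, include_subdomains = policy
        if max_age == 0:
            self._hosts.pop(parts.hostname, None)   # max-age=0 means "forget me"
        else:
            self._hosts[parts.hostname] = (self._now() + max_age, include_subdomains)

    def forget(self, host):
        """The manual reset Xavier mentions: drop the cached entry for one host."""
        self._hosts.pop(host.lower(), None)

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                return True
        return False

    def navigate(self, url):
        """URL actually requested: http is rewritten to https for a known host before
        any request is sent, so there is no plain-HTTP request to fall back to."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """The sequence from the thread, with constructed hosts, headers and clock."""
    clock = [1_000_000.0]
    store = HstsStore(now=lambda: clock[0])
    out = {}
    # 1. No HTTPS visit yet: editing https: to http: in the address bar works.
    out["before"] = store.navigate("http://www.gnucash.org/docs/")
    # 2. One HTTPS response carrying STS pins the host for a year.
    store.observe_response("https://www.gnucash.org/", {STS: "max-age=31536000"})
    out["after"] = store.navigate("http://www.gnucash.org/docs/")
    # 3. A sibling host is not covered (includeSubDomains on www would not help either).
    out["sibling"] = store.navigate("http://lists.gnucash.org/")
    # 4. The same header over plain HTTP is ignored, so it cannot pin a host.
    store.observe_response("http://lists.gnucash.org/", {STS: "max-age=31536000"})
    out["http_header_ignored"] = store.navigate("http://lists.gnucash.org/")
    # 5. Clearing the entry re-enables http, but only until the next HTTPS load.
    store.forget("www.gnucash.org")
    out["after_forget"] = store.navigate("http://www.gnucash.org/docs/")
    store.observe_response("https://www.gnucash.org/", {STS: "max-age=60"})
    out["repinned"] = store.navigate("http://www.gnucash.org/docs/")
    # 6. Entries expire: advance the clock past max-age.
    clock[0] += 61
    out["after_expiry"] = store.navigate("http://www.gnucash.org/docs/")
    return out
```

Two caveats the model makes visible: the upgrade happens before any request is sent, so an iframe pointing at http:// is upgraded exactly like a top-level navigation; and RFC 6797 (section 8.4) additionally requires the browser to terminate a connection to a known HSTS host on any certificate error without letting the user proceed, so on an HSTS site the "Add an exception" path discussed above disappears entirely, not just the HTTP fallback.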

