Outdated SSL Certificate for https://www.gnucash.org

David T. sunfish62 at yahoo.com
Thu Jun 16 17:48:21 EDT 2016


Xavier,

Thank you for persevering in this discussion. I agree strongly with your points—especially those regarding unsatisfactory results for the majority of users and the question of iframe use.

David T.

> On Jun 16, 2016, at 5:38 PM, Xavier Lagraula <detunizedgravity at gmail.com> wrote:
> 
> Le jeu. 16 juin 2016 à 16:08, John Ralls <jralls at ceridwen.us> a écrit :
> 
>> 
>>> On Jun 16, 2016, at 1:47 AM, Xavier Lagraula <detunizedgravity at gmail.com> wrote:
>>> 
>>> Hm. No. This is not what I meant. I am well aware of the arguments you are
>>> making here. My problem is not that I trust my browser more than my own
>>> judgment. My problem is that I know no practical and reasonable way to
>>> apply my judgement, and I must make do with what my browser will allow.
>>> 
>>> To be precise I have tried with both the latest stable versions of FF and
>>> Edge, and neither allowed me to set an exception in the usual way. Maybe I
>>> could have lowered my security settings, but I question the relevance of
>>> such a choice. The fact that *I*, as an I.T. security consultant, may be
>>> able to find how to do it and live with the consequences, does not
>>> necessarily make it a reasonable course of action for everyone.
>> 
>> Haven't tried this in Edge, but it definitely works in FF:
>> Click in the address bar. The URL will be expanded for editing. Move to
>> the left end of the URL and change 'https:' to 'http:'. Press Enter.
>> No exception required, it opens the URL unencrypted and there is therefore
>> no certificate check.
>> 
> The https link is embedded in an iframe, so one would first need to do
> something like "right click inside the iframe => this frame/open in a new
> tab => edit the URL".  I believe the iframe makes it too complicated a
> workaround for the average person, which is why I jumped into the
> discussion. I didn't say there was no solution. I said "there is no easy
> and practical solution for the average, non I.T. person."
> 
> Also, this will rapidly stop working when your sysadmin will have had the
> good idea to implement HTTP Strict Transport Security. In that case, once
> the browser will know that HTTPS is available for www.gnucash.org, it
> will not allow HTTP anymore unless the user resets this HSTS configuration
> *between each click on a link*.
> 
> 
>> I'll check again in a bit but I don't think that there are any internal
>> https: links in www.gnucash.org. As I said earlier there's nothing there
>> that needs encrypting. There is a bit of a problem with recently released
>> editions of most browsers that default to using https, but it's not hard to
>> override as I describe above.
>> 
>> 
> www.gnucash.org => click on "download / documentation" in the left panel =>
> view source =>
> 
> <iframe src="https://www.gnucash.org/docs/v2.6/C/gnucash-guide/index.html"
> style="border-width: 0px; width: 100%; min-width: 700px; height:
> 80em;">It seems your browser doesn't support iframes. To view the
> requested page in a separate window, please <a
> href="https://www.gnucash.org/docs/v2.6/C/gnucash-guide/index.html"
> target="_new">click here</a>.</iframe>
> 
> 
> Obviously, if you don't need HTTPS at all, you could change the protocol to
> HTTP. I believe that, on the contrary, one should aim for systematic end to
> end encryption (that is, the whole site should use HTTPS and actively
> prevent the use of HTTP), but that is another topic entirely. I won't say
> anymore on this here.
> 
> 
>> As for adding an exception in FF, click Advanced on the Warning page. That
>> extends the box with details of why the certificate was rejected and
>> includes an "Add an Exception" button on the bottom. Click that, a dialog
>> box opens with a "Confirm Security Exception". Click that, done.
>> 
> 
> As said before, you wouldn't have heard from me if it was that simple. When
> I wrote that my browser does not let me set an exception, I meant it: the
> "Add an exception" button does not exist in this case. I've known for some
> time that it happened in some cases, I just never took the time to learn
> why until now.
> 
> OK, so here's the explanation. One may not set an exception when the
> offending link is in an iframe, to prevent attackers from tricking users
> into validating rogue certificates. Seems reasonable. This behaviour was
> implemented in FF in 2012 for example:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=756841#c6
> 
> So, the actual workaround is to open the iframe into its own tab. Since the
> content is not embedded in an iframe in this case, the "Add an exception"
> button is shown, and one may add a permanent exception. Reload the original
> page and the error should disappear. Still a bit too complicated for the
> average Joe in my opinion, but it does work.
> 
> As a side note, I've always thought that iframes are a pain, for the reasons
> found here:
> https://en.wikipedia.org/wiki/Framing_(World_Wide_Web)#Criticism
> 
> 
>> Regards,
>> John Ralls
> _______________________________________________
> gnucash-user mailing list
> gnucash-user at gnucash.org
> https://lists.gnucash.org/mailman/listinfo/gnucash-user
> -----
> Please remember to CC this list on all your replies.
> You can do this by using Reply-To-List or Reply-All.
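As an added example that is not code from this thread or from the GnuCash project: a small Python audit that, given a page's HTML, lists the https: iframes it embeds and records why a visitor cannot work around a bad certificate on each one (no "Add Exception" button for framed content, and no http: fallback once HSTS is cached). The certificate date and HSTS header are constructed stand-ins for values a real check would fetch from the server.

```python
import ssl
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample input: the iframe quoted in the thread, plus a certificate
# date and HSTS header that a real audit would fetch from the server (both made up).
SAMPLE_HTML = '<iframe src="https://www.gnucash.org/docs/v2.6/C/gnucash-guide/index.html">x</iframe>'
SAMPLE_CERTS = {"www.gnucash.org": "Jun 10 23:59:59 2016 GMT"}   # notAfter, constructed
SAMPLE_HSTS = {"www.gnucash.org": "max-age=31536000; includeSubDomains"}  # hypothetical
NOW = ssl.cert_time_to_seconds("Jun 16 21:48:21 2016 GMT")        # date of the mail, UTC

class IframeSrcs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.srcs += [v for k, v in attrs if k == "src" and v]

def iframe_srcs(html):
    p = IframeSrcs()
    p.feed(html)
    return p.srcs

def cert_expired(not_after, now):
    # not_after uses the ssl.getpeercert()["notAfter"] date format
    return ssl.cert_time_to_seconds(not_after) < now

def hsts_max_age(header):
    # max-age from a Strict-Transport-Security value; 0 when absent or unparseable
    for part in header.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0

def audit(html, certs, hsts, now):
    # One finding per https: iframe whose host has certificate data in certs
    findings = []
    for src in iframe_srcs(html):
        u = urlsplit(src)
        if u.scheme != "https" or u.hostname not in certs:
            continue
        findings.append({
            "src": src,
            "expired": cert_expired(certs[u.hostname], now),
            "user_can_add_exception": False,  # framed content never offers the button
            "http_fallback_possible": hsts_max_age(hsts.get(u.hostname, "")) == 0,
        })
    return findings
```

Run `audit(SAMPLE_HTML, SAMPLE_CERTS, SAMPLE_HSTS, NOW)` to see the single finding for the quoted iframe; swap in an empty HSTS dict to see the http: fallback become available again.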