Outdated SSL Certificate for https://www.gnucash.org

John Ralls jralls at ceridwen.us
Thu Jun 16 18:44:33 EDT 2016


> On Jun 16, 2016, at 2:38 PM, Xavier Lagraula <detunizedgravity at gmail.com> wrote:
> 
> 
> 
> On Thu., 16 June 2016 at 16:08, John Ralls <jralls at ceridwen.us> wrote:
> 
> > On Jun 16, 2016, at 1:47 AM, Xavier Lagraula <detunizedgravity at gmail.com> wrote:
> >
> > Hm. No. This is not what I meant. I am well aware of the arguments you are
> > making here. My problem is not that I trust my browser more than my own
> > judgment. My problem is that I know no practical and reasonable way to
> > apply my judgement, and I must make do with what my browser will allow.
> >
> > To be precise I have tried with both the latest stable versions of FF and
> > Edge, and neither allowed me to set an exception in the usual way. Maybe I
> > could have lowered my security settings, but I question the relevance of
> > such a choice. The fact that *I*, as an I.T. security consultant, may be
> > able to find how to do it and live with the consequences, does not
> > necessarily make it a reasonable course of action for everyone.
> 
> Haven't tried this in Edge, but it definitely works in FF:
> Click in the address bar. The URL will be expanded for editing. Move to the left end of the URL and change 'https:' to 'http:'. Press Enter.
> No exception required, it opens the URL unencrypted and there is therefore no certificate check.
> 
> The https link is embedded in an iframe, so one would first need to do something like "right click inside the iframe => this frame/open in a new tab => edit the URL".  I believe the iframe makes it too complicated a workaround for the average person, which is why I jumped into the discussion. I didn't say there was no solution. I said "there is no easy and practical solution for the average, non I.T. person."
> 
> Also, this will rapidly stop working when your sysadmin has had the good idea to implement HTTP Strict Transport Security. In that case, once the browser knows that HTTPS is available for www.gnucash.org, it will not allow HTTP anymore unless the user resets this HSTS configuration *between each click on a link*.
>  
> I'll check again in a bit but I don't think that there are any internal https: links in www.gnucash.org. As I said earlier there's nothing there that needs encrypting. There is a bit of a problem with recently released editions of most browsers that default to using https, but it's not hard to override as I describe above.
> 
> 
> www.gnucash.org => click on "download / documentation" in the left panel => view source => 
> <iframe src="https://www.gnucash.org/docs/v2.6/C/gnucash-guide/index.html" style="border-width: 0px; width: 100%; min-width: 700px; height: 80em;">
> It seems your browser doesn't support iframes. To view the requested page in a separate window, please <a href="https://www.gnucash.org/docs/v2.6/C/gnucash-guide/index.html" target="_new">click here</a>.</iframe>
> 
> Obviously, if you don't need HTTPS at all, you could change the protocol to HTTP. I believe that, on the contrary, one should aim for systematic end to end encryption (that is, the whole site should use HTTPS and actively prevent the use of HTTP), but that is another topic entirely. I won't say anymore on this here.
>  
> As for adding an exception in FF, click Advanced on the Warning page. That extends the box with details of why the certificate was rejected and includes an "Add an Exception" button on the bottom. Click that, a dialog box opens with a "Confirm Security Exception". Click that, done.
> 
> As said before, you wouldn't have heard from me if it was that simple. When I wrote that my browser does not let me set an exception, I meant it: the "Add an exception" button does not exist in this case. I've known for some time that it happened in some cases, I just never took the time to learn why until now. 
> 
> OK, so here's the explanation. One may not set an exception when the offending link is in an iframe, to prevent attackers from tricking users into validating rogue certificates. Seems reasonable. This behaviour was implemented in FF in 2012 for example:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=756841#c6
> 
> So, the actual workaround is to open the iframe into its own tab. Since the content is not embedded in an iframe in this case, the "Add an exception" button is shown, and one may add a permanent exception. Reload the original page and the error should disappear. Still a bit too complicated for the average Joe in my opinion, but it does work.
>  
> As a side note, I've always thought that iframes are a pain, for the reasons found here:
> https://en.wikipedia.org/wiki/Framing_(World_Wide_Web)#Criticism


Thanks for the diagnosis. I've replaced that https link with http so it should work now. I'm not a fan of iframes either but I don't have time right now to redo the web page to use floating divs and php includes.

I'm a bit less doctrinaire about end-to-end encryption for all web traffic. Most advocates promote it as a privacy protection, but IMO one can worry too much about that. I don't know about you, but I don't really worry too much about who might see me at the grocery store or who knows that I work on GnuCash.

Regards.
John Ralls
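As an added illustration of the HSTS point raised earlier in this thread (example code written for this page, not part of the thread or of the GnuCash site), the following Python models how a browser caches a Strict-Transport-Security policy received over HTTPS and then upgrades later http:// requests for that host until max-age expires, which is why editing "https:" to "http:" in the address bar stops working once the header is deployed. Host names, header values and the injected clock are constructed for the example.

```python
import time
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797); None if malformed."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():      # a browser ignores a header without a numeric max-age
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}

class HstsStore:
    """Minimal model of a browser's HSTS cache: host -> (expiry time, subdomain flag)."""

    def __init__(self, now=time.time):
        self._now = now                  # injectable clock so expiry can be exercised
        self._policies = {}

    def observe(self, host, scheme, header):
        """Learn a policy from a response; RFC 6797 says it only counts over HTTPS."""
        if scheme != "https" or (policy := parse_hsts(header)) is None:
            return
        host = host.lower()
        if policy["max_age"] == 0:       # max-age=0 tells the browser to forget the host
            self._policies.pop(host, None)
            return
        self._policies[host] = (self._now() + policy["max_age"], policy["include_subdomains"])

    def is_known(self, host):
        """True if an unexpired policy covers host directly or via includeSubDomains."""
        now = self._now()
        return any(expires > now and (host == stored or (sub and host.endswith("." + stored)))
                   for stored, (expires, sub) in self._policies.items())

    def rewrite(self, url):
        """Return the URL the browser would fetch: http:// is upgraded for known hosts."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

Note that a policy learned once persists in the cache for the full max-age, so a site that turns HSTS on needs to serve the certificate correctly for every embedded resource as well, or embedded frames like the one discussed above will fail with no user-side workaround.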