Beefy Boxes and Bandwidth Generously Provided by pair Networks
P is for Practical
 
PerlMonks  

"This site is not secure" warning message

by roho (Canon)
on Jun 11, 2018 at 11:41 UTC ( #1216381=monkdiscuss: print w/replies, xml ) Need Help??

How do I get rid of the "This site is not secure" warning when accessing PerlMonks?

"It's not how hard you work, it's how much you get done."

  • Comment on "This site is not secure" warning message

Replies are listed 'Best First'.
Re: "This site is not secure" warning message
by shmem (Chancellor) on Jun 11, 2018 at 13:05 UTC

    Unfortunately the monk image in the upper right corner has an absolute link in the page delivered, e.g.

    <a href="?node_id=966"><img src="http://perlmonks.org/images/monk1sm.g +if" border="0" alt="Frank" title="Frank" width="74" height="91" /></a +>

    instead of a relative one

    <a href="?node_id=966"><img src="/images/monk1sm.gif" border="0" alt=" +Frank" title="Frank" width="74" height="91" /></a>

    which makes the page insecure, since it loads unencrypted stuff into an encrypted container. There's a patch for that, but other things might blow up, too.

    perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'

      Or there's the simple fix of going to Display Settings and ticking the box next to "Monk Pictures off".

      Update: This problem is now (since 11th of June) mentioned in Tidings

        This is a hostmaster error, not a user error. Why doesn't Pair have a cert? As they don't; why is perlmonks forcing a secure connection? Letsencrypt ( letsencrypt.com ) has been providing them FREE for at least a year, and they're accepted by all the major browsers. The entire process can be accomplished in some 20 minutes -- even for a large hosting outfit. I managed the whole process in 15 minutes, with ~120 hosts. IMHO this is a fairly serious matter; as when most users encounter the "frightening" message from their browser, will leave, and quite probably never come back. :-(

        λɐp ʇɑəɹ⅁ ɐ əʌɐɥ puɐ ʻꜱdləɥ ꜱᴉɥʇ ədoH

        Monk pictures off. Still throwing "This site is not secure" warnings like a 4th of July fireworks display. Does this change not take effect until site page entirely closed, then opened again, or some such?


        Give a man a fish:  <%-{-{-{-<

Re: "This site is not secure" warning message
by haukex (Chancellor) on Jun 17, 2018 at 21:52 UTC

    I analyzed this issue a bit more.

    There are 10 DNS names that I know of for PerlMonks: /^( (www\.|css\.)? perlmonks \. (org|com|net) | perlmonks.pairsite.com )$/x

    Except for perlmonks.pairsite.com, all of those resolve to the three IP addresses 209.197.123.153, 216.92.34.251, and 66.39.54.27. perlmonks.pairsite.com resolves to only the first of those, 209.197.123.153.

    There are two SSL certificates:

    1. one for pair Networks, which matches only *.pairsite.com - this one is always served by 209.197.123.153, no matter which of the aforementioned 10 DNS names is used!
    2. one Let's Encrypt certificate, which matches any of the nine DNS names /^ (www\.|css\.)? perlmonks \. (org|com|net) $/x - this one is served by 216.92.34.251 and 66.39.54.27.

    The issue is that any time one of the (org|com|net) addresses resolves to 209.197.123.153 (Round-robin DNS), the user will get a certificate warning.

    I checked, and the Apache Wiki says this about Name-Based Virtual Hosts and SSL (emphasis mine):

    As a rule, it is impossible to host more than one SSL virtual host on the same IP address and port. This is because Apache needs to know the name of the host in order to choose the correct certificate to setup the encryption layer. But the name of the host being requested is contained only in the HTTP request headers, which are part of the encrypted content. It is therefore not available until after the encryption is already negotiated. This means that the correct certificate cannot be selected, and clients will receive certificate mismatch warnings and be vulnerable to man-in-the-middle attacks.

    In reality, Apache will allow you to configure name-based SSL virtual hosts, but it will always use the configuration from the first-listed virtual host (on the selected IP address and port) to setup the encryption layer. In reality, Apache will allow you to configure name-based SSL virtual hosts, but it will always use the configuration from the first-listed virtual host (on the selected IP address and port) to setup the encryption layer. In certain specific circumstances, it is acceptable to use a single SSL configuration for several virtual hosts. In particular, this will work if the SSL certificate applies to all the virtual hosts. ...

    As a quick fix, 209.197.123.153 could be taken out of the DNS rotation, as already suggested by others, but this has the disadvantage that one of the servers will get much less of the load. Another possible solution would be to make sure that 209.197.123.153 serves up the Let's Encrypt certificate as well, and then set up a redirect from perlmonks.pairsite.com to perlmonks.org (both http and https), since I'm not sure how much that address is used anyway.

    In any case, I think this is an important issue!

      I checked, and the Apache Wiki says this about Name-Based Virtual Hosts and SSL (emphasis mine):

      As a rule, it is impossible to host more than one SSL virtual host on the same IP address and port. This is because Apache needs to know the name of the host in order to choose the correct certificate to setup the encryption layer. But the name of the host being requested is contained only in the HTTP request headers, which are part of the encrypted content. It is therefore not available until after the encryption is already negotiated. This means that the correct certificate cannot be selected, and clients will receive certificate mismatch warnings and be vulnerable to man-in-the-middle attacks.

      In reality, Apache will allow you to configure name-based SSL virtual hosts, but it will always use the configuration from the first-listed virtual host (on the selected IP address and port) to setup the encryption layer.

      That information seems to be obsolete. SNI allows to use name-based virtual hosts with SSL. According to Wikipedia, it should work with Apache 2.2.12 and newer, IE 7 (not on XP) and newer, Firefox 2.0 and newer, Safari (not on XP), Chrome 6.0 and newer.

      There is also a wiki page for SNI with Apache.

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
Re: "This site is not secure" warning message
by Gavin (Bishop) on Jun 11, 2018 at 17:09 UTC
    The fact that the page throws "This site is not secure" warning message to my mind will put off new visitors to PerlMonks at a time when we need new blood is rather worrying.
      Lol
Re: "This site is not secure" warning message
by Co-Rion (Monk) on Jun 29, 2018 at 15:48 UTC

    I have now received the instructions on how to reconfigure all servers to use one Let's Encrypt certificate.

    The changes involve some changes through the web interface of Pair and might also involve some indirect changes to the DNS. I expect the changes to be complete within the next hour and the propagation of the changes within the next 24 hours.

    After that, I expect that all webservers will serve the same (Let's Encrypt) certificate and will automatically renew through Pairs automatic process.

    Update: The change was 50% successful:

    • OK The *.pairsite.com certificate is not served anymore from
    • OK A perlmonks.com and www.perlmonks.com certificate is now served from 209.197.123.153.
    • NOT OK: A perlmonks.net and www.perlmonks.net certificate is now served from 209.197.123.153.
    • NOT OK: A perlmonks.org and www.perlmonks.org certificate is now served from 209.197.123.153.

    This will likely need (repeated?) manual intervention from Pair support, who have been very supportive and good so far, so I hope that we can resolve even this issue.

    The two certificates served now are:

    ##### Certificate ##### Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 Subject: /CN=perlmonks.com Subject Alt Names: 2: perlmonks.com 2: www.perlmonks.com ### Served by: 209.197.123.153 css.perlmonks.com 209.197.123.153 css.perlmonks.net 209.197.123.153 css.perlmonks.org 209.197.123.153 perlmonks.com 209.197.123.153 perlmonks.net 209.197.123.153 perlmonks.org 209.197.123.153 perlmonks.pairsite.com 209.197.123.153 www.perlmonks.com 209.197.123.153 www.perlmonks.net 209.197.123.153 www.perlmonks.org ##### Certificate ##### Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 Subject: /CN=perlmonks.org Subject Alt Names: 2: css.perlmonks.com 2: css.perlmonks.net 2: css.pe +rlmonks.or g 2: perlmonks.com 2: perlmonks.net 2: perlmonks.org 2: www.perlmonks. +com 2: www .perlmonks.net 2: www.perlmonks.org 216.92.34.251 css.perlmonks.com 66.39.54.27 css.perlmonks.com 216.92.34.251 css.perlmonks.net 66.39.54.27 css.perlmonks.net 216.92.34.251 css.perlmonks.org 66.39.54.27 css.perlmonks.org 216.92.34.251 perlmonks.com 66.39.54.27 perlmonks.com 216.92.34.251 perlmonks.net 66.39.54.27 perlmonks.net 216.92.34.251 perlmonks.org 66.39.54.27 perlmonks.org 216.92.34.251 www.perlmonks.com 66.39.54.27 www.perlmonks.com 216.92.34.251 www.perlmonks.net 66.39.54.27 www.perlmonks.net 216.92.34.251 www.perlmonks.org 66.39.54.27 www.perlmonks.org
Re: "This site is not secure" warning message
by afoken (Canon) on Jun 11, 2018 at 19:23 UTC

    I can confirm the warning, the webserver presents a pair.com SSL certificate.

    @roho: please don't write into the signature, some monks let the browser hide signatures and so your posting looks empty.

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
      Hmm... It varies it seems. .com used to work but last 2days stopped but .org works.. Cant tell with my chrome what the ip is in play
      Sorry about that. Entered text one line too low.

      "It's not how hard you work, it's how much you get done."

Re: "This site is not secure" warning message
by monsenhor (Novice) on Jun 13, 2018 at 13:41 UTC
Re: "This site is not secure" warning message
by sanPerl (Friar) on Jun 19, 2018 at 08:06 UTC
Re: "This site is not secure" warning message
by Anonymous Monk on Jun 15, 2018 at 06:38 UTC
    Well, something magical, all three perlmonks.com/perlmonks.net/perlmonks.org just resolved to 66.39.54.27 for me with pairsite certificate
    A reply falls below the community's threshold of quality. You may see it by logging in.
    A reply falls below the community's threshold of quality. You may see it by logging in.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: monkdiscuss [id://1216381]
Approved by davies
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others exploiting the Monastery: (8)
As of 2019-12-13 23:09 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?