SSL cert expired

[Alex]

Hi folks -

Wanted to post a thread apologizes for the embarrassing oversight today of letting the SSL cert expire. Had received notifications for awhile, but hadn't gotten around to it yet. I'm remote today (at a security conference, ironically), but hope to get around to updating it late tonight.

To be clear, the site is no less secure (or more secure) than it was yesterday. SSL certs have an expiration date on them, but that timing is a bit arbitrary. Expiration does not mean anything bad happened to them, they've been compromised, or any other issue. It's just good security practice to keep them updated every few years in the off-chance that they were compromised at some point during that period.

Most importantly, there isn't any personal data stored here on this site about any of us. Everything that this site has in terms of user data is essentially open to all already; it's all of our posts that we put up to share with others. I moved the site to SSL awhile back as an exercise, but that turned out to be a bit prescient as Google started to encourage all sites to use SSL, even if there wasn't any sensitive or critical data stored on the site.

Happy to answer any questions here, and also take any well-deserved insults, put-downs, and general abuse for not getting to this in time.

[adouglas]

Go on, admit it. You're Zuckerberg in disguise, aren't you?

[Alex]

I can neither confirm or deny.

[Triple Jim]

Thanks Alex... I got the warning this morning, but figured that by now I can probably trust the site.

[DannoXYZ]

Quote:

Originally Posted by Alex

I can neither confirm or deny.

to verify it’s really you, PM me all your account numbers and PIN

[adouglas]

Quote:

Originally Posted by DannoXYZ

to verify it’s really you, PM me all your account numbers and PIN

Here you go. All the number and PINS are in this post.

[Snake]

I took a leap of faith and clicked ok I trust Alex.

[Alex]

Alright - we're good until 4/2020. Hopefully I'll fix it ahead of time at that point.

[Z1R rider]

[CaliGrrl]

Thanks for updating it! I got the warning, I trust the site, but I didn't know how to tell my computer "go there anyway." So I'm glad it's updated and my 'puter will let me come here again.

[DannoXYZ]

Awesome!

[maverick9611]

[Alex]

So this is how users at MyEtherWallet were hacked yesterday.

News story: https://www.theverge.com/2018/4/24/1...tolen-ethereum

Someone was able to corrupt/co-opt some DNS entries for the site, set up a new site, and the DNS took some users right to the phishing site. Once there, they had the credentials they needed to then go to the real site and start emptying wallets. Users who were robbed had to click through that "this site cert ain't right" error, did so, and were taken to the malicious site - the site that they landed on couldn't provide a valid SSL cert and the browsers would have warned them.

I only add this for some context about those cert errors. That use case above is pretty much the whole point of the technology. The site that you're going to might not be the one you expect, because the cert can't be validated - be cautious with where you go and what you enter if you do click past those warnings. In 99% of the cases, it's going to be something like happened here on Ninjette, with an expired cert due to an incompetent admin (like me). But every once in awhile, that cert error can be a real tip-off that something bad is about to happen because the site you're going to isn't the one you expect, either because it has been hacked directly, or you're being redirected to an entirely different location than you expected.

[CaliGrrl]

Good to know, thanks. I don't know much about how this works, and I trusted Ninjette, but it's good info.

[Alex]

Quote:

Originally Posted by Alex

Alright - we're good until 4/2020. Hopefully I'll fix it ahead of time at that point.

Narrator voice: "He didn't"

[Triple Jim]

No problem of course, Alex... thanks for today's repair. I was able to get in via Tor Browser, but it seemed that no one else was around.

[Alex]

The reason the TOR browser worked is likely because it's running in incognito mode, and isn't storing HSTS data. If you opened up another browser that you've never used to connect to ninjette before, it would likely have worked as well. The way that setting works between web servers and clients is like this: Once you go to a site, and it has a legitimate SSL certificate, the browser says "OK" and keeps track of it. Forevermore, if you use that browser to go to that site, it confirms there is a valid cert, and if there isn't, it hard fails it and will not allow you to bypass. If you open up a completely new browser and go to the site, it may warn you that the site has a bad cert, but it will let you bypass the warning.

You can go into an existing browser, and there are ways to delete the HSTS stored data. I've had to do that a few times when I do screw up the SSL cert and still have to get to a site with the same browser.

[Triple Jim]

Understood. Tor asked me if I'd like to ignore the expired certificate. I can't swear I've never connected to this site with it though.

[DannoXYZ]

Does anyone ever say NO to bypassing cert-expiration warning?
Or even incorrect cert saying you're being re-directed to "IMGONNA.STEALYOURCC#.COM"??

[Alex]

No - which is probably one of the reasons HSTS came to be. It allows sites to make it much harder for users to bypass that warning, if the site chooses to enforce it. It's one of those "ecosystem" type things though, that only has a benefit if many/most sites implement it.

[Alex]

When the site was moved over to a new VM today, I figured it would be a good idea to see when the SSL cert was due to expire. Turns out that it was due to expire today - 4/16/2022! Updated it (after finding the instructions I saved forever ago on how to do so), so we're now good for another year. If I had forgotten, we all would have been locked out at midnight until I reset the darned thing.

On a separate note, the new server appears to be screaming fast. Usage of it is showing something like .01 on average, and response time is lightning quick.

[Snake]

So glad that you were able to remember about the cert expiring. If I had been locked out tomorrow morning the first thing I would have thought was “Oh no I posted something negative, got a thumbs down and Alex locked me out”.

[DannoXYZ]

Awesome!!!

I like automatic free cert renewal with certbot/LetsEncrypt.org.
CertBot agent regularly checks for expiration and downloads new cert before it expires.
https://letsencrypt.org/getting-started/

[Alex]

I should look into that some point if I ever change the architecture. When I first put SSL onto this site awhile back, LetsEncrypt was a bit of a joke, and essentially meant that the site wasn't able to get a "real" cert. But over many years - quite a bit has changed, and sites with LetsEncrypt aren't penalized a bit.

[CaliGrrl]

Excellent! Thanks for keeping an eye on it!

[CZroe]

Quote:

Originally Posted by DannoXYZ

Awesome!!!

I like automatic free cert renewal with certbot/LetsEncrypt.org.
CertBot agent regularly checks for expiration and downloads new cert before it expires.
https://letsencrypt.org/getting-started/

Spam bot detected!

/JK

Don’t mess with Alex tho’

I’m still suffering his endless newsletter spam in retaliation for the time Jiggles and I made it look like I hacked the site.

[DannoXYZ]

Quote:

Originally Posted by CZroe

Spam bot detected!

/JK

Don’t mess with Alex tho’

I’m still suffering his endless newsletter spam in retaliation for the time Jiggles and I made it look like I hacked the site.

HahHhahhHahhh!!!