Desktop and Mobile Firefox throwing a certificate error on the BBS


#1

Getting a certificate error when trying to connect to https://bbs.boingboing.net. Tried turning off HTTPS, and just going to the plain site, same message. This is happening on both Firefox desktop (v48 standard repo Linux Mint), and android (v48.0.1). The error doesn’t happen in Chrome (verified on both Linux desktop and android). So maybe the BBS switched to a different cert not in FF’s default library.


#2

Maybe I need to turn off TLS enforcement or something? Reading the error message it sounds like the BBS is trying to use a cert that firefox thinks is too low-security, and the BBS is also attempting to redirect back to HTTPS, so I’m having a hard time just trying to connect via insecure methods.


#3

Same here on FF48.0.2
Could be a botched FF release or a Discourse issue. Google mentions something called NGINX as a possible issue?


#4

yes, I was just talking to @M_M about this. I PM’d Rob.


#5

NGINX is a web server.

Searching on NS_ERROR_NET_INADEQUATE_SECURITY brings up pretty much just Firefox nightly builds forum. I’m using a current non-dev build of FF, so I’m not thinking this is caused by FF. The fora say that the TLS and SSL negotiation is to blame.


#6

well, I’m a bit out of my depth here, but y’all are on Chrome and I’m using Safari. how is it not caused by Firefox?

I withdraw the question pre-emptively as I doubt I will understand any sort of technical explanation.

anyway, this sucks. I hate Safari and FF has all my browser extensions and I know all the keybinds and stuff.


#7

Well… Technically it is FF refusing to connect to the website.

But the reason why FF is refusing to connect is because the website’s not adhering to the security standards it’s advertising itself to have. Which is super dangerous. So I’m going to go ahead and say that the BBS’s certs/TLS/SSL negotiation has gotten screwed up. Seeing as the site’s been working fine on this version of FF for like a month, and suddenly stopped working today, and my FF hasn’t been upgraded today.


#8

So is discourse running on that?

[quote=“noahdjango, post:6, topic:84322”]
I withdraw the question pre-emptively as I doubt I will understand any sort of technical explanation.
[/quote]

I thought it was just me that didn’t understand all this, LOL.


#9

I guess so:


#10

Site appears to be back up now.

Thanks @codinghorror and whoever else helped out with that.


#11

weirdly, right after you posted that screenshot, I started getting errors trying to like the post. I F5’d and Safari gave me their version of the certificate error warning. said fuck it, closed Safari, and browsed elsewhere on FF. Just checked back and all is right in FF again :slight_smile:


#12

Mea Culpa.

Short version: Browsers which use HTTP/2 had a brief moment of unhappiness when an unexpected side-effect of a security update caused Confusion and Delay.

Tech-weenie details: I adjusted the TLS cipher suite selection to mitigate the sweet32 attack, and managed to change the priority of cipher selection such that some ciphers blacklisted in HTTP/2 were chosen above other, HTTP/2-friendly ciphers. At first, this only impacted recent Firefox versions, but because no two implementations can ever agree on what a standard actually means, my first attempt at fixing the problem caused problems for IE and Safari instead.

All is well now, and unless some cryptographer comes up with another way to break TLS in the next little while, things should stay well.
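The ordering problem described in post #12, as an added example that is not part of the original thread and not the site's configuration: with server-preference selection, a CBC suite listed above a GCM suite is what an HTTP/2 client gets, and it then refuses the connection. The cipher lists are constructed, suite names are OpenSSL-style TLS 1.2 names, and `http2_acceptable` approximates the RFC 7540 Appendix A blacklist by its stated rule (ephemeral key exchange plus AEAD) rather than the literal list.

```python
# Added example. All cipher lists below are constructed for illustration.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")
SWEET32_MARKERS = ("DES-CBC3", "IDEA")  # 64-bit block ciphers

# Sweet32 mitigated (no 3DES), but CBC suites now sort above GCM suites.
BROKEN_ORDER = ["ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
                "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                "AES128-SHA"]
# Same suites, AEAD first.
FIXED_ORDER = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
               "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA", "AES128-SHA"]
# Hypothetical HTTP/2-capable browser offer.
H2_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
             "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
             "AES128-SHA", "DES-CBC3-SHA"]


def http2_acceptable(suite):
    """Approximation of RFC 7540 Appendix A: ephemeral key exchange + AEAD."""
    return suite.startswith(EPHEMERAL_PREFIXES) and any(
        m in suite for m in AEAD_MARKERS)


def sweet32_affected(suite):
    return any(m in suite for m in SWEET32_MARKERS)


def negotiate(server_pref, client_offer):
    """Server-preference selection: first server suite the client offers."""
    offered = set(client_offer)
    return next((s for s in server_pref if s in offered), None)


def audit(server_pref, client_offer, speaks_h2=True):
    chosen = negotiate(server_pref, client_offer)
    findings = []
    if chosen is None:
        findings.append("no shared suite")
        return chosen, findings
    if speaks_h2 and not http2_acceptable(chosen):
        findings.append("HTTP/2 client will reject (INADEQUATE_SECURITY)")
    if sweet32_affected(chosen):
        findings.append("64-bit block cipher (Sweet32)")
    return chosen, findings


if __name__ == "__main__":
    for name, order in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(name, audit(order, H2_CLIENT))
```

Running the same audit against each client profile you care about before deploying a cipher-list change catches the case where a fix for one browser family breaks another.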


#13

Anyone still experiencing issues here? We had to update our SSL setup today, which involved a minor outage on some browsers.

Should be better now.


#14

Glad you’re doing this work. Thanks guys.


#15

FWIW, I ran into this running SRWare Iron, which is Chromium-based.


#16

Are you still seeing the problem now? Or did you only run into it a few hours ago, when others were reporting it too?


#17

No, no problem now, only before (I think when the others were seeing it). I only brought it up in case it was useful to confirm that it could happen on chromium browsers.


#19

NSA suite B standards or higher, or GTFA!

Yeah, I was locked out of commenting. That’s cool. (Seriously. I’m good with that. I’ll just browse anonymously until you get your TLS negotiations worked out.)


#20

Yeah, and I looked up Iron, and I’m less than impressed by the project. They spent a whole year claiming to be “open source” without ever hosting or making available the source code. And now they are hosting some source code, but they don’t in any way make it clear which version it’s for or anything like that.

Most people who’ve reviewed it tend to say that it’s just chromium with different default settings and an adblocker built in.


#21

I’ve been using it for several years, since the field of ‘hardened’ chromium browsers consisted of just it and Comodo. I don’t use it because I trust it more than I’d trust Chromium, but because it has been stable and fast so why stop? It isn’t the only browser I use, but it is the one I use for BB. Had the certificate error been more than a small nuisance I would have tried another browser,