Palemoon won't show "untrusted connection"

[jbclem]

This Connection is Untrusted sezs Palemoon, http://www.arboreumco.com uses an invalid security certificate. It seems the only choice for me is "Get me out of here". Palemoon has decided to control my choice of websites. I can access the same site using Opera 28, and I know it's a couple of guys running a fruit tree orchard who probably haven't bothered to update their security certificate.

How can I take things into my own hands and get Palemoon to let me into the site. Is there a switch somewhere that I can turn off and on?

John

[x-15a2]

The link that you provided is to a non-secure web page and I drilled down quite a bit and never did make it to their secure site.

[Moonchild]

Technical Details

www.arboreumco.com uses an invalid security certificate. The certificate is only valid for the following names: *.herokuapp.com , herokuapp.com (Error code: ssl_error_bad_cert_domain)

If you are automatically redirected to https (possibly by an extension), then that is your problem right there. The certificate on the website is not valid for the domain you are trying to visit. No, you should not willy-nilly make exceptions for sites unless you know exactly what you are doing.

Another victim of this "https everywhere all the time" craze going about, I guess.

[jbclem]

I do know what I'm doing with this website, based on previous purchases. And they don't sell online, you reserve your fruit trees and then mail them a check. Remember those days...they still exist fortunately, not everyone has turned into a digital robot. These guys grow and sell unique old varieties of fruit trees that no one else in the country has...fruit trees from the ancient times, before the internet, before computers, before Volkswagens!

So I chose to take my chance, and the odds are on my side. Is there a way to set Palemoon so that it won't reject this website. BTW, I just checked with Firefox 25 and had no problem getting to the site. I also looked at my Palemoon extensions and plugins and don't see anything that mentions "https" in the title. Are there any particular ones that could cause this problem?

[squarefractal]

Please give us the exact URL where this problem happens.

[jbclem]

http://www.arboreumco.com/ I just tried it and the result was the same.

[Joel Cairo]

If you are automatically redirected to https (possibly by an extension), then that is your problem right there. The certificate on the website is not valid for the domain you are trying to visit. No, you should not willy-nilly make exceptions for sites unless you know exactly what you are doing.

Another victim of this "https everywhere all the time" craze going about, I guess.

Funny you should mention that! I wanted info ('windows 7 search multiple') just yesterday. Searched on Ixquick - top result was https://windows.microsoft.com and I clicked the link and got the 'Untrusted connection' dialogue. Did the search with my new Google encrypted plug-in and got http://windows.microsoft.com (which, obviously, opened).

[ron_1]

jbclem wrote:
http://www.arboreumco.com/ I just tried it and the result was the same.

The site opened for me, and it was http, just as you typed it in your link, not https. I then manually added the "s" and I got the untrusted connection message. Just take the "s" out of the https. But as Moonchild said, if you're entering it as http, then something on your computer is forcing it into https. Please give a list of your add-ons so those who are knowledgeable about this sort of thing can help.

[Thehandyman1957]

Well guys, I'm using Encrypted Web and I don't have any problems getting on the page.

Here is a list of my add-on's in case your curious.

Screenshot - 9_21_2015 , 11_05_40 PM.png

As you can see in the next screenshot Encrypted Web did not try to change it to Https

Screenshot - 9_21_2015 , 11_08_40 PM.png

[Joel Cairo]

Well guys, I'm using Encrypted Web and I don't have any problems getting on the page.

Yeah, which is the difference between httpseverywhere/EncryptedWeb, and httpnowhere - a black/whitelist.

[jbclem]

I looked at my add-ons and didn't see anything that would change http to https. Just to be sure I put Palemoon into Safe Mode, all add-ons disabled, restarted it and then tried to reach www.arboreumco.com again. Alas, same problem..."this connection is untrusted".

But I can see the http change to https so something is making that happen. Any other ideas?

[jbclem]

Interestingly, I just saw on fruit growers website that others were having problems accessing arboreumco.com with Firefox. And I just tried with Opera 28 and received a message about an invalid certificate...but Opera gave me the choice of continuing, which I did with success.

[ron_1]

jbclem wrote:
but Opera gave me the choice of continuing,

Pale Moon does also. Just click on "I understand the risks." But that really is not advisable.

[Thehandyman1957]

Technical Details

http://www.arboreumco.com uses an invalid security certificate. The certificate is only valid for the following names: *.herokuapp.com , herokuapp.com (Error code: ssl_error_bad_cert_domain)

If you are automatically redirected to https (possibly by an extension), then that is your problem right there. The certificate on the website is not valid for the domain you are trying to visit. No, you should not willy-nilly make exceptions for sites unless you know exactly what you are doing.

Another victim of this "https everywhere all the time" craze going about, I guess.

What's interesting about this is when I go to this site using Encrypted Web, it does not even give me the option for Https: Every other site I go to I get a choice, as in they have both Http: and Https: and it shows in the icon

So if folks are getting redirected to another site that is using a non valid certificate maybe it's not actually their site at all. Maybe it's a spoof.

[Joel Cairo]

Technical Details

http://www.arboreumco.com uses an invalid security certificate. The certificate is only valid for the following names: *.herokuapp.com , herokuapp.com (Error code: ssl_error_bad_cert_domain)

If you are automatically redirected to https (possibly by an extension), then that is your problem right there. The certificate on the website is not valid for the domain you are trying to visit. No, you should not willy-nilly make exceptions for sites unless you know exactly what you are doing.

Another victim of this "https everywhere all the time" craze going about, I guess.

What's interesting about this is when I go to this site using Encrypted Web, it does not even give me the option for Https: Every other site I go to I get a choice, as in they have both Http: and Https: and it shows in the icon

So if folks are getting redirected to another site that is using a non valid certificate maybe it's not actually their site at all. Maybe it's a spoof.

Clicking that link, the page opens no prob. Searching arboreumco in Ixquick - again - again the results are to the untrusted https version. But once adding the exception it does at least resolve. Not so the windows.microsoft.com one I mentioned previously, though it'd be hard to justify an encrypted version of it anyway. Looking at my Ixquick settings, it would appear to be the result of my choosing POST over GET.

[jbclem]

I don't see any "i understand the risks" option. Had I seen it we wouldn't be having this conversation. Perhaps a different version of Palemoon incorporates that statement, but I'm using version 25.7.0 (Atom/WinXP).

[Moonchild]

If you don't get the option, then either the site is loaded in a frame (which can be bad news and subject to site spoofing) or something else is making the browser distrust the connection to such a degree that it's considered an unacceptable option.

[Joel Cairo]

If we see "https://www.arboreumco.com" in the address bar - and we know that www.arboreumco.com is perfectly kosher, shouldn't we trust that, despite an "untrusted connection" warning? The only reason to believe the latter in that situation would be suspecting what we can see in the address bar is spoofed - at which point the browser is fully-compromised (like us when we can no longer believe our eyes)? If one is compromised, so might be the other. So if "http://www.arboreumco.com" is trustworthy, why would "https://www.arboreumco.com" not be? In other words, why is it a bad idea to accept the certificate as an exception?

[Toa-Nuva]

we know that http://www.arboreumco.com is perfectly kosher

We don't know.
The thing is, HTTP does not offer any security at all. Someone else might be maintaining a fake copy of that site, and you might be connected to that fake site (via a man in the middle attack, for example), and neither you nor the maintainers of the original site would ever know.

HTTPS does promise security. When you visit that site, and the HTTPS connection works out fine, you can be sure that you are connected to the original site. If someone creates a fake site and you try to connect to it, the browser would notice and refuse the connection.
However, if the maintainers of the original site mess something up on their end, they make themselves look like a fake site. So when you try to connect to it, the browser will have to refuse the connection.

So, for all we know, the site might be a fake, or it might be real but with a messed-up HTTPS configuration.

[Joel Cairo]

we know that http://www.arboreumco.com is perfectly kosher

We don't know.
The thing is, HTTP does not offer any security at all. Someone else might be maintaining a fake copy of that site, and you might be connected to that fake site (via a man in the middle attack, for example), and neither you nor the maintainers of the original site would ever know.

HTTPS does promise security. When you visit that site, and the HTTPS connection works out fine, you can be sure that you are connected to the original site. If someone creates a fake site and you try to connect to it, the browser would notice and refuse the connection.
However, if the maintainers of the original site mess something up on their end, they make themselves look like a fake site. So when you try to connect to it, the browser will have to refuse the connection.

So, for all we know, the site might be a fake, or it might be real but with a messed-up HTTPS configuration.

So you are in the "https everywhere/http nowhere camp". You simply cannot trust any http-only site.

Anyway, this was a specific example. The company don't do online sales. Possibly you could argue that therefore trusting it is as safe as 'security by obscurity' - but I tend towards the view that somewhere you have to take a chance, have faith, place trust based on a hunch, or not just the internet, but life itself becomes all but unusable. You know, who and what the hell do we trust, if we don't take a little chance?