Certificate issue on a website Topic is solved

The place to report Pale Moon specific bugs on Linux and other operating systems.
nero355
Newbie
Posts: 6
Joined: 2018-01-15, 18:20

Certificate issue on a website

Post by nero355 » 2020-09-25, 15:15

Hi guys,

I just found out that https://www.zwitserleven.nl/ shows an error related to the HTTPS certificate.
What could be the cause of this?
www.zwitserleven.nl uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported. (Error code: SEC_ERROR_UNKNOWN_ISSUER)
How I found out about this: Firefox users have the same issue! :D

I am using Pale Moon for Ubuntu 20.04 LTS as recommended by the website: https://software.opensuse.org/download. ... e=palemoon

Thank you in advance & Keep up the good work! :thumbup: 8-) :mrgreen:

RealityRipple
Fanatic
Posts: 220
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California

Re: Certificate issue on a website

Post by RealityRipple » 2020-09-25, 16:07

Site uses a self-signed certificate. No authority. No root. That's about like me saying "you can trust me because I just said you could".

Moonraker
Board Warrior
Posts: 1538
Joined: 2015-09-30, 23:02
Location: uk.

Re: Certificate issue on a website

Post by Moonraker » 2020-09-25, 17:25

Yes, but how can you confirm the signing authority can be trusted also?
Trust is a strange animal.
Xenial puppy linux 32-bit.

Pale moon 28.9.3


Re: Certificate issue on a website

Post by RealityRipple » 2020-09-25, 18:33

Moonraker wrote:
2020-09-25, 17:25
Yes, but how can you confirm the signing authority can be trusted also?
Trust is a strange animal.
In Pale Moon's case, NSS inclusion and auditing rules and associated documents and regulations.

Moonchild
Pale Moon guru
Posts: 28139
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Certificate issue on a website

Post by Moonchild » 2020-09-26, 07:24

Moonraker wrote:
2020-09-25, 17:25
Yes, but how can you confirm the signing authority can be trusted also?
Trust is a strange animal.
You may want to read up on certificate issuance, trust chains and trusted root certificates.

And contrary to what RealityRipple said, the certificate isn't self-signed (that would be bad for an insurance provider!) but rather they have an incomplete certificate chain in their server configuration, missing one or more intermediate certificates.
To fix this they need to include the following two certificates in their server configuration:

KPN PKIoverheid Server CA 2020
    Fingerprint SHA256: 592e1a2f0a34284b0e26fcb4fed22af859848eee8822adb61b42dab47a2ffdc2
    Pin SHA256: Yao+RgzIlYNhXc65ch9IpKzSRFUSiL01Et8c6sN4XLU=
    RSA 4096 bits (e 65537) / SHA256withRSA

Staat der Nederlanden Domein Server CA 2020
    Fingerprint SHA256: 0da914fb7125f6e644eb7aa261de9eb809dc7f925b6b2a7d8a7edd8736398b5b
    Pin SHA256: N9+YluTCUa/HTXc60QxjUReBLpRniAkIK2N84DhgmW4=
    RSA 4096 bits (e 65537) / SHA256withRSA

While they are there they should also generate their own ECDH parameters, since they are currently using public ones, which puts them at risk of broken security if the public configuration key gets cracked.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose
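
Added example (not part of the thread, and not Pale Moon or NSS code): a name-only model of path building that shows why a server omitting the two intermediates named in the post above produces an unknown-issuer error rather than a self-signed one, and which certificate is missing. The root name and host name are constructed placeholders; real validators also check signatures, validity dates and constraints.

```python
# Constructed, name-only model of certificate path building (no signature checks).
ROOT = "Constructed Root CA"  # placeholder root, not named in the thread
DOMAIN_CA = "Staat der Nederlanden Domein Server CA 2020"
ISSUING_CA = "KPN PKIoverheid Server CA 2020"


def cert(subject, issuer):
    return {"subject": subject, "issuer": issuer}


TRUST_STORE = {ROOT: cert(ROOT, ROOT)}          # what the client ships with
LEAF = cert("www.example.test", ISSUING_CA)     # constructed host name
INTERMEDIATES = [cert(ISSUING_CA, DOMAIN_CA), cert(DOMAIN_CA, ROOT)]


def build_path(leaf, sent_by_server, trust_store, max_depth=8):
    """Follow issuer links from the leaf towards a trusted root.

    Returns (status, path, missing): status is 'trusted', 'self-signed' or
    'unknown-issuer'; missing names the certificate the server failed to send.
    """
    pool = {c["subject"]: c for c in sent_by_server}
    path, current = [leaf["subject"]], leaf
    for _ in range(max_depth):  # depth limit also stops issuer loops
        issuer = current["issuer"]
        if issuer == current["subject"]:
            status = "trusted" if issuer in trust_store else "self-signed"
            return status, path, None
        if issuer in trust_store:
            return "trusted", path + [issuer], None
        if issuer not in pool:
            return "unknown-issuer", path, issuer
        current = pool[issuer]
        path.append(current["subject"])
    return "unknown-issuer", path, None


if __name__ == "__main__":
    cases = {
        "leaf only (incomplete chain)": [],
        "one intermediate sent": INTERMEDIATES[:1],
        "both intermediates sent": INTERMEDIATES,
    }
    for label, sent in cases.items():
        print(label, "->", build_path(LEAF, sent, TRUST_STORE))
    selfsigned = cert("www.example.test", "www.example.test")
    print("self-signed leaf ->", build_path(selfsigned, [], TRUST_STORE))
```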


Re: Certificate issue on a website

Post by nero355 » 2020-09-26, 17:17

After some further investigation that seems to be the case indeed @Moonchild :)

Just for my own curiosity: Can you tell me if Pale Moon uses its own library of CAs or the one included in the OS it's running on?

Thank you in advance!


Re: Certificate issue on a website

Post by Moonchild » 2020-09-26, 18:38

By default it uses its own trust anchors from NSS.

If required, you -can- enable reading from the Windows trust store which is usually only needed in enterprise environments, by setting security.enterprise_roots.enabled to true in about:config. Please note that if you don't need it, you should not enable this because it offers a potential attack surface for malware.