Can anyone get through to the USNO website?
I put this in general discussion because there is no way this can be a Pale Moon problem. For months, I cannot access the USNO website. I've tried in addition to Pale Moon, Basilisk, Firefox, and IE. None of them connect. In PM I get the message:
http://www.usno.navy.mil uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
(Error code: SEC_ERROR_UNKNOWN_ISSUER)
Can anyone get through to this site? I find it just shocking (should I?) that a government website doesn't know how to configure it properly. And please, don't bring politics into this, it is not due to the government shutdown, this problem has been going on (for me at least) for months.
Re: Can anyone get through to the USNO website?
Have you tried installing the additional needed DoD root certificate? I d/l'ed one of those certs a couple of months ago but no longer have it. That's about all I can recall. I don't remember how I found the certificate download link either. Best I can recall, the certificate installed but I still did not get whatever it was I was originally looking for. But a Microsoft Answers page says:
You can download the DoD Root Certificates from here:
http://citrixapps.hqda.pentagon.mil/
Whether that is the same one I used, I don't know. I do agree it seems strange that you have to take extra steps like this, but I'm sure it has something to do with extra security for military sites even if we don't understand it.
Win10home(1709), PM33.0.0-portable as of Feb 1, '24
Re: Can anyone get through to the USNO website?
NotWorthKnowing wrote: Have you tried installing the additional needed DoD root certificate?
Ironically, I get the same untrusted connection message from that link.
Re: Can anyone get through to the USNO website?
NotWorthKnowing wrote: Have you tried installing the additional needed DoD root certificate?
helloimustbegoing wrote: Ironically, I get the same untrusted connection message from that link.
Funny, because that's an http link, not https.
(and for me it times out, probably because I'm not in the States...)
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Can anyone get through to the USNO website?
NotWorthKnowing wrote: I'm sure it has something to do with extra security for military sites even if we don't understand it.
Actually, all it has to do with is the fact that the root certificate is not part of major browsers' trust stores, and that the intermediate (issuing) certificate of the authority handing out the actual certificates isn't cross-signed with a root that is in the trust store.
Considering the DoD seems to think that adding the root cert to the chain presented to browsers will solve this, I think it has more to do with the DoD not understanding it than us not understanding it.
No, having a custom root does not, in any way, improve security.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Can anyone get through to the USNO website?
Moonchild wrote: Funny, because that's an http link, not https.
Yeah, I noticed that. But when I click on it, it goes to https. Any reason why?
Re: Can anyone get through to the USNO website?
Probably because that link was posted in 2009, before everything began forcing https.
Win10home(1709), PM33.0.0-portable as of Feb 1, '24
Re: Can anyone get through to the USNO website?
NotWorthKnowing wrote: Probably because that link was posted in 2009, before everything began forcing https.
Well now as a result the DoD has a chicken-and-egg problem, then.
You need a root cert to access the site, but the root cert can only be downloaded from an https site which needs that very root cert.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Can anyone get through to the USNO website?
USNO:
Info
Mail sent.
Site Administrator has been contacted.
A mail has now been sent to the site administrator regarding your questions and/or comments.
Let's hope they get to fixing it soon.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Can anyone get through to the USNO website?
I noticed that you can get a cert error like that, if you use a 32-bit browser on a 64-bit Windows. (IIRC) I did with 32-bit Firefox on Windows 7 64-bit, IIRC.
Re: Can anyone get through to the USNO website?
RJARRRPCGP wrote: I noticed that you can get a cert error like that, if you use a 32-bit browser on a 64-bit Windows.
Sorry, but that makes no sense whatsoever. Bitness has no influence on this.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Can anyone get through to the USNO website?
RJARRRPCGP wrote: I noticed that you can get a cert error like that, if you use a 32-bit browser on a 64-bit Windows.
Moonchild wrote: Sorry, but that makes no sense whatsoever. Bitness has no influence on this.
I had that issue. It looks like certain certificates simply can't be found with a 32-bit browser. I changed the browser to 64-bit and it's like there was never a certificate problem.
On Windows, it looks like the 64-bit version is missing stuff for 32-bit browsers. Why is that? Facepalm.....
Re: Can anyone get through to the USNO website?
You can if you add a security exception!
Windows 10 pro /64 (version 1809)
PM last/64
Re: Can anyone get through to the USNO website?
badnick wrote: You can if you add a security exception!
That's always the case. But they should fix the site. I don't want to take a chance connecting to a site the Chinese government might have hacked into.
Re: Can anyone get through to the USNO website?
helloimustbegoing wrote: I don't want to take a chance connecting to a site the Chinese government might have hacked into.
I don't think the Chinese government is concerned about this kind of public site.
If I lived in the US I would be worried about that: https://www.wired.com/2012/03/ff-nsadatacenter/
Windows 10 pro /64 (version 1809)
PM last/64
Re: Can anyone get through to the USNO website?
Moonchild wrote: Considering the DoD seems to think that adding the root cert to the chain presented to browsers will solve this, I think it has more to do with the DoD not understanding it than us not understanding it. No, having a custom root does not, in any way, improve security.
Based on some of my previous work experience I think part of the reason is a holdover from the early days of the internet. Internal DoD computers have these certificates installed as part of their software image, and classified equipment wouldn't be able to verify the cross-signer on a certificate anyway.
Re: Can anyone get through to the USNO website?
hitokage wrote: Internal DoD computers have these certificates installed as part of their software image
Oh it absolutely makes sense to have this set up the way they do for an internal infrastructure, but the problem is that part of their infra is accessible to the public, and needs a public-verifiable certificate chain. Also, it won't help for web browsers that do not use a system store but use their own truststore (which is most of them, since relying on a system-provided truststore means vulnerability to malware manipulating a truststore outside of the browser).
hitokage wrote: classified equipment wouldn't be able to verify the cross-signer on a certificate anyway.
If you mean equipment on a non-public network segment, then yes you're correct, but that doesn't matter -- having the issuer cert cross-signed doesn't break the trust chain for what is already installed on the systems as part of the software image, as you said, so those certificates will happily remain accepted by proprietary software in use.
It does, however, provide a public-verifiable trust chain to a different root that is accepted by browsers, which is required for public portals.
I've had a brief back-and-forth with the responsible person for USNO, explaining what needs to happen to fix this (there's actually 4 different ways this can be solved). Hopefully it'll be properly escalated and fixed soon.
The problem is that all DoD websites by policy have been migrated to https without having a publicly accepted cert issuance infrastructure in place, so it goes way beyond just USNO; it affects all DoD public websites.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
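The chain-building behaviour Moonchild describes in the posts above, as an added example that is not part of the original thread: a simplified Python model that matches certificates by name and key identifier instead of verifying real signatures. All certificate names, keys and the host name are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str     # subject name
    key: str         # stands in for the subject's public key
    issuer: str      # issuer name
    issuer_key: str  # stands in for the key that signed this certificate

def build_path(leaf, sent_by_server, trust_store):
    """Return subject names from leaf to a trust-store anchor, or None.

    Only certificates in trust_store may end a path. Certificates sent by the
    server are candidate intermediates only, so a root the server adds to its
    own chain is never treated as an anchor.
    """
    def issued(parent, child):
        return parent.subject == child.issuer and parent.key == child.issuer_key

    def walk(cert, seen):
        for anchor in trust_store:
            if issued(anchor, cert):
                return [cert.subject, anchor.subject]
        for cand in sent_by_server:
            if cand not in seen and issued(cand, cert):
                rest = walk(cand, seen | {cand})
                if rest:
                    return [cert.subject] + rest
        return None

    return walk(leaf, frozenset({leaf}))

# Constructed sample PKI (assumption: one private root, one issuing CA).
PRIVATE_ROOT = Cert("Private Root CA", "k-root", "Private Root CA", "k-root")
PUBLIC_ROOT = Cert("Public Root CA", "k-pub", "Public Root CA", "k-pub")
ISSUING_CA = Cert("Private Issuing CA", "k-int", "Private Root CA", "k-root")
# Cross-signed copy: same subject and key, but issued by the public root.
CROSS_SIGNED = Cert("Private Issuing CA", "k-int", "Public Root CA", "k-pub")
LEAF = Cert("www.example.test", "k-leaf", "Private Issuing CA", "k-int")

BROWSER_STORE = [PUBLIC_ROOT]   # browser's own truststore
IMAGE_STORE = [PRIVATE_ROOT]    # internal machine with the root pre-installed

if __name__ == "__main__":
    # Server sends its private root along with the chain: still unknown issuer.
    print(build_path(LEAF, [ISSUING_CA, PRIVATE_ROOT], BROWSER_STORE))
    # Server sends both intermediates: each client anchors at its own root.
    print(build_path(LEAF, [ISSUING_CA, CROSS_SIGNED], BROWSER_STORE))
    print(build_path(LEAF, [ISSUING_CA, CROSS_SIGNED], IMAGE_STORE))
```
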
Re: Can anyone get through to the USNO website?
Moonchild wrote: since relying on a system-provided truststore means vulnerability to malware manipulating a truststore outside of the browser).
I did say it was a holdover from the early days of the internet, so mid '90s and Netscape Navigator version 2 and 3.
Moonchild wrote: having the issuer cert cross-signed doesn't break the trust chain for what is already installed on the systems as part of the software image
I think my thought process was going on the line that secure stuff couldn't contact and verify the cross-signer, so they would still be installing certificates. They may also be trying to keep as much to themselves as possible - even for publicly accessible websites. The U.S. DoD did create what became the internet - they may think they should be in the list of trusted CAs.
Moonchild wrote: it goes way beyond just USNO; it affects all DoD public websites.
It has been a problem for a really long time. I seem to recall this coming up before, but it was quite possibly on a different forum as it affects other browsers.
Re: Can anyone get through to the USNO website?
hitokage wrote: they may think they should be in the list of trusted CAs.
Then they need to go through the proper channels and get themselves audited as a CA. It's not something that "just happens" or "is just accepted because of reputation or status".
The CA/B forum is a good start for that if they want to go that route. I think though that they might not want to do this as a CA audit requires them to disclose a lot of their internal operations which the DoD is likely not willing to do (since they are going to issue certs for their organization only and not be a public CA). That's why I suggested cross-signing to them: get an accepted issuer/trusted root to sign their intermediate cert and vouch for them as a CA on the public Internet.
In the meantime you can install the root certificates yourself. The USNO Public Affairs Officer indicated the following:
You may also wish to install the most recent U.S. Government Certificate
Authorities. Here's a link to a non-DoD website that can guide you through
the process:
<https://knowledge.digicert.com/solution/SO5198.html>.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite