Security problem with Ravensdown website?

Forums › IT Pro and developers › Security problem with Ravensdown website?

mattwnz

20141 posts

Uber Geek

#198555 13-Jul-2016 18:58

I am trying to access the login page of this website https://www.myravensdown.co.nz/ . But it comes up with security error in Firefox. But it doesn't in Chrome or Edge. Anyone know if there is anything on this website that could be causing security error in Firefox. I have also tried it on multiple computers. When speaking to the company, they said they had talked to their website people who said it was fine and secure. But they had also had other people who had contacted them .

Looking at it in more depth, the certificate looks to have a probelm

https://www.myravensdown.co.nz/ Peer's Certificate issuer is not recognized. HTTP Strict Transport Security: false HTTP Public Key Pinning: false

Is this a problem that the website people they use should know about and fix?

TIA

ethanbmnz

138 posts

Master Geek

#1592207 13-Jul-2016 19:04

A few years ago e-asTTle did the same thing. I just used to add it as a security exception and the problem went away.

timmmay

20574 posts

Uber Geek

Trusted

Lifetime subscriber

#1592209 13-Jul-2016 19:06

The error is "Peer's Certificate issuer is not recognized". It's probably that Firefox doesn't trust the certificate authority the issued the certificate but Chrome and Edge do.

mattwnz

20141 posts

Uber Geek

#1592212 13-Jul-2016 19:08

timmmay:

The error is "Peer's Certificate issuer is not recognized". It's probably that Firefox doesn't trust the certificate authority the issued the certificate but Chrome and Edge do.

Thanks, that is what I suspected from the error. Odd they wouldn't use a mainstream certificate company, as they are a pretty large well known NZ company and brand.

kol

11 posts

Geek

Trusted

Vocus

#1592213 13-Jul-2016 19:09

Looks like they are missing the intermediate certificate/chain.

https://www.sslshopper.com/ssl-checker.html#hostname=myravensdown.co.nz
https://sslanalyzer.comodoca.com/?url=myravensdown.co.nz

timmmay

20574 posts

Uber Geek

Trusted

Lifetime subscriber

#1592214 13-Jul-2016 19:09

Ok, the problem is the intermediate certificate authority between the root and this website isn't properly chained to the website's SSL certificate. It's not valid set up like this, but it's an indication of misconfiguration not of any particular security issue. When I set up the certificate on my server I had to chain the CA cert to my https cert to prevent this type of thing. Mozilla is more strict about this kind of thing than some other browsers.

Information here and here.

toyonut

1508 posts

Uber Geek

#1592226 13-Jul-2016 20:04

Oddly, Chrome and Edge are happy with it, just Firefox is being picky about it. Looks like it is just the intermediates not being installed properly as someone pointed out above.

Try Vultr using this link and get us both some credit:

http://www.vultr.com/?ref=7033587-3B

mattwnz

20141 posts

Uber Geek

#1597424 23-Jul-2016 19:39

So I contacted them again about the problem, and told them the fault was with the secure certificates configuration. However their website person say it is a problem with firefox, and that if I update firefox and totally reset it, it will then not display the error. I presume this means that they have fixed it and my browser is caching the old version. I have tried reseting firefox, but it still displays the error for me in my browser. So I am wondering if Spark is caching it. Is anyone able to please check whether the problem still occurs for them?

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

jamesrt

1609 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1597447 23-Jul-2016 20:17

mattwnz: Is anyone able to please check whether the problem still occurs for them?

It is a problem for me (Orcon UFB, FF47):

Your connection is not secure

The owner of www.myravensdown.co.nz has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

richms

28168 posts

Uber Geek

Trusted

Lifetime subscriber

#1597449 23-Jul-2016 20:19

Unfortunately most web developers are just that, and do not really know much about the SSL or security side of things at all.

I recall I had to get some stuff from the cert issuer and upload it thru the cpanel SSL cert configuring thing to get it not erroring in firefox and passing ssl labs when I last bothered with a SSL cert. Was documented well and not difficult.

Richard rich.ms

itxtme

2102 posts

Uber Geek

#1597492 23-Jul-2016 21:59

mattwnz:

So I contacted them again about the problem, and told them the fault was with the secure certificates configuration. However their website person say it is a problem with firefox, and that if I update firefox and totally reset it, it will then not display the error. I presume this means that they have fixed it and my browser is caching the old version. I have tried reseting firefox, but it still displays the error for me in my browser. So I am wondering if Spark is caching it. Is anyone able to please check whether the problem still occurs for them?

Use an SSL checker like this to rule out your browser. Issue still exists. I run SSL certs on several machines and did this by installing the cert in the wrong line under Apache, completely my mistake, and easily fixed.

mattwnz

20141 posts

Uber Geek

#1597525 23-Jul-2016 23:50

richms:

Unfortunately most web developers are just that, and do not really know much about the SSL or security side of things at all.

I recall I had to get some stuff from the cert issuer and upload it thru the cpanel SSL cert configuring thing to get it not erroring in firefox and passing ssl labs when I last bothered with a SSL cert. Was documented well and not difficult.

Just looking at the position of the person who replied, it was their IT Web Systems Analyst . So for that sort of position, you would hope they would know all about SSL. It is just annoying when they try to blame the customer and their computer, and they claim that the problem isn't at their end.

mattwnz

20141 posts

Uber Geek

#1597530 24-Jul-2016 00:16

itxtme:

mattwnz:

So I contacted them again about the problem, and told them the fault was with the secure certificates configuration. However their website person say it is a problem with firefox, and that if I update firefox and totally reset it, it will then not display the error. I presume this means that they have fixed it and my browser is caching the old version. I have tried reseting firefox, but it still displays the error for me in my browser. So I am wondering if Spark is caching it. Is anyone able to please check whether the problem still occurs for them?

Use an SSL checker like this to rule out your browser. Issue still exists. I run SSL certs on several machines and did this by installing the cert in the wrong line under Apache, completely my mistake, and easily fixed.

Thanks, I will let them know they still have a problem. I just can't really understand when I pointed out the problem, they are still blaming it on my computer and Firefox as having the problem. They seem to think that because IE and Chrome don't show any error, that the fault is Firefox.

timmmay

20574 posts

Uber Geek

Trusted

Lifetime subscriber

#1597548 24-Jul-2016 07:56

I'd not bother with them, if they're too thick to understand it and brush you off. Maybe send them the SSL testing website link, but that's it. Stupid gets what stupid deserves. It's not a security problem, it's an accessibility problem.