
Certificates in iCab & Classilla


petermyersaus:
iCab and Classilla waste my time with messages such as

"The Certificate of the Server is not valid" (iCab)

"Unable to verify the identity of [webpage] as a trusted site" (Classilla).

"[browser] does not have the Certificate for [webpage]"

In each case, I have to click a response box. Sometimes there are 2 or 3 such messages for a particular webpage.

Have I got these browsers set up wrongly? But I can't see anything in the Preferences which would cause this.

Any tips?

GaryN:
Regarding Classilla: https://code.google.com/archive/p/classilla/wikis/AAATheFAQ.wiki

From the above:
*******************************
Does Classilla support TLS or SSL?

Classilla supports TLSv1, SSLv2 and SSLv3. Of the three, TLS is the most preferred and highest level of security, while SSL is an older encryption technology predating TLS. SSLv2 is no longer secure and should no longer be used; it is disabled by default starting in Classilla 9.3.3 and will be removed completely in a future version. SSLv3 is still available but is considered deprecated due to intrinsic flaws in the protocol and will be disabled by default in a future version. In addition, "export-only" low-key-length symmetric ciphers are also considered deprecated and will be disabled by default in a future version.

Classilla does support TLSv1, but versions prior to 9.3.3 did not support certain features which may cause sites to renegotiate SSLv3. In 9.3.3, support for Server Name Indication (SNI) was added, which improves verification of certain secure websites.

Classilla's encryption package does not currently include higher performance elliptic curve support, but does support regular Diffie-Hellman exchange for forward secrecy. For example, DHE-RSA-AES256-SHA is fully supported.

Some secure websites give me an error -8182.

These sites use SHA-256 certificates for TLS. This support was added in Classilla 9.3.3.

Some secure websites give me a dialogue box saying the site could not be verified.

Classilla allows you to override certain checks on certificate identity when you know or trust that the network and site you're connecting to have not been compromised. For example, if the domain name is slightly different, or the certificate is recently expired, you may receive this box but the certificate may still be perfectly safe to accept temporarily. You receive this box if the certificate name differs, the certificate is expired, it is signed by a certificate authority you don't currently accept, or, starting in 9.3.3, if the certificate is signed with an algorithm that Classilla does not yet understand.

With the added support in 9.3.3 and later versions, this situation should be much less common. If it occurs, you should examine the certificate carefully and decide what to do and how long you want the exception to last. There is no good rule of thumb on when this is safe to do, although a site that used to work and suddenly fails to work, especially on a different network, should be considered an indication your connection is not safe. Remember: if you override a certificate check, you are telling Classilla that verification is not required or possible, which may cause you to send information to an unauthorized third party which is masquerading as the trusted site. Be cautious when approving these requests.

**************************************

iCab issues are similar.

These are old browsers that seldom get updated to the ever-changing new world. There are many new security protocols in use today that did not even exist when these were current. Some certificate updates are possible, others not so much. The internet is in many ways like a public toilet…there are many nasty things lurking that you shouldn't touch, and some folks are doing their level best to put those things on you.

Bottom line, security alerts from old browsers go with the territory. How many of them you get is directly related to how far off the beaten path you go. If you feel they're "wasting your time", either ignore them or use a more up-to-date system on the net. Personally, I'd recommend the latter.
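
The four conditions the quoted FAQ lists for the verification dialogue, as an added Python example (not Classilla's code and not part of any post in this thread). It runs on a constructed certificate shaped like Python's `ssl.SSLSocket.getpeercert()` output; the `sigAlg` field, the trust-by-issuer-name shortcut and all sample values are assumptions for illustration.

```python
import ssl

# Assumption: a pre-9.3.3 build's signature algorithms (the FAQ says SHA-256 arrived in 9.3.3).
OLD_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}

def name_matches(pattern, host):
    """Compare a certificate DNS name with the host; '*' covers only the left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def rdn_values(name, key):
    """Pull every value for `key` out of a getpeercert()-style subject/issuer tuple."""
    return [v for rdn in name for k, v in rdn if k == key]

def warning_reasons(cert, host, now, trusted_issuers, known_algs=OLD_SIG_ALGS):
    """Return which of the four conditions listed in the FAQ apply, in FAQ order."""
    reasons = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # no SAN present: fall back to the subject commonName
        names = rdn_values(cert.get("subject", ()), "commonName")
    if not any(name_matches(n, host) for n in names):
        reasons.append("name differs")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("expired")
    # Simplification: real verification checks the signature chain, not the issuer's name.
    if not set(rdn_values(cert["issuer"], "commonName")) & set(trusted_issuers):
        reasons.append("untrusted issuer")
    if cert["sigAlg"] not in known_algs:
        reasons.append("unknown signature algorithm")
    return reasons

# Constructed sample in the shape of getpeercert(); "sigAlg" is a hypothetical extra
# field, since getpeercert() does not report the signature algorithm.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("commonName", "Example Test CA R1"),),),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Jan  1 00:00:00 2016 GMT",
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.cdn.example.org")),
    "sigAlg": "sha256WithRSAEncryption",
}
CHECK_TIME = ssl.cert_time_to_seconds("Feb  4 00:00:00 2016 GMT")  # constructed "now"

if __name__ == "__main__":
    print(warning_reasons(SAMPLE_CERT, "www.example.org", CHECK_TIME, {"Example Test CA R1"}))
```
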

mrhappy:

--- Quote from: GaryN on February 04, 2016, 11:08:30 PM --- The internet is in many ways like a public toilet

--- End quote ---

And don't forget to flush!! ;D ;D ;D

Nice explanation Gary!

Protools5LEGuy:
We have a problem with the old 9.2.3 version included in Complete DAW Restore with Cubase VST/32 with Pre-Authorized Virtual Instruments & FX.

It can't download 9.3.3 from the sourcecode servers...

Let's see what happens when downloading from our servers.

Protools5LEGuy:
Sorry, but I was on a non-OS9 machine
