Issue loading my site in https - ssl

recently, I ordered a SSL certificate for my website. Prior to that, everything worked fine for me, the website was fast and I had no issue. Since the certificate has been installed by OVH... Well... Things changed... The issue is that not everybody has the same behaviour as me. When I go on "https://www.areaprog.com/" with different browsers, here is what I get:
Chrome:
"Your connection is not private
Attackers might be trying to steal your information from
www.areaprog.com (for example, passwords, messages or credit cards).
NET::ERR_CERT_COMMON_NAME_INVALID"
Firefox:
"This connection is untrusted
You have asked Firefox to connect securely to www.areaprog.com, but we
can't confirm that your connection is secure.
Technical details:
www.areaprog.com uses an invalid security certificate.
The certificate is only valid for ssl2.ovh.net
(Error code: ssl_error_bad_cert_domain)"
Internet explorer:
"The security certificate presented by this website was issued for a
different website's address.
Security certificate problems may indicate an attempt to fool you or
intercept any data you send to the server."
I asked to OVH and everything is fine for them and apparently, it is also the case for other people out there (I asked around to see if I was the only one), but other people also experiences the same issue...
Moreover, Firebug keeps on saying:
"This site makes use of a SHA-1 Certificate; it's recommended you use
certificates with signature algorithms that use hash functions
stronger than SHA-1"
Besides, for people who are experiencing this issue, well, the site is extremely slow. For me, a simple page takes more than 20 seconds to load...
Does some of you have the same issue than me and does someone have an idea of what to say to OVH who keeps telling me that everything is OK?
Thanks a lot

Related

Client Side SSL Certification error received on one computer, but not another?

I'm hoping for some help with troubleshooting a frequently received error on my computer. I often try to navigate to very common websites such as https://illinoiscomptroller.gov. This is fine on my work computer, I receive no error. On my laptop at home, I get the NET::ERR_CERT_REVOKED error.
I'm not really all that experienced in troubleshooting these types of errors, but I have been getting this message for so long and would really appreciate some help resolving this issue. Every time I google for an answer, most sources suggest there is really an invalid cert, but I know this isn't true. Other answers point to an incorrectly installed cert, but again, I know this isn't the case.
I think the issue lies somewhere in my configuration on my machine. I don't have any fancy firewall set up. What I have noticed is if I click on the "Not Secure" message in the URL part of the Chrome browser, it tells me the cert was revoked by one source.
On my work computer, for the same website it says it has a valid SSL cert through DigiCert. I looked at my Internet Options SSL Cert providers and DigiCert is on there? Any ideas what I can do to figure this out?

Recent https (SSL) addition, getting site cannot provide secure connection error page

Recently our website went from http to https. I, and others, are randomly getting "The Site Can't Provide a Secure Connection" page. Upon refresh, the page loads just fine. Why are we getting this initial page randomly?
FYI... We have http to https redirects in place.
Impossible to say without more details, but some things I can suggest are:
You have multiple servers and some are configured correctly and some incorrectly.
You are not including the full certificate chain. Sometimes your browser has the missing intermediary cached and sometimes not (see this answer for more info here: https://serverfault.com/questions/826100/ca-certificate-trouble-with-squid-on-centos7/826321#826321)
A bug in browser/software. I had this issue on Chrome when using Apache HTTP/2. Never did figure it out but a Chrome update fixed it.
Run https://www.ssllabs.com/ssltest/ on your site to confirm not a problem with your https set up and, if that doesn't work, or you don't understand the results it gives, then update your question with more details (what Server and Browser you are using and what version, if you have any proxy in place between your Browser and the site and, ideally the website name) if you want people to help you.
Also be aware this is a programming site and some people don't like these questions here and will suggest other Stack Exchange sites but honestly don't know where this question is best placed: serverfault.com maybe, but is for professional SysAdmins only, Unix and Linux seems a little generic (not even sure if you are using a Linux webserver!), Webmasters is more for content and SEO questions, Information and Security is more for theoretical SSL/TLS questions...

Local site testing with BrowserStack and self-signed certificates

I have started looking into testing our site with BrowserStack.
However, I'm having issues with live-testing (as opposed to automated testing with Selenium, which mostly works fine) a site we're developing as we're serving it with a self-signed certificate.
Manually approving the certificate doesn't bother me as much as the fact that some Ajax request are failing (at least on IE10) due to security issues and this makes it impossible to actually manually test the site.
An acceptable solution would be to somehow add our self-signed cert. into the list of trusted root CAs. However, I haven't found out how to upload files into the BrowserStack test environment (not sure if that's even possible, really).
Any ideas ?
I contacted BrowserStack about this issue, and their formal response is:
"We currently do not support installing client certificates on the remote machines. However, this is on our list, and we’ll keep you posted."
Hopefully this issues will be resolved soon and I'll post a different answer here.
April 2021 update:
BrowserStack has shipped a toggle to trust self-signed certs.
It is available on iOS and Android devices for now.
When it happens, open the "Network" tab, and open in a new tab the request which is failing. If it is "just" a certificate issue, you would then be able to bypass the warning. Then, your request should work correctly.
When the "Cannot Verify Server Identity" dialogue pops up, click details, then 'Trust'. This will work if all calls are to the same domain as the website.

Yellow Triangle Message

I am the owner of myhomeworkhelp.com and we had taken SSL certificate for our business website. We are getting Yellow Triangle Messages in all webpages, but the main problem is if you will open my website on Firefox, Torrent and IE it will not give Yellow Triangle Message but when we come on Chrome, it gives Yellow Triangle Message. We tried to find a solution for this. We had talked hosting company, SSL provider and our website developer, but every one saying all is fine. Can you help me to fix this issue?
Let me know if you have question
Your certificate uses old unsafe security setting (SHA1 signature) and Google Chrome decided to warn about it since Jan 1.
Ask for a new SSL certificate with SHA256 signature.
you may find the following useful:
https://support.servertastic.com/the-site-is-using-outdated-security-settings-that-may-prevent-future-versions-of-chrome-from-being-able-to-safely-access-it/
&
https://support.servertastic.com/deprecation-of-sha1-and-moving-to-sha2/
On chrome its just a warning to let you know that they are transitioning to SHA-2 ( SHA256 ) support and notifying about the older less secure methods used by your existing SHA1 cert.
All is currently fine but you may want to move stuff over to 256 to remove the triangle on chrome, it will probably happen on other browsers soon as well. :)

Adobe AIR-Is a self signed app OK?

I want to develop an app using Adobe AIR. But I have to sign it using a code signing certificate. I don't wan to buy a code signing certificate. Would it be OK if I distribute my app with a self-signed certificate?
The only difference between using a real certificate and a self-signed certificate is what the user sees in the initial installation dialog. With a real certificated they'll see a yellow "!" and the app will shown to be of "KNOWN" origin, and your company name will be shown. With a self-signed cert, there will be a red "?", and it will say the app's publisher is "UNKNOWN". You can see samples of the two dialogs at the very bottom of this page.
So realistically, it comes down to whether you're okay with people seeing a scary warning at install time. If you're only offering up the apps as a "use at your own risk" thing, or the app will be used mainly by a small group of people who already know who you are (an internal company app, e.g.) that may not be an issue, but if you hope for random internet people to come use your app and trust it, a cert may be a good idea.
That depends on your definition of "OK", but most likely no.
A self-signed certificate will not have been issued by a trusted CA, and your certificate will be considered untrusted by the client. I don't think (but have not tested) that the user is actively prevented from installing an app with an untrusted certificate, but they would at least get a warning, and that doesn't give your user a good first impression of your app.
If it's just for yourself or for a small group of people who know and trust you, then a self-signed certificate is most likely not a problem, but if you're distributing it to the world, you will almost certainly prefer a proper certificate.
I have recently looked into developing an Air App for the company to distribute to customers. On OSX Mavericks - on my mac and my designer's mac a red warning signs pops up stating that we are an unknown publisher - This was using the self signed certificate. The whole process was clunky with the installation, I had to verify that we were legitimate, as this warning sign inferred we were a looking to distribute something underhand.
From a marketing perspective this looked terrible.
In addition to this I managed to find someone to test the whole process of downloading the air app with a self signed cert on windows with an 'average' amount IT skills and this is what they said:
"Nah I didn't download it... it looked like it wanted to put a virus on my computer." And that is where download ended.
Currently we are looking to get some seal of trust on the application for distribution purposes.
Verisign, Thawte look interesting, although costly.
http://www.symantec.com/code-signing/adobe-air
https://www.thawte.com/code-signing/
Or read this page for more information
http://help.adobe.com/en_US/air/build/WS5b3ccc516d4fbf351e63e3d118666ade46-7ff0.html