Domain avisynth.nl unavailable via HTTPS

[LigH]

Who is actually the webmaster of the avisynth.nl domain?

The forum software of the German doom9/Gleitz board converts all HTTP links to HTTPS; so all links to https://avisynth.nl/index.php etc. lead to an outdated certificate. Some browsers warn of an insecure connection and discourage an exception, others display an error page in Dutch.

Please forward and notify the responsible person.

[wonkey_monkey]

Quote:

The forum software of the German doom9/Gleitz board converts all HTTP links to HTTPS

Wouldn't whoever made that decision, arguably, be the responsible person?

[LigH]

The admin of the Gleitz forum is not the admin of avisynth.nl, though. And links in the Gleitz forum are just one possible example of a reason why someone might try to contact avisynth.nl via HTTPS.

[ChaosKing]

So Gleitz "excludes" ~70% of the web just like that? There are tons of http only websites out there

[LigH]

More and more websites switch to secure transport protocols on their own, instead. Like more and more software does not care anymore about compatibility with obsolete operating systems.

I only recommend the support of modern features, without a demand, for the advantage of the privacy-aware user, assuming that this support may be within the intentions of the domain owner.

Now we are blamed for not being conservative. Why do you protect a flaw? Updating to a valid certificate won't lock out insecure connections.

[LoRd_MuldeR]

Quote:

Originally Posted by LigH

all links to https://avisynth.nl/index.php etc. lead to an outdated certificate. Some browsers warn of an insecure connection and discourage an exception, others display an error page in Dutch.

The certificate presented by the server is perfectly valid, but just doesn't match the domain "avisynth.nl", which is why it will be rejected by the web-browser – for good reason!

This happens, e.g., when the same HTTP server is used to serve multiple domains, but the admin missed to configure a matching certificate for each of those domains.

(The same certificate can match different domains – either by using wildcard DNS names or by writing several different DNS names into the Subject Alternative Name extension – but here it doesn't work out)

[LigH]

This happens for several domains, some I recently contacted were able to implement acceptable certificates (including my own hoster). "Let's Encrypt" appears to be involved increasingly.

[StainlessS]

I presume that this is related:- SSL Report: forum.doom9.org (213.112.23.71)
https://www.ssllabs.com/ssltest/anal...orum.doom9.org

I always have problem on Android 2.3.7 (GingerBread) trying to connect to the D9. [EDIT: Just gotta change https to http]
Just tried with XP IE8, same.
Both in red in above SSL report.

Also, think that Google always provides links with https nowadays.

[TheFluff]

Quote:

Originally Posted by StainlessS

I presume that this is related:- SSL Report: forum.doom9.org (213.112.23.71)
https://www.ssllabs.com/ssltest/anal...orum.doom9.org

I always have problem on Android 2.3.7 (GingerBread) trying to connect to the D9. [EDIT: Just gotta change https to http]
Just tried with XP IE8, same.
Both in red in above SSL report.

It's not related, except in that both issues are SSL/TLS connection failures. The reason you can't connect with Android 2.3.7 or IE on Windows XP is that neither supports any cipher suites that the D9 server is configured to accept. One of the main issues with TLS/SSL is that it's been around for so long that there are a bunch of very old and now-insecure crypto options available for backwards compatibility reasons, but the D9 server is well-configured and only allows connections with reasonably modern ciphersuites, so that a user cannot be fooled into thinking the connection is secure when it actually might be easily breakable. Android 2.3.7 and IE8 on XP (Chrome on XP is fine because it bundles its own crypto libraries instead of relying on the system's) at least support TLS 1.0 so they're just barely capable of providing moderately secure communication... for now. However, PCI DSS (Payment Card Industry Data Security Standard - requirements for payment processing business that handle credit card info) prohibits the use of TLS 1.0 from June 30, 2018, so it's not going to stick around on a lot of big sites for much longer.

The issue with avisynth.nl is completely unrelated; it simply doesn't have a valid SSL certificate for that domain.

The point of SSL is not only to encrypt traffic so you don't yell out your passwords and credit card numbers so loudly that every single bystander (including anyone mildly interested on the free wifi you're using) can hear it, but also to ensure you know who you're actually talking to. A very common ransomware/virus/malware infection vector these days is clicking some link that looks like it's a familiar site but in fact will take you somewhere that looks legit but steals your data and/or uses exploits to install malware. SSL certificates are therefore completely pointless if they don't match the domain you're connecting to - there's no point in encrypting the traffic if you're talking directly to someone who is interested in eavesdropping on it, after all.

There is no reason for anything except the most trivial static pages on the open internet to use unencrypted HTTP today. It's very hard to overstate just how incredibly vulnerable anything running on plain HTTP is to all kinds of shenanigans, and sending passwords in cleartext over the internet in 2017 is basically ensuring they'll get into one of the gigantic username/password dumps floating around. The only reason you can get away with http on sites like d9 is that they're so obscure that it is unlikely that someone will bother to actually attack them.

[FranceBB]

@thefluff and @StainlesS... true. (little ot) Chrome hasn't been updated for quite some time on XP, 'cause Google support ended and has SSL issues with newer certificates. On the other hand, Firefox ESR is supposed to be supported (and updated) at least 'till middle 2018 and its own certificate manager handles pretty much everything. For instance, if you try to access Nyaa.si (popular anime torrent website) using HTTPS on Chrome, it'll end up with an error, while Firefox will load the page flawlessly. (End OT)

[sl1pkn07]

nyaa.si works for me in chrome/ium

[FranceBB]

Quote:

Originally Posted by sl1pkn07

nyaa.si works for me in chrome/ium

On Windows7 and later, yes, on Windows XP nope. Picture

Anyway, the "problem" with avisynth.nl is different.