Author Topic: SSL certificate for secure connections (https) is invalid/broken with Chrome+XP  (Read 1197 times)

Corak

  • Posts: 20
Hi Ian!
Tried to enter your site with the latest Chrome versions on Windows XP. But it doesn't allow entering the site with this browser and system.


It reports about:
net::ERR_CERT_AUTHORITY_INVALID
net::ERR_CERT_COMMON_NAME_INVALID
Problem both in: https://www.un4seen.com/ and https://support.xmplay.com/
Problem happens only on Windows XP and the latest (2015 and later) Chromium-based browsers.
On XP it works normally on http and in other browsers. Google also redirects to https links when searching for something.

I found some solutions in an analogous situation with the "Let's Encrypt" SSL certificate provider. They added XP support in their latest SSL protocol.
https://community.letsencrypt.org/t/upcoming-intermediate-changes/13106
https://letsencrypt.org/certificates/
But this did not affect those who still have not updated their SSL on the server, and other protocol providers who didn't add support.

You are using now:
COMODO ECC Domain Validation Secure Server CA 2 (sni40810.cloudflaressl.com) for
https://support.xmplay.com/
and some personal "uk.un4seen.com" for
https://www.un4seen.com/
both have the same compatibility issue

saga

  • Posts: 2181
I don't think the un4seen site is actually "supposed" to support HTTPS since the main site offers a self-signed certificate (but of course it would be nice if HTTPS was available there, e.g. through Let's Encrypt). The error on the support site (which afaik is not run by Ian, so he probably cannot do anything about that) indicates that Windows XP probably lacks the required root certificate. Chrome uses Windows XP's root certificate directory, so you either have to install the correct root certificate, or upgrade to an actually supported operating system, or switch to Firefox, which brings its own up-to-date list of trusted root certificates.
Either way, Let's Encrypt's announcement to support Windows XP has nothing to do with any of that, because in their case their certificates contained a directive which was not understood by Windows XP's certificate validation procedure, but that has nothing to do with untrusted root certificates.

saga

  • Posts: 2181
With the current browser generation pushing forward warnings about non-encrypted websites, especially those containing login forms, maybe it's time to consider enabling HTTPS for un4seen.com at last? :)

Ian @ un4seen

  • Administrator
  • Posts: 20424
Yeah, the new warning that appears in the forum login form is a bit annoying. I'll look into it.

Ian @ un4seen

  • Administrator
  • Posts: 20424
The entire website should now be available via HTTPS, but it isn't the default currently, ie. you won't be automatically redirected from "http:" to "https:". Let me know if you encounter any problems.

I will look into making HTTPS the default for the forum, or possibly only when using the login or registration forms. For now, the quick login form is removed from the forum pages unless HTTPS is used.

saga

  • Posts: 2181
Great! ;D As a next step, a Strict-Transport-Security HTTP header should probably be transmitted to automatically redirect people who previously visited the HTTPS version of the site from HTTP to HTTPS whenever they click on an HTTP link.
If you do not want to enforce HTTPS for the entire site, I would at least strongly suggest also adjusting the forum links in the menu on the left side to point to the HTTPS version, no matter if the user is currently on HTTP or HTTPS.
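
The Strict-Transport-Security behaviour saga recommends above, as an added example (not code from the thread or from un4seen): a small simulation of how a browser records an HSTS policy from an HTTPS response and then rewrites later http:// links to https://. It makes visible that a policy exists only for hosts the browser has already reached over HTTPS, so a first visit over plain HTTP gets no upgrade; host names, header values and timestamps are constructed.

```python
"""Simulate a browser's handling of the Strict-Transport-Security (HSTS) header.

Added example, not code from the forum thread or from un4seen.com; all host
names, header values and timestamps below are constructed for illustration.
"""
import re
import time
from urllib.parse import urlsplit, urlunsplit

# In-memory HSTS cache: host -> (expiry timestamp, includeSubDomains flag)
_hsts_cache = {}

def remember_hsts(host, header_value, now=None):
    """Store the policy carried by a Strict-Transport-Security header.
    Browsers only honour the header on HTTPS responses, so callers must pass
    headers received over HTTPS. Returns False if the header is malformed."""
    now = time.time() if now is None else now
    m = re.search(r"max-age\s*=\s*(\d+)", header_value, re.I)
    if not m:
        return False
    max_age = int(m.group(1))
    if max_age == 0:  # max-age=0 tells the browser to forget the policy
        _hsts_cache.pop(host.lower(), None)
        return True
    include_sub = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)",
                            header_value, re.I) is not None
    _hsts_cache[host.lower()] = (now + max_age, include_sub)
    return True

def upgrade_url(url, now=None):
    """Return the https:// form of url if an unexpired cached policy covers its
    host; otherwise return url unchanged (the browser would use plain HTTP,
    which is exactly the case for a visitor who has never seen the HTTPS site)."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    labels = parts.hostname.lower().split(".")
    # Check the exact host, then each parent domain for an includeSubDomains policy
    for i in range(len(labels)):
        entry = _hsts_cache.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return urlunsplit(("https",) + tuple(parts[1:]))
    return url
```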

WingZero

  • Posts: 167
> or possibly only when using the login or registration forms.

I'm coming out of hiding just to point out that that would be useless. An attacker could just MITM the page that points to the forms so that you never get to the secure version in the first place.