I had been doing some tests with “real” certificates, so I used Comodo's free 90-day SSL certificate offer. I put some TLSA records in the DNS for nohats.ca, and this allowed me to test the Firefox plugin I was testing, which deals with CA-backed and DNSSEC-backed certificates.
Of course, the SSL certificate then expired, and I did not want to pay $99 to renew it. So I replaced it with a self-signed certificate and updated the TLSA record.
Then neither Firefox nor Chrome would connect to my website. They both threw an error about the certificate being invalid, and they both refused to give me the override option. They knew better than me. This is exactly what you get when the publisher of the certificate is not in control of telling you whether the new certificate is valid. If these browsers had confirmed via DNS and DNSSEC that this is in fact the new, real certificate, they would not have had to block my access (or withhold the override option from me).
The way to fix this is to delete all the browser history. Then it will have forgotten the pinned certificate and will ask you again with the familiar “untrusted, do you want to continue anyway” dialog. It took me about 10 minutes to figure out how to do this. There go your website visitors. Both Chrome and Firefox behaved this way.
Expect many such false positives when you are dealing with certificate pinning, such as TACK.
Ironically, many of you will have to do exactly this, before you can read this blog entry. How long did it take you?
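The TLSA records mentioned above are DANE records (RFC 6698): the publisher puts a hash of its certificate, or of just its public key, under _443._tcp.<name> in a DNSSEC-signed zone, and a DANE-aware client checks the certificate the server presents against that record instead of relying on a CA or on whatever it pinned last time. What follows is an added example, not code from this post or from the Firefox plugin it mentions, showing how a publisher builds such a record and how a client checks a presented certificate against it, including how the certificate swap described in the post plays out: with selector 1 (SubjectPublicKeyInfo) a re-issued certificate for the same key still matches, with selector 0 (full certificate) every re-issue needs a zone update, and a brand-new key matches only after the TLSA record is updated. The certificate bytes are a constructed DER structure with the field layout of an X.509 certificate, not a real certificate; the zone name nohats.ca and port 443 are taken from the post.

```python
"""DANE TLSA (RFC 6698): build a record from a certificate and check a presented
certificate against it.  Added example, not code from the original post or from
the Firefox plugin it mentions; standard library only.  fake_cert() emits a
constructed stand-in with the field layout of X.509, not a real certificate."""
import hashlib

DIGEST = {1: hashlib.sha256, 2: hashlib.sha512}   # matching types (0 = raw data)

def der_tlv(data, offset=0):
    """Parse one DER tag-length-value at offset -> (tag, value, end_offset)."""
    tag, length = data[offset], data[offset + 1]
    offset += 2
    if length & 0x80:                        # long form: low bits = byte count
        nbytes = length & 0x7F
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    return tag, data[offset:offset + length], offset + length

def der_children(value):
    """Yield (tag, value, raw_tlv) for each element of a SEQUENCE body."""
    off = 0
    while off < len(value):
        tag, val, end = der_tlv(value, off)
        yield tag, val, value[off:end]
        off = end

def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo of a certificate (what selector 1 hashes)."""
    _, cert_body, _ = der_tlv(cert_der)      # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert_body)           # tbsCertificate SEQUENCE
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]

def association_data(cert_der, selector, matching):
    """Hex certificate association data for a selector / matching type pair."""
    if selector == 0:
        data = cert_der                      # whole certificate
    elif selector == 1:
        data = extract_spki(cert_der)        # public key only
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching == 0:
        return data.hex()
    return DIGEST[matching](data).hexdigest()

def tlsa_rdata(cert_der, usage=3, selector=1, matching=1):
    """RDATA text; usage 3 (DANE-EE) vouches for the end-entity cert directly."""
    return f"{usage} {selector} {matching} {association_data(cert_der, selector, matching)}"

def tlsa_record(name, port, cert_der, **kw):
    """Zone-file line for a TLS service on name:port over TCP."""
    return f"_{port}._tcp.{name}. IN TLSA {tlsa_rdata(cert_der, **kw)}"

def tlsa_matches(cert_der, rdata):
    """Client side: does the presented certificate satisfy this TLSA RDATA?"""
    _usage, selector, matching, assoc = rdata.split()
    return association_data(cert_der, int(selector), int(matching)) == assoc.lower()

# ---- constructed test data, not a real certificate -------------------------
def der(tag, content):
    """Minimal DER encoder used only to build the stand-in certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))        # rsaEncryption
SHA256_RSA = der(0x06, bytes.fromhex("2a864886f70d01010b"))     # sha256WithRSA

def fake_cert(pubkey, serial):
    """X.509-shaped blob: real field order, made-up contents, bogus signature."""
    spki = der(0x30, der(0x30, RSA_OID + der(0x05, b"")) + der(0x03, b"\x00" + pubkey))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                  # version v3
              + der(0x02, bytes([serial]))                         # serialNumber
              + der(0x30, SHA256_RSA)                              # signature alg
              + der(0x30, b"")                                     # issuer (empty)
              + der(0x30, der(0x17, b"120101000000Z") + der(0x17, b"120401000000Z"))
              + der(0x30, b"")                                     # subject (empty)
              + spki)
    return der(0x30, tbs + der(0x30, SHA256_RSA) + der(0x03, b"\x00" * 9))

if __name__ == "__main__":
    old = fake_cert(b"\x01" * 32, serial=1)        # the expiring certificate
    renewed = fake_cert(b"\x01" * 32, serial=2)    # re-issued for the same key
    new_key = fake_cert(b"\x02" * 32, serial=3)    # replaced with a new key
    published = tlsa_rdata(old)                    # what the zone says today
    print(tlsa_record("nohats.ca", 443, old))
    print("same key, reissued, selector 1:", tlsa_matches(renewed, published))
    print("same key, reissued, selector 0:", tlsa_matches(renewed, tlsa_rdata(old, selector=0)))
    print("new key vs stale record:       ", tlsa_matches(new_key, published))
    print("new key after zone update:     ", tlsa_matches(new_key, tlsa_rdata(new_key)))
```

For a real site, feed `ssl.PEM_cert_to_DER_cert(pem_text)` from the standard library to `tlsa_record` and compare the output with `dig +dnssec TLSA _443._tcp.nohats.ca`. Two caveats the code above does not cover: a client must only honour a TLSA RRset whose DNSSEC signatures validate, otherwise an attacker who controls the DNS path can publish a record for their own certificate; and a "3 1 1" record (DANE-EE, SPKI, SHA-256) is the usual choice precisely because it survives a routine re-issue for the same key, while a key change of the kind described in the post still requires publishing the new record, ideally alongside the old one, before the certificate is swapped.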
On an IE9 instance that I’d previously visited your blog-o-blag from, I just got the standard “eww self-signed” warning.
And yes, you can point and laugh at me for using IE :)
It just meant you had not visited this site before two days ago, when the other SSL cert was here. Or that IE does not do pinning.
I did not do exactly that – I just started a different browser (Safari) that I had not used to visit your site before. Takes about 3 seconds. Of course, in my Chrome your site is still inaccessible, for now.
Alternatively, I could read the post just fine in Google Reader – except for the flattr badge :)
Sounds like an implementation issue, or possibly one of usability.
Also, had no problem reading this, am using http:// :)
My point is that the implementation issue is a design flaw. The publisher of a certificate should be the entity to confirm its validity, as only they will have up-to-date information. We got confused by Certificate Agencies vouching for us, and became accepting of this mediator. Now people want to add a self-service option to that with pinning, which puts the decision on whether a certificate is valid or not on the viewer (or a collective of viewers), who can and will be wrong. The entity to ask is the publisher of the certificate, and the most up-to-date place to ask is where you also asked where the site was to begin with: in DNS(SEC).
I was unable to access your site in Chrome, but in Firefox I was able to choose “I understand the risks” which I’ve had to do often (especially since I never permanently store the exception).
Isn’t DNSSEC supposed to fix this? I have to admit I have not yet done enough research on DNSSEC to understand it yet.
Luckily Firefox let me in. Chrome did not.
I use StartSSL for all my free certificates that I want to have widespread support for. I don’t think people personally care much whether you have a “Class 1” or “Class 2” or whatever certificate. They just want them validated without error.