Silk Road forums

Discussion => Security => Topic started by: CarlJung_Forum on December 17, 2012, 05:22 pm

Title: Privnote says "untrusted"
Post by: CarlJung_Forum on December 17, 2012, 05:22 pm
I never experienced a problem w/privnote b4 (I have 10.6.8 on Mac OS, and GHP is buggy here), but just now got a dialogue saying "Untrustworthy" certificate probs, etc. Anyone ever hear of this?

Title: Re: Privnote says "untrusted"
Post by: acider on December 17, 2012, 05:45 pm
That sounds like an SSL certificate problem. Usually it's just expired or something. You shouldn't trust privnote in the first place, that's just one more reason. Find a way to use GPG on your mac....or wait for priv to fix the problem. I suggest the first option.

Title: Re: Privnote says "untrusted"
Post by: blindmelon on December 18, 2012, 03:54 am
just ran into same problem, sent trusted vendor (though i have not communicated w/vendor for a couple months) a shipping related question encrypted, did not bother to include my pub key as i did not think the answer would be sensitive. now i got vendor reply which is a privnote link. i don't know shiite about privnote, tried the link, got the untrusted page, then came to forums, did a quick search and read a little bit and am now even more sketched out about it. didn't bother trying link again, just sent reply w/my pub key asking vendor resend reply encrypted. am i right in thinking it is a security risk for me to use the privnote link to read vendor reply, or am i just making a pest of myself to what has been a good vendor in the past? please reply if you have actual knowledge on the subject, would be happy for some education/info on this.

Title: Re: Privnote says "untrusted"
Post by: Nightcrawler on December 18, 2012, 08:55 am
The site's SSL certificate has expired. Here are the warnings I get from both Firefox and Chrome:

Firefox's Warning
==============

This Connection is Untrusted
     
You have asked Firefox to connect securely to privnote.com, but we can't
confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted
identification to prove that you are going to the right place. However,
this site's identity can't be verified.
       
What Should I Do?
         
If you usually connect to this site without problems, this error could mean
that someone is trying to impersonate the site, and you shouldn't continue.
           
       
privnote.com uses an invalid security certificate.

The certificate expired on 12/17/2012 01:17 PM. The current time is [snip]

(Error code: sec_error_expired_certificate)


Chrome's Warning
================

The site's security certificate has expired!

You attempted to reach www.privnote.com, but the server presented an expired
certificate. No information is available to indicate whether that certificate
has been compromised since its expiration. This means Google Chrome cannot
guarantee that you are communicating with www.privnote.com and not an
attacker. Your computer's clock is currently set to [date/time snipped]

Does that look right? If not, you should correct the error and refresh this
page.

You should not proceed, especially if you have never seen this warning
before for this site.

[Proceed anyway] [Back to safety]

Help me understand

When you connect to a secure website, the server hosting that site presents
your browser with something called a "certificate" to verify its identity.
This certificate contains identity information, such as the address of the
website, which is verified by a third party that your computer trusts. By
checking that the address in the certificate matches the address of the
website, it is possible to verify that you are securely communicating with
the website you intended, and not a third party (such as an attacker on your
network).

For a certificate which has not expired, the issuer of that certificate is
responsible for maintaining something called a "revocation list". If a
certificate is ever compromised, the issuer can revoke it by adding it to
the revocation list, and then this certificate will no longer be trusted by
your browser. Revocation status is not required to be maintained for expired
certificates, so while this certificate used to be valid for the website
you're visiting, at this point it is not possible to determine whether the
certificate was compromised and subsequently revoked, or whether it remains
secure. As such it is impossible to tell whether you're communicating with
the legitimate website, or whether the certificate was compromised and is
now in the possession of an attacker with whom you are communicating.

NC
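
The checks the two browser warnings above describe (validity dates and the address in the certificate), as an added example that is not part of the thread or any poster's code. The certificate dictionary is a constructed sample in the format Python's `ssl.SSLSocket.getpeercert()` returns; the host names, the `warn_days` early-warning threshold and the simplified wildcard rule are assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# Names and dates are illustrative, not the real privnote.com certificate.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
    "notBefore": "Dec 17 13:17:00 2011 GMT",
    "notAfter": "Dec 17 13:17:00 2012 GMT",
}


def _utc(cert_time):
    """Convert a getpeercert() time string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def _name_matches(pattern, hostname):
    """Exact match, or one left-most '*' label (simplified wildcard rule)."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]


def check_cert(cert, hostname, now, warn_days=14):
    """Return the problems found for this certificate (empty list = none)."""
    problems = []
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")
    elif (not_after - now).days < warn_days:
        # Operator-side early warning so the certificate is renewed in time.
        problems.append(f"expires in {(not_after - now).days} day(s)")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_name_matches(n, hostname) for n in names):
        problems.append("hostname mismatch")
    return problems


if __name__ == "__main__":
    now = datetime(2012, 12, 18, 8, 55, tzinfo=timezone.utc)
    print(check_cert(SAMPLE_CERT, "www.example.test", now))
```

An expired result only says the validity window has passed; as the Chrome text notes, it says nothing about whether the key was compromised in the meantime.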