I'm back; this time re "Sectigo"
Anyone hip to their authenticity (with a '.com' appended)???
Effect: somehow--maybe by a kid-in-basement mimicking same
--have hijacked any attempts to reach "KQED Radio- or TV- Daily Listings" ..since yesterday.

While there are no other OS X glitches anywhere else yet evident I have resisted--sans sand-box(?)--to just go there.
Google has LOTs re 'Sectigo': who appear to be vastly involved in the entire SSL-matters and alleged insecurities therein.

I'd doubt that the [actual]-site could be on a malware list ..with that-much coverage--wouldn't you? So I won't try--direct, anyway.
Am 'I' pwned or is KQED pwned--or neither {sigh}

Safari presents a Warning (going --> addy @ KQED), with a couple drill-downs: (freezes all other operations,
uncopiable, un-screen-copiable etc) as such Attention! messages would.

FIRST: "This website may be impersonating 'www.kqed[com]' to steal your personal or financial information.
You should go back to previous page." [Details] and [Go Back] == only radio-button options.

SECOND Trying [Details] Door:
more boxes featuring Red-icon with a /-thru a-lock,
"This Website Is Not Private"
... website has an expired Certificate ...
.. website misconfigured? your clock set to May 31 [Not, yesterday]

THIRD: (view Cert) Rectangle, box
[Red] Add Trust Extend CA Root
[Red] User Trust RSA Certificate Authority
[Red] Sectigo RSA Extended Validation Secure Server CA

FOURTH: www.kqed[org]
Issued by (last-line ^above^)
Sunday March 21, 2021 ... (Exp. date)
[Red-all] This certificate has an invalid issuer
>(tilted, filled triangle) [Details] == No=op, not a link.

That's it; I presume this is utterly-familiar to you boffins maybe unto a er, Solution?
Local 'Pro' I had OK'd to put on a trial-'Malwarebytes' scanner. It ran ~2min, 3X.. No Comment re (Quit unexpectedly, say, if Outsmarted)
nor ANY summary; I presume that means: No News is what you'd think, butIcouldbeRong.

Thanks for peeping.
I shoulda gone into Animal Husbandry (but ..But: Phlogiston happened), got hooked on this unbridled Curiosity stuff. :-/
Edited by Ashton June 2, 2020, 02:20:04 AM EDT
Sounds like an update is needed.
As in, Safari needs its root certificates updated (from Apple).

Sectigo are a legit certificate provider, but they are fairly recent because they used to be called Comodo.

Also KQED's website is kqed.org not .com.

Wade.
Also, thanks.
I was looking for SF/Bay Area content about the demonstrations.

Wade.
Wade is likely right + couple of things to check
The full chain is
www.kqed.org: from 03/21/2019 to 03/21/2021
Sectigo RSA Extended Validation Secure Server CA: 11/02/2018 - 12/31/2030
USERTrust RSA Certification Authority: 02/01/2010 - 01/18/2038

Check the Mac's keystore for those last two. It is possible to locally mark certificates as untrusted, so check for that as well.

The few times I tried, I've found Safari upgrades to be tied to OS upgrades. Unless Apple recently changed its mind, you may have to install missing certs manually.
Going there:
Keychain Access.app invoked; options:
All Items
Passwords
Secure Notes
My Certificates
Keys
Certificates ... [pity: no bloody Cut/Paste, just stone-knives. bearskins to re-write]

[All Items] 17 items (incl "CUPS Self-Signed Certificate", as 'private key': more below on That] no mention of 'Sectigo'
Also: https://talkingpointsmemo.com/edblog/surveying-the-whirlwind AS: c-73-158-167-161.hsd1.ca.comcast.net

Thence root-login and display of that last "c-73-i58 item ... gets new window:

Icon says: [Certificate; below that: Root] Its bolded header IS ""c-73-i58 item" and last line of Intro sez, This root certificate is not trusted [in Red]
It seems that I can delete this entry.. maybe should but await Instruction. Presumably the other 16 items will continue to operate unremarkably.

If I focus on mentioned CUPS line, Rt-click gets {Sigh} more options:
Copy, Paste, Delete
Export
Get info
Create a Cert w/Cups ditto
Request a Certificate From a Certificate Authority w/ditto-name
Create a Certificate Authority With w/ditto-name

{Particle accelerators are more complex but sans boring, endless drill-downs of arbitrary /opaque intent :-/

Sorry if this is too-much; sorrier if it's not-Enough, eh? n-Thanks for sharing the Excitement of RED-things appearing.
Is it likely that simply Deleting that reddish-LINE can undo the Evil black-listing of kqed?
I'm All Ears, (Ah feels the Power of ... Admin-for ..a couple hours) ;^>

Repeat: Sectigo appears nowhere atop/within any of these texts.
Checking 'Spotlite', for giggles: Nope, That doesn't find any iteration save the obvious refs re this Query,

Over /Out ... need some Southrun Comfort in the coffee, lest lapsing into a crazed .. ...rm -r hda0
Don't nuke the CUPS certificate
CUPS is Apple's print server setup. It is essentially a tangled set of web services and these days, encryption is enabled by default. Kill the cert and your printer may stop talking to you.

Self-signed means the cert isn't trusted beyond the local computer. That is fine for the use CUPS puts it to.

c-73-158-167-161.hsd1.ca.comcast.net is the Comcast hostname for a residential (dynamic) IP address (73.158.167.161). I can't say why Apple would have it in the keychain but if Comcast is your ISP, then it could be your cable modem.

TPM draws a "Connection not secure" error because the protected page contains unprotected links. That complaint is genuine, it is not due to a certificate problem.

If all else fails and the problem persists, you can manually download and install the cert chain from Sectigo (although, based on your adventures further down, you may have to override Safari's error dialogs.)
Edited by scoenye June 1, 2020, 10:48:51 PM EDT
Gracias..
Discovered *CUPS back in the Knoppix days, should have recalled that (guess I imagined that, if nuked, it would re-create-self on a reboot). Part-2: but not if it calls the same cert from same place. Duh.
* even managed to make it er, Print {pats ego mildly}.

In any event -- I didn't. :)

As to Box's confirmation of similar conflagration, surely we'll hear soon (?) if this was Vlad-the-Impaler or similar.
Don't care lots about the silly-level inconvenience; next: is someone fabricating an App, should this fix need a bit of individual action by multitudes..

Appreciate the brain-work, again.
Here's a page that might help, if you can get there.
https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates?retURL=%2Fapex%2FCom_KnowledgeWeb2Casepagesectigo&popup=false

Note: Few legacy systems, that no longer receive any updates from their vendor, may not trust our SHA-2 Certificates. To enable them to trust our SHA-2 Certificates, we recommend our customers to include the Cross Signed Certificate into the Server Certificate chain. This will enable those legacy systems to trust our SHA-2 Certificates.


Good luck.

Cheers,
Scott.
Hm: gives important also-too CLUE! (Can't Go-->There, either)
Trying your link gets the SAME-as-'kqed ...' [Read your post after the what-I-See post.]

This Connection Is Not Private

Hope that's a Boolean *Ding *Ding
Dunno if Server Certificate chain is an aspect of the Keychain? (yet)
Clearly from present FULL_Stop I couldn't peep the dread Sectigo universa at all.

Thanks for the tip! ..now Doubly!!
Something happened with SSL certs yesterday
I started seeing several of our servers' external SSL requests fail due to certificate errors.
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
Thanks.. helps out, 'the Loneliness of the Long-distance tyro-Debugger .. a bit :-)
major cert trust domain issue yesterday
seems like no one could recognize the root store as a valid signer regardless of issuer
"Science is the belief in the ignorance of the experts" – Richard Feynman
CRL lookup service blowout? The only thing I can think of that would cause widespread mayhem.
Heh.. that moniker sent moi --> Belgium and a ∆ re (my) access to Sectigo.
Query got link there, http://ocsp.eid.belgium.be, displayed
"Welcome to Verizon OGCM OCSP responder",

That was all, on blank page; a Test kinda thing? (and if my query were bogus, might have said something else??)
BUT! that link got me to: Sectigo! and atop their addy was:
Any Sectigo certificate user needing help due to the recent ADDTrust legacy root expiration should contact Sectigo support.

THIS was that link:
https://sectigo.com/campaign/enterprise-smime-whitepaper?utm_term=%2Bsecurity%20%2Bcertificate&utm_campaign=Sectigo+Enterprise_Secure+Email+Certificates_US+%26+Canada&utm_source=adwords&utm_medium=ppc&hsa_acc=6918550654&hsa_cam=1669010629&hsa_grp=71527348455&hsa_ad=408476097250&hsa_src=g&hsa_tgt=kwd-302057101089&hsa_kw=%2Bsecurity%20%2Bcertificate&hsa_mt=b&hsa_net=adwords&hsa_ver=3&gclid=EAIaIQobChMIueTJ3pTi6QIVgD2tBh3LKgqNEAMYAiAAEgJi6PD_BwE

(I left the post-? stuff there, in event it is revelatory.)
But now: trying just the basic addy: WORKS! por moi; guess the ∑-boffins are In Conference.

f.w.i.w.
That is what is going on
https://www.theregister.com/2020/06/02/sectigo_root_cert_expires/
On Saturday, at 10:48 UTC, Sectigo's AddTrust legacy root certificate expired, causing a bit of weekend havoc for thousands of websites and services that rely on it for making a secure TLS/SSL connection.


My browser is fairly up-to-date so it used the new chain. You'll have go the manual install route if Apple doesn't issue a root cert update for the older Safaris.
Excellent--Lots of peripheral info there too; Bonus.
Still going on.
We're seeing problems with servers at clients and several major providers including Amazon, multiple issues including DigiCert and GlobalSign. Weird intermittent stuff like only one or a few servers in a pool are misconfigured, such as lambda or S3 requests failing 1 out of 50 times (or 50 times in a row over a very brief period only).

Spent most of the day tracking down issues.
Regards,
-scott
we use a gummint cert internal to ourselves
we have a rash of issues where the root cert is not recognized. Assuming the trust check is broken in browsers/apps. Or hacked
We didn't have browser issues
But servers were having issues verifying other servers' certs.

Some of it was misconfiguration that was thrust into the light by whatever else is going on.

I'm still not sure how to fix things other than to put retries into our code where possible.
Regards,
-scott
Sectigo's SHA-1 root + intermediate certs expired.
The fix will be messy as the root cert lists for the OS and each application/service that brings its own will need updating.
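As an added illustration (not code from the thread, from Sectigo or from any browser vendor), here is the difference between the client that "used the new chain" in the post above and the clients that broke when the legacy root expired, modelled with constructed stand-ins for the certificates whose chain is listed further up. The Cert class, the name-only chaining (no signature checks) and both verifier functions are the example's own simplifications; the dates are the ones posted in the thread plus the AddTrust expiry time from The Register article.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:  # minimal X.509 stand-in: names and validity only, no signatures
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    def in_date(self, now): return self.not_before <= now <= self.not_after

def utc(*p): return datetime(*p, tzinfo=timezone.utc)

# Constructed stand-ins named after the certs in the thread; dates are the ones
# posted above plus the AddTrust expiry from The Register (2020-05-30 10:48 UTC).
LEAF = Cert("www.kqed.org", "Sectigo RSA Extended Validation Secure Server CA",
            utc(2019, 3, 21), utc(2021, 3, 21))
SECTIGO_EV = Cert("Sectigo RSA Extended Validation Secure Server CA",
                  "USERTrust RSA Certification Authority", utc(2018, 11, 2), utc(2030, 12, 31))
USERTRUST_ROOT = Cert("USERTrust RSA Certification Authority",
                      "USERTrust RSA Certification Authority", utc(2010, 2, 1), utc(2038, 1, 18))
USERTRUST_CROSS = Cert("USERTrust RSA Certification Authority",  # cross-signed by AddTrust
                       "AddTrust External CA Root", utc(2010, 2, 1), utc(2020, 5, 30, 10, 48))
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root",
                     utc(2000, 5, 30), utc(2020, 5, 30, 10, 48))
# A server configured for legacy clients sends the cross-signed USERTrust cert too.
SERVER_CHAIN = [LEAF, SECTIGO_EV, USERTRUST_CROSS]

def build_path(chain, trust_store, now):
    """Prefer an in-date local anchor at each step, else follow a presented cert; return path or None."""
    def walk(path):
        cur = path[-1]
        if not cur.in_date(now): return None
        for anchor in trust_store:
            if anchor.subject == cur.issuer and anchor.in_date(now):
                return path + [anchor]
        for cand in chain:
            if cand.subject == cur.issuer and cand not in path:
                found = walk(path + [cand])
                if found: return found
        return None
    return walk([chain[0]])

def verify_as_presented(chain, trust_store, now):
    """Verifier that never substitutes: every presented cert must be in date and
    chain by name, and the last one's issuer must be an in-date local anchor."""
    ok_dates = all(c.in_date(now) for c in chain)
    ok_names = all(chain[i].issuer == chain[i + 1].subject for i in range(len(chain) - 1))
    return ok_dates and ok_names and any(
        a.subject == chain[-1].issuer and a.in_date(now) for a in trust_store)
```

With an updated store containing the USERTrust root, build_path stops there and never looks at the expired cross-signed cert, whereas verify_as_presented fails after the expiry no matter what the store holds, which is why updating the root list alone did not rescue every client.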
I don't think that's all that happened.
The server certs we're having issues with are GlobalSign and DigiCert, not Sectigo, and the problems are intermittent.

The client OS in question has updated certs and is on OpenSSL 1.1.1.

I manually removed the AddTrust certs but that didn't help either.
Regards,
-scott
Teapot; Tempest-in: Thanks all! stuff works. The post-mortem amusement awaits..