TLS mechanism

I’m still finding it impossible to get secure connection to the site with Safari and Firefox. Advice from Firefox info is

Some websites try using out-dated (no longer secure) TLS mechanisms in an attempt to secure your connection. Firefox protects you by preventing navigation to such sites if there is a problem in securely establishing a connection. When this happens, you will see an error page with the option to report the error to Mozilla.

If you experience this problem, contact the owners of the website and ask them to update their TLS version to a version that is still current and still secure.

Can you tell me whether this could have any bearing on the problem I’m having? So far I have not encountered another site where I have this trouble.

Thanks.

For me, on both Chrome and Firefox OGS uses TLS 1.2 on all connections, AES_128_GCM and ECDHE_ECDSA for most, which is for all practical purposes the least outdated and most secure there is. The only potential improvements are enabling HSTS and certificate pinning, maybe going P-521 and AES 256 (though the current P-256/AES 128 is already unbreakable) or using a quantum resistant key exchange scheme.

Could you go into the developer tools to check what cipher you’re getting? In Firefox, you should be able to find it in Network > (Click on a request) > Security.

Also, which version of OSX are you using?

OSX 10.9.5, Firefox 51.0.1 uptodate as of now.

Entered various site URLs:

https:// online-go.com, online-go.com/, w-ww.online-go.com, w-ww.online-go.com/ get:
Secure Connection Failed: The connection to online-go.com was interrupted while the page was loading. The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Cleared everything, start fresh. Open new window, clicked Tools, Web Developer, Network and then enter h-ttps://online-go.com

I see one line with a GET and grey padlock with red slash. That’s all. Nothing I can find anywhere about encryption. Where am I supposed to be looking for this?

There’s an ( i ) icon in the address field that gives page info. It says the Connection is not secure, This website does not supply ownership information, and Connection not encrypted, website does not support encryption for the page.

For comparison I loaded h-ttps://www.dragongoserver.net

Compare the screenshots of the two Page Info windows:

When I load OGS, Console shows:
2/26/17 12:23:20.601 AM Console[15133]: Marker - Feb 26, 2017, 12:23:20 AM
2/26/17 12:23:30.388 AM com.avast.proxy[283]: SecTrustEvaluate(): online-go.com: 7
2/26/17 12:23:30.391 AM com.avast.proxy[283]: SSL_accept(): Broken pipe

When I load DGS, Console shows:
2/26/17 12:25:24.706 AM Console[15133]: Marker - Feb 26, 2017, 12:25:24 AM
----nothing logged—

I disabled Avast Online Security (Browser Security and Web Reputation Plugin) in Safari Preferences. Still get same message in Console when I load in Firefox. Uninstalled the Extension. I still get the same problem and still get the same Console log about com.avast.proxy. Maybe I need to relaunch Safari or restart. Quit. Activity Monitor shows com.avast.proxy in the process list under Root and inactive. Launch Safari and it springs to life. I have no idea what it does, maybe it’s part of the AV and not that extension.

Avast also delivered an update and there was a problem with it generating false positives; that has been fixed.

Possibilities: You understand something and provide more guidance. Cleaning out some stuff like caches, saved app. states and Restarting. Reinstall Avast.

In Firefox, if you click on the line that says GET, there should be a panel that pops up on the right, with a tab named security.

There is a setting in Avast called https scanning or something like that, try switching that misfeature off.

You might think that…

Ok. Try the response tab then.

I think that is about a different product, possibly a Windows or paid version. I have a free for Mac version. I can disable the Web Shield. If I do, then the page loads. Here’s what we get:

Now I’m re-enabling it!!

After re-enabling Web Shield I went through the hoops again. When the GET line is selected, there is nothing under the Response tab. Mostly there is nothing much to be seen period.

I decided to try Safari with the Web Shield disabled. Hypothesis being that it will work. It still doesn’t work. Here’s what comes up.

Yeah, I’ve had problems with that setting in free Windows version which was breaking my mail by trying to insert its own certificate between me and the server. I can’t say anything about Mac version, although it’s pretty obvious from your DGS shot that Avast is doing its Man-in-the-middle thing there as well.

I checked your screenshots again and it appears your version of Avast does support HTTPS scanning. Looking carefully at the second picture in post 3, under “Verified by”, shows that it’s signed by the Avast root certificate: Compare with when Web Shield is off.

According to the instructions here, you can turn off HTTPS scanning by going to Settings > Components > Web Shield / Customise > Main Settings > Uncheck “Enable HTTPS Scanning”.

It also appears your system doesn’t trust the OGS certificate. How to remedy that I’m not sure, but you might try adding the certificate to your trusted store.
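The two checks discussed in this thread, the negotiated protocol and cipher (the TLS 1.2 / AES_128_GCM / ECDHE_ECDSA point made earlier) and whether the certificate is signed by the expected public CA or by a local scanning proxy's own root (the "Verified by" observation above), can be automated. The script below is an added example and not code from the thread or from OGS; it uses only the Python standard library, the `expected_issuer_org` value and the sample certificate dict are constructed placeholders, and the hostname default is only what the thread is about.

```python
import socket
import ssl


def rdn_to_dict(name):
    """Flatten the nested RDN tuples that ssl.getpeercert() uses into a flat dict."""
    flat = {}
    for rdn in name:
        for key, value in rdn:
            flat[key] = value
    return flat


def analyze_connection(version, cipher, cert, expected_issuer_org=None):
    """Return a list of findings for a negotiated TLS session.

    version: the string SSLSocket.version() returns, e.g. 'TLSv1.2'
    cipher:  the (name, protocol, bits) tuple from SSLSocket.cipher()
    cert:    the dict from SSLSocket.getpeercert()
    expected_issuer_org: issuer organisation the site's certificate should
        carry (an assumption the caller supplies, looked up once from a
        machine without any interception software installed)
    """
    findings = []

    # 1. Protocol: SSLv3, TLS 1.0 and 1.1 are what Firefox's warning calls out-dated.
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"outdated protocol negotiated: {version}")

    name, _proto, bits = cipher
    # 2. Forward secrecy: every TLS 1.3 suite uses an ephemeral key exchange;
    #    under TLS 1.2 the suite name must carry an (EC)DHE component.
    if version != "TLSv1.3" and "DHE" not in name:
        findings.append(f"no forward secrecy: {name}")
    if bits < 128:
        findings.append(f"weak cipher strength: {bits} bits")

    # 3. Issuer: a local HTTPS-scanning proxy re-signs the server certificate
    #    with its own root, so the issuer is no longer the public CA you expect.
    issuer = rdn_to_dict(cert.get("issuer", ()))
    org = issuer.get("organizationName", "<unknown>")
    if expected_issuer_org and org != expected_issuer_org:
        findings.append(
            f"certificate issued by '{org}', not '{expected_issuer_org}': "
            "possible local interception (e.g. antivirus HTTPS scanning)")
    return findings


def inspect_tls(host, port=443, timeout=5.0, expected_issuer_org=None):
    """Connect to host, verify the chain against the OS trust store and return
    (version, cipher, cert, findings). A verification failure (the
    'certificate is invalid' case Safari reports) is returned as a finding."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                version, cipher, cert = tls.version(), tls.cipher(), tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return None, None, None, [f"chain verification failed: {exc.verify_message}"]
    return version, cipher, cert, analyze_connection(version, cipher, cert, expected_issuer_org)


# Constructed sample of what getpeercert() returns when a scanning proxy sits
# in the path (the issuer names are placeholders, not any real CA).
SAMPLE_INTERCEPTED_CERT = {
    "subject": ((("commonName", "online-go.com"),),),
    "issuer": ((("organizationName", "Example Local Proxy Root"),),
               (("commonName", "Example Local Proxy Root CA"),)),
    "subjectAltName": (("DNS", "online-go.com"), ("DNS", "www.online-go.com")),
}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "online-go.com"
    version, cipher, cert, findings = inspect_tls(host)
    print("protocol:", version)
    print("cipher:  ", cipher)
    if cert:
        print("issuer:  ", rdn_to_dict(cert["issuer"]))
    print("findings:", findings or "none")
```

Run it twice, once with the scanning feature on and once with it off, and compare the `issuer` line: if the organisation changes between the two runs, the first connection was being re-signed locally rather than authenticated end to end.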

I think the reason I get a problem with Safari and Firefox is that the Avast product will be installed in Safari, Firefox and Chrome. I don’t have Chrome. I don’t have problem with Vivaldi and Opera.

I purged all things Avast and reinstalled it. No change.

Please see Conditions at the bottom of the page you linked, you’re looking at a product for Windows. The download is avast_free_antivirus_setup_online_cnet2.exe. The product for Mac is obtained here https://www.avast.com/free-mac-security and comes as a .dmg.

Below is the preferences window for the Mac Web Shield. I can disable the whole thing or change one of those selections but that applies to everything so is not good security. I can enter an exception but that is like leaving the front door unlocked, might as well take the door off the hinges.

Later I could look at the DGS certificate, maybe that will reveal something.

That “Scan secured connections” thing looks to me exactly like https scanning. You can try either adding OGS to the exception list or disabling https scanning altogether. I’d recommend the latter. 🙂


Sorry, but I don’t get it. Why “disable https scanning altogether”? I’m not even sure what is getting scanned for what.

I wondered if there was some selection in the certificate that needed to be set differently. I don’t understand this. OSX Help provides

Because intercepting https traffic locally is not a good idea in general. While it is supposed to improve your security, it doesn’t work all that well in practice, breaking things in dangerous ways and introducing vulnerabilities where there were none.


I am trying disabling the Scan Secure Connections.

Safari continues to inform me certificate is invalid. Allows me to Continue to the site. This is not an improvement. I get an empty window. With the Web Inspector turned on, I had to click forward to advance through an initial pause. Then a red flag led me to the following errors which must be why Safari objects to the site/certificate. This was not happening before the recent OGS update so why are these errors happening now? The imrworldwide cookie still gets dropped (noted in Firefox screenshot). OGS cookie is named _cfduid.

[Error] Failed to load resource: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “cdn.online-go.com” which could put your confidential information at risk. (ogs.5.0-460-g84469f9.js, line 0)
[Error] Failed to load resource: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “cdn.online-go.com” which could put your confidential information at risk. (en.166819b36059f267dd93fc6dec84c9ad.js, line 0)
[Error] Failed to load resource: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “cdn.online-go.com” which could put your confidential information at risk. (OGSScoreEstimator.5.0-460-g84469f9.js, line 0)
[Error] Failed to load resource: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “cdn.online-go.com” which could put your confidential information at risk. (ogs.5.0-460-g84469f9.css, line 0)

Firefox works. The Dev Tools reveals that one of the first things that happens is a spyware cookie gets dropped. (Spyware according to what I see when I look up imrworldwide). Can OGS get rid of that?