[BBLISA] solution to web sites with incomplete SSL cert chains
Edward Ned Harvey (bblisa4)
bblisa4 at nedharvey.com
Fri Sep 18 12:43:18 EDT 2015
> From: bblisa [mailto:bblisa-bounces at bblisa.org] On Behalf Of Bill Bogstad
>
> At the most recent BBLISA meeting, there a brief discussion of
> SSL/certs. Unfortunately, I never asked about an issue that I had
> recently with Firefox and certs. It seems that
> Firefox is not happy with this site:
>
> https://help.target.com/
>
> when I check it with one of the on-line SSL checking sites, it seems
> that Target isn't providing a complete chain back to a root CA. Any
> idea how one goes about getting a web site to fix problems like this?
> I tried reporting it using a different browser and I got the typical
> "reboot your computer, reinstall, etc. etc." response.
Most likely, the problem is, it works for them and not for you.
Here's why:
Whenever you browse (in any browser) to https://foo, and it sends the cert chain down to you, your browser or OS keystore CACHES the chain for some f***ing reason. This is infuriating. It is guerrilla tactics, where one thing covers up for some other thing's shortcoming. Now you browse to https://bar which has a broken chain, BUT IT WORKS because your browser is able to construct the chain using cached certs.
I don't know where to see it in firefox, but in IE you go to Internet Options/Content/Certificates/Intermediate. The default state, pristine from the factory, is an empty list. The more you use your computer, the more stuff appears in that list. It is safe to delete the intermediates, and necessary to diagnose this type of problem.
Or just use SSLLabs. God love 'em.
More information about the bblisa
mailing list