Server Certificates (Invalid, Revoked, Untrusted)

LosInvalidos
LosInvalidos
Community Member
edited May 2011 in 1Password 3 – 7 for Mac
Chrome issue unrelated to 1Password
Hi Folks,

I don't know what's going wrong with this page. When I try to log into www.tagesschau.de with 1P and Firefox everything is fine. When I try the same using chromium I get some strange results.

Comments

  • khad
    khad
    1Password Alumni
    edited May 2011
    An invalid server certificate is unrelated to 1Password. Chrome handles these differently than other browsers.

    I would love to take a look at the login form and see if there is anything 1Password is doing incorrectly, though. Unfortunately, I was unable to find a login form anywhere on http://www.tagesschau.de/

    Could you please help me find the login form?

    Thanks!

    UPDATE: Using the URL in your screenshot, I was able to find a login form at http://meta.tagesschau.de/ Could that be where you are trying to log in? If so, 1Password seems to be saving and filling the form properly. However, I was presented with a certificate warning:

    The site's security certificate is not trusted!

    You attempted to reach meta.tagesschau.de, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications. You should not proceed, especially if you have never seen this warning before for this site.


    20110601-cx6pqau7yx95mym46k42kwjydu.png

    Clicking the "Help me understand" link provides more detail:

    When you connect to a secure website, the server hosting that site presents your browser with something called a "certificate" to verify its identity. This certificate contains identity information, such as the address of the website, which is verified by a third party that your computer trusts. By checking that the address in the certificate matches the address of the website, it is possible to verify that you are securely communicating with the website you intended, and not a third party (such as an attacker on your network).

    In this case, the certificate has not been verified by a third party that your computer trusts. Anyone can create a certificate claiming to be whatever website they choose, which is why it must be verified by a trusted third party. Without that verification, the identity information in the certificate is meaningless. It is therefore not possible to verify that you are communicating with meta.tagesschau.de instead of an attacker who generated his own certificate claiming to be meta.tagesschau.de. You should not proceed past this point.

    If, however, you work in an organization that generates its own certificates, and you are trying to connect to an internal website of that organization using such a certificate, you may be able to solve this problem securely. You can import your organization's root certificate as a "root certificate", and then certificates issued or verified by your organization will be trusted and you will not see this error next time you try to connect to an internal website. Contact your organization's help staff for assistance in adding a new root certificate to your computer.


    Clicking "Proceed Anyway" should log you in just fine. However, the screen shot you posted does not appear to include such a button. I cannot begin to speculate why that would be. Perhaps it is a "security feature" in the particular build you are using or related to this bug. Unfortunately, it is not related to 1Password, so there isn't much we can do about it. :-(

    I'm sorry I don't have a better answer.
  • khad
    khad
    1Password Alumni
    Aaaaand one more update: for some reason you are seeing an "invalid certificate" error while I am only receiving the less severe "untrusted certificate" error. "Invalid" and "revoked" certificates are blocked in Chrome as far as I know. There is no "Proceed Anyway" button in that case. I am not sure why there is a discrepancy between your experience and my own other than we are using two different URLs. (I was only guessing at the one you were using.)
  • LosInvalidos
    LosInvalidos
    Community Member
    Damn. Sounds like this won't get solved. Surely Chromium related. Just wonder why Firefox has no issues. Different handling of certificates I guess. And why do websites use certificates instead of "normal" log-ins? Also I have no idea how our browser differ. I'm using the latest chromium nightly.

    Hm. I subscribed to the chromium issue and added my input. Let's see how this develops.

  • Damn. Sounds like this won't get solved. Surely Chromium related. Just wonder why Firefox has no issues. Different handling of certificates I guess. And why do websites use certificates instead of "normal" log-ins? Also I have no idea how our browser differ. I'm using the latest chromium nightly.

    Hm. I subscribed to the chromium issue and added my input. Let's see how this develops.


    Certificates are what encrypt the exchange between your computer and the web server. They are ubiquitous and critical for that reason. If a certificate is invalid it could (but doesn't necessarily) indicate a phishing or other attack. If a website were to ask you to login but they didn't have a certificate, all of your information would be sent in clear text. Anyone sitting between them and you could read all of the information sent and received, including passwords.

    You can read more about certificates and SSL here:
    http://en.wikipedia.org/wiki/Secure_Sockets_Layer
  • LosInvalidos
    LosInvalidos
    Community Member
    edited July 2011
    Hi all,

    I'm replying to this topic because it's the http://meta.tagesschau.de site that's still causing trouble.

    What I can do
    * go to http://meta.tagesschau.de/
    * copy & paste my log-in credentials
    * hit "Anmelden"
    * all is great

    Site is showing that I'm not ussing https though (see above in this thread, I guess? and also see screenshot.

    What I can't do
    * go to http://meta.tagesschau.de/
    * hit my 1P shortcut
    * then the log-in gets filled (not transmitted, I disabled auto-log-in for this, to better see at which point what fails)
    * log-in looks ok and I manually hit "Anmelden"
    * FAIL: log-in fails. I am NOT logged into the site. But presented with the following message:

    Chrome issues
    The issue khad posted a link to ( http://code.google.com/p/chromium/issues/detail?id=41890 ) has been marked duplicate of the following issue: http://code.google.com/p/chromium/issues/detail?id=41730

    And the latter one has been fixed. So maybe that's why now I can log-in? And maybe 1Password can be fixed to work with this as well?

    regards
  • LosInvalidos
    LosInvalidos
    Community Member
    brenty wrote:

    1. Enter your username and password, but DO NOT submit the form.
    2. Click the 1Password button in your browser's toolbar, and click Save New Login.
    3. Choose a name for the Login item.
    4. Click the Save button.

    Please let me know if this helps. :)


    Does not work as advised using latest Chromium. If I click the 1P Button I indeed see the option to "Save new Login", but when I click that, the window disappears and nothing happens no further questions about if I want to replace an existing login ect. and nothing is saved.
  • LosInvalidos
    LosInvalidos
    Community Member
    edited July 2011
    brenty wrote:

    Hello again!

    Unfortunately, that is the best we can do, since we can't support beta or dev channels -- they are simply too volatile. If it is just not cooperating, I suggest you stick with the stable channel. Eventually they will get the kinks ironed out and the shiny new stuff will stabilize. :)

    Give me a couple of minutes, I'll try the stable... What I described still applies. Now what? I can't save that as a new login from within chromium.

    Should Chromium 12.0.742.100 work? It's obviously a general bug or what? The behavior with stable and latest is identical in this case.
  • LosInvalidos
    LosInvalidos
    Community Member
    brenty wrote:

    Hmm I am not sure what is going on here. 12.0.742.112 here, but that should not matter. It is probably updating in the background as we speak.

    Please check the version number of the 1Password extension under Window > Extensions. Mine is [font=Helvetica, sans-serif]3.6.3.30953, which is, I believe, the version included in the 3.6.1 release of 1Password. What versions of OS X and 1Password are you using? It may help if you reinstall the extension itself.[/font]

    1P 3.6.1
    Chromium 12.0.742.100 (88853)
    Extension: 1Password Beta - Version: 3.6.4.30955
    now I reinstalled the extension and have 1Password - Version: 3.6.3.30953

    But the behavior has not changed.

    So it's working for you? Not good.
  • LosInvalidos
    LosInvalidos
    Community Member
    edited July 2011
    I don't think that will help. Since if you see above I already *did* reinstall the chrome extension. I'm still on SL. I can do a restart although I doubt that that's the problem, will do anyway.

    Well could you setup an account for test purposes? Since those red things are what I see when I login using 1P. And that's the initial problem leading to this discussion, right?


    Let me restart and give it another shot. I might even try setting up a new account, but how do I do that, if I can't save a login?
  • LosInvalidos
    LosInvalidos
    Community Member
    WOOT: Good news. A restart indeed did help. Which is great, because now I can further test, if the login works as well and bad, because I feel like I'm back to windows. Restarts on mac seem to become necessary more and more often.

    YES! Problem solved. Hm, I'm tempted, to go back to latest and see if I can now login properly. Might report back for that.

    Other than that: THANK YOU for your help. And I'm very happy it's now working. If you look at the date of the first post: this site has been nagging me for quite a while.
This discussion has been closed.