Server Certificates (Invalid, Revoked, Untrusted)

LosInvalidosLosInvalidos Junior Member
edited May 2011 in 1Password 3 – 6 for Mac
Chrome issue unrelated to 1Password
Hi Folks,

I don't know what's going wrong with this page. When I try to log into www.tagesschau.de with 1P and Firefox everything is fine. When I try the same using chromium I get some strange results.

Comments

  • khadkhad Social Choreographer

    Team Member
    edited May 2011
    An invalid server certificate is unrelated to 1Password. Chrome handles these differently than other browsers.

    I would love to take a look at the login form and see if there is anything 1Password is doing incorrectly, though. Unfortunately, I was unable to find a login form anywhere on http://www.tagesschau.de/

    Could you please help me find the login form?

    Thanks!

    UPDATE: Using the URL in your screenshot, I was able to find a login form at http://meta.tagesschau.de/ Could that be where you are trying to log in? If so, 1Password seems to be saving and filling the form properly. However, I was presented with a certificate warning:

    The site's security certificate is not trusted!

    You attempted to reach meta.tagesschau.de, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications. You should not proceed, especially if you have never seen this warning before for this site.


    20110601-cx6pqau7yx95mym46k42kwjydu.png

    Clicking the "Help me understand" link provides more detail:

    When you connect to a secure website, the server hosting that site presents your browser with something called a "certificate" to verify its identity. This certificate contains identity information, such as the address of the website, which is verified by a third party that your computer trusts. By checking that the address in the certificate matches the address of the website, it is possible to verify that you are securely communicating with the website you intended, and not a third party (such as an attacker on your network).

    In this case, the certificate has not been verified by a third party that your computer trusts. Anyone can create a certificate claiming to be whatever website they choose, which is why it must be verified by a trusted third party. Without that verification, the identity information in the certificate is meaningless. It is therefore not possible to verify that you are communicating with meta.tagesschau.de instead of an attacker who generated his own certificate claiming to be meta.tagesschau.de. You should not proceed past this point.

    If, however, you work in an organization that generates its own certificates, and you are trying to connect to an internal website of that organization using such a certificate, you may be able to solve this problem securely. You can import your organization's root certificate as a "root certificate", and then certificates issued or verified by your organization will be trusted and you will not see this error next time you try to connect to an internal website. Contact your organization's help staff for assistance in adding a new root certificate to your computer.


    Clicking "Proceed Anyway" should log you in just fine. However, the screen shot you posted does not appear to include such a button. I cannot begin to speculate why that would be. Perhaps it is a "security feature" in the particular build you are using or related to this bug. Unfortunately, it is not related to 1Password, so there isn't much we can do about it. :-(

    I'm sorry I don't have a better answer.
  • khadkhad Social Choreographer

    Team Member
    Aaaaand one more update: for some reason you are seeing an "invalid certificate" error while I am only receiving the less severe "untrusted certificate" error. "Invalid" and "revoked" certificates are blocked in Chrome as far as I know. There is no "Proceed Anyway" button in that case. I am not sure why there is a discrepancy between your experience and my own other than we are using two different URLs. (I was only guessing at the one you were using.)
  • LosInvalidosLosInvalidos Junior Member
    Damn. Sounds like this won't get solved. Surely Chromium related. Just wonder why Firefox has no issues. Different handling of certificates I guess. And why do websites use certificates instead of "normal" log-ins? Also I have no idea how our browser differ. I'm using the latest chromium nightly.

    Hm. I subscribed to the chromium issue and added my input. Let's see how this develops.
  • BenBen AWS Team

    Team Member

    Damn. Sounds like this won't get solved. Surely Chromium related. Just wonder why Firefox has no issues. Different handling of certificates I guess. And why do websites use certificates instead of "normal" log-ins? Also I have no idea how our browser differ. I'm using the latest chromium nightly.

    Hm. I subscribed to the chromium issue and added my input. Let's see how this develops.


    Certificates are what encrypt the exchange between your computer and the web server. They are ubiquitous and critical for that reason. If a certificate is invalid it could (but doesn't necessarily) indicate a phishing or other attack. If a website were to ask you to login but they didn't have a certificate, all of your information would be sent in clear text. Anyone sitting between them and you could read all of the information sent and received, including passwords.

    You can read more about certificates and SSL here:
    http://en.wikipedia.org/wiki/Secure_Sockets_Layer
  • LosInvalidosLosInvalidos Junior Member
    edited July 2011
    Hi all,

    I'm replying to this topic because it's the http://meta.tagesschau.de site that's still causing trouble.

    What I can do
    * go to http://meta.tagesschau.de/
    * copy & paste my log-in credentials
    * hit "Anmelden"
    * all is great

    Site is showing that I'm not ussing https though (see above in this thread, I guess? and also see screenshot.

    What I can't do
    * go to http://meta.tagesschau.de/
    * hit my 1P shortcut
    * then the log-in gets filled (not transmitted, I disabled auto-log-in for this, to better see at which point what fails)
    * log-in looks ok and I manually hit "Anmelden"
    * FAIL: log-in fails. I am NOT logged into the site. But presented with the following message:

    Chrome issues
    The issue khad posted a link to ( http://code.google.com/p/chromium/issues/detail?id=41890 ) has been marked duplicate of the following issue: http://code.google.com/p/chromium/issues/detail?id=41730

    And the latter one has been fixed. So maybe that's why now I can log-in? And maybe 1Password can be fixed to work with this as well?

    regards
  • brentybrenty

    Team Member
    edited July 2011
    Hey there, LosInvalidos!

    Thanks for the update. This is a problem that all of us will likely face at one time or another, regardless of OS or browser -- or 1Password. It is usually a matter of the certificate being for a specific domain while you are accessing another. If this is not a site you trust, that can be a bad thing. Otherwise, it is simply a matter of using a URL for the proper domain so that Chrome doesn't complain about the certificate not matching every time you have 1Password send you there. Try resaving the login manually:


    1. Enter your username and password, but DO NOT submit the form.
    2. Click the 1Password button in your browser's toolbar, and click Save New Login.
    3. Choose a name for the Login item.
    4. Click the Save button.

    Please let me know if this helps. :)

  • LosInvalidosLosInvalidos Junior Member
    brenty wrote:

    1. Enter your username and password, but DO NOT submit the form.
    2. Click the 1Password button in your browser's toolbar, and click Save New Login.
    3. Choose a name for the Login item.
    4. Click the Save button.

    Please let me know if this helps. :)


    Does not work as advised using latest Chromium. If I click the 1P Button I indeed see the option to "Save new Login", but when I click that, the window disappears and nothing happens no further questions about if I want to replace an existing login ect. and nothing is saved.
  • brentybrenty

    Team Member
    Hello again!

    Unfortunately, that is the best we can do, since we can't support beta or dev channels -- they are simply too volatile. If it is just not cooperating, I suggest you stick with the stable channel. Eventually they will get the kinks ironed out and the shiny new stuff will stabilize. :)

    Does not work as advised using latest Chromium. If I click the 1P Button I indeed see the option to "Save new Login", but when I click that, the window disappears and nothing happens no further questions about if I want to replace an existing login ect. and nothing is saved.
  • LosInvalidosLosInvalidos Junior Member
    edited July 2011
    brenty wrote:

    Hello again!

    Unfortunately, that is the best we can do, since we can't support beta or dev channels -- they are simply too volatile. If it is just not cooperating, I suggest you stick with the stable channel. Eventually they will get the kinks ironed out and the shiny new stuff will stabilize. :)

    Give me a couple of minutes, I'll try the stable... What I described still applies. Now what? I can't save that as a new login from within chromium.

    Should Chromium 12.0.742.100 work? It's obviously a general bug or what? The behavior with stable and latest is identical in this case.
  • brentybrenty

    Team Member
    Hmm I am not sure what is going on here. 12.0.742.112 here, but that should not matter. It is probably updating in the background as we speak.

    Please check the version number of the 1Password extension under Window > Extensions. Mine is [font=Helvetica, sans-serif]3.6.3.30953, which is, I believe, the version included in the 3.6.1 release of 1Password. What versions of OS X and 1Password are you using? It may help if you reinstall the extension itself.[/font]

    Give me a couple of minutes, I'll try the stable... What I described still applies. Now what? I can't save that as a new login from within chromium.

    Should Chromium 12.0.742.100 work?
  • LosInvalidosLosInvalidos Junior Member
    brenty wrote:

    Hmm I am not sure what is going on here. 12.0.742.112 here, but that should not matter. It is probably updating in the background as we speak.

    Please check the version number of the 1Password extension under Window > Extensions. Mine is [font=Helvetica, sans-serif]3.6.3.30953, which is, I believe, the version included in the 3.6.1 release of 1Password. What versions of OS X and 1Password are you using? It may help if you reinstall the extension itself.[/font]

    1P 3.6.1
    Chromium 12.0.742.100 (88853)
    Extension: 1Password Beta - Version: 3.6.4.30955
    now I reinstalled the extension and have 1Password - Version: 3.6.3.30953

    But the behavior has not changed.

    So it's working for you? Not good.
  • brentybrenty

    Team Member
    :(

    Just to be clear, I am entering fake login details on http://meta.tagesschau.de/, saving Login items, and then using 1Password in Chrome to fill them:

    meta.tagesschau.de-20110712-035650.jpg

    Are you using Snow Leopard or Lion? I am still on Snow Leopard myself. Please try the following:


    1. Remove the current 1Password extension from Chrome (Window > Extensions > 1Password > Uninstall)
    2. Reinstall the extension in 1Password (Preferences > Browsers -- click "Continue" and "Install" when prompted)
    3. To be on the safe side, restart your Mac.

    I hope that helps. Please let me know! :)




    1P 3.6.1
    Chromium 12.0.742.100 (88853)
    Extension: 1Password Beta - Version: 3.6.4.30955
    now I reinstalled the extension and have 1Password - Version: 3.6.3.30953

    But the behavior has not changed.

    So it's working for you? Not good.



  • LosInvalidosLosInvalidos Junior Member
    edited July 2011
    I don't think that will help. Since if you see above I already *did* reinstall the chrome extension. I'm still on SL. I can do a restart although I doubt that that's the problem, will do anyway.

    Well could you setup an account for test purposes? Since those red things are what I see when I login using 1P. And that's the initial problem leading to this discussion, right?


    Let me restart and give it another shot. I might even try setting up a new account, but how do I do that, if I can't save a login?
  • brentybrenty

    Team Member
    I don't think that will help. Since if you see above I already *did* reinstall the chrome extension. I'm still on SL. I can do a restart although I doubt that that's the problem, will do anyway.

    Well could you setup an account for test purposes? Since those red things are what I see when I login using 1P. And that's the initial problem leading to this discussion, right?

    Let me restart and give it another shot. I might even try setting up a new account, but how do I do that, if I can't save a login?


    Ah! I am so sorry! I misunderstood, as I thought you said you were unable to save a login at all to create a new one, and that the original was not filling properly. Give me a minute and I will look into this further. :)

    P.S: In some cases we have seen that the 1PasswordAgent is not properly communicating with the extension after updating, which is why I suggested a restart as well. This has worked in cases where the extension reinstall alone did not work.
  • LosInvalidosLosInvalidos Junior Member
    WOOT: Good news. A restart indeed did help. Which is great, because now I can further test, if the login works as well and bad, because I feel like I'm back to windows. Restarts on mac seem to become necessary more and more often.

    YES! Problem solved. Hm, I'm tempted, to go back to latest and see if I can now login properly. Might report back for that.

    Other than that: THANK YOU for your help. And I'm very happy it's now working. If you look at the date of the first post: this site has been nagging me for quite a while.
  • brentybrenty

    Team Member
    edited July 2011

    WOOT: Good news. A restart indeed did help. Which is great, because now I can further test, if the login works as well and bad, because I feel like I'm back to windows. Restarts on mac seem to become necessary more and more often.

    YES! Problem solved. Hm, I'm tempted, to go back to latest and see if I can now login properly. Might report back for that.

    Other than that: THANK YOU for your help. And I'm very happy it's now working. If you look at the date of the first post: this site has been nagging me for quite a while.


    Oh thank goodness! For some reason they won't send me an email when I try to create an account, so I was running out of ideas. :P

    I am glad it is working for you now, and if you want to give Chromium another shot, at least you know how to get it working again if you have trouble. laugh.gif

    I was getting a login error that verified that my fake credentials are no good ("Der Benutzername oder das Passwort wurden nicht akzeptiert. Haben Sie Ihr Passwort vergessen?"), so I suspected that there was something else going wrong for you. If you need anything else, just give us a holler. You are totally welcome, and I am overjoyed that your story has a happy ending after all! :)
This discussion has been closed.