Speaking perhaps like a business analyst, a primer off the top of my head:
Different browser distributions will have different SSL certificates preinstalled on them. Each certificate is part of a tree or chain of certificates.
Warnings occur when a certificateâs âancestryâ is incompatible.
Here Iâve been out of the loop somewhat on that free SSL service and the WikiLeaks revelations and updates to best-practice encryption algorithms so perhaps a user like @Ataraxia_Now with that bright red fedora as profile picture might be able to comment?
It is known there are some browsers that will not work with cloudflare because they have outdated certificates. Unfortunately other than not using cloudflare and instead using widely supported certificate (which may mean using outdated encryption) thereâs not too much which can be done. An example I know of is Android 2.x browsers - actually it is probably more a matter of operating system than browser.
Another known offender is antivirus software which likes to insert itself as man in the middle of SSL connections so it can check for dodgy content. If the antivirus does not have the proper certificates it produces that same error.
Thanks Blake. @mikenz66, if people are still reporting issues, could you ask them to report directly to us? Thereâs not much we can do without knowing the details.
In this case itâs probably caused by an OS which hasnât been updated for a while, browsers usually rely on the OS for TLS so changing browser doesnât change anything. Antiviruses are more invasive and so can embed themselves deeper in the OS and hijack the TLS. In fact the error on the dhammawheel first post looks a lot like this:
The client and server donât support a common SSL protocol or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure.
My conjecture would be that an antivrus has inserted itself into TLS and wants an RC4 connection, the browser says âno way thatâs insecureâ, because the browser is talking to the antivirus it thinks the antivirus is the server. The browser refuses to communicate further. Itâs also possible that itâs not an antivirus but another kind of man the middle âdefenderâ, such as a SSL snooping firewall as is sometimes found in corporations, schools and some ISPs. A (modern) browser is perfectly able to detect this subterfuge and if the connection is not allowed to be âdowngradedâ (forcing a less secure connection is the usual strategy employed by these firewalls) then the connection attempt will be aborted because it cannot provide the promised security level (that is, that no-one along the way can snoop on the traffic).
Yeah, an old operating system and updates disabled would be a good recipe. A while ago I discovered the issue on an old android phone. I was like âoh well, thatâs the steamroller of obsolescence for youâ, that particular device was too primitive to be updated to a newer OS and Google eventually stops supporting older software as a matter of policy. Windows 7 should be fine though older versions of XP can have problems with modern encryption.
Actually itâs likely to be an issue with cloudflare hosted sites in general, since the connection goes to Cloudflare (from the browserâs perspective, the connection ends at a Cloudflare server, itâs irrelevant that behind Cloudflare the two subdomains are hosted at different servers). Users of low-cost Cloudflare plans get shared certificates, business users can use their own certificate and can also get Cloudflare to support old devices (with compromised security), so itâs not the case that all sites served via Cloudflare will have the same certificate issues, just those on the free/pro plans.
It should be noted that itâs not just a thing with Cloudflare: If you use Lets Encrypt youâd run into much the same issue. A certificate provider which only supports modern encryption will not support old devices/OSâs.
To be clear of course, ROM most probably wouldnât be flashable without wired connection.
Would you concur?
I say because a premise like that would be a perfectly reasonable avenue of attack if one were to have say a BILLION dollars and a bunch of dumb ideas would it not?
If my memory is right (itâs been 25+yrs) if CMOS was getting stuck,youâd remove the battery and wait to drain out. That would reset it. But to flush it, hmmm, it has to have a connection of some sorts to the new software. Early chips (industrial, non PC) would have an optic opening so you can send/blow the new code that way. Latter days, on PC, it was done directly from HD, the portion that it can see, or was it floppy? But it would have to be thruâ a proprietary driver. How itâs done today, I do not know. It wouldnât surprise me if they force you to buy a new one, preloaded with a new code. Silicon is cheap.
On macOS, using Firefox, my SSL âpadlockâ shows a warning that not all parts of the page are secure via the SSL certificate. This is usually because of objects that are being pulled in from somewhere other than the server that has the certificate, like images. However:
On Windows 10, using Firefox, SSL is fine. On Vivaldi, SSL is connected for the main Discuss and Discover page, but breaks as soon as I click into a discussion thread. On macOS using Safari, the connection stays secure. I can check various browsers on Linux later today if anyone would like a report on that.
I suspect that importing the siteâs certificate into the browser or OS (depending on which is handling it) would solve the problem for everyone. Iâve done that successfully with self-signed certificates at work.