Updated to 43, can no longer "continue anyway" on bad certs

mtakala

mtakala

I spoke with an opera rep on Twitter and the response was essentially "Okay, well, we've decided to keep it this way." Very unfortunate.

Looks like that will be the final straw. Testing Vivaldi now.

shelluser

shelluser

Uhm, what kind of Opera version are you guys actually using? I'm using the latest Opera 43 (43.0.2442.806) and I have no issues with this. So I think either something changed (doubtful considering the short timespan) or you guys are talking a lot of nonsense up there:

Test case on local server

So yeah...

A Former User

Uhm, what kind of Opera version are you guys actually using? I'm using the latest Opera 43 (43.0.2442.806) and I have no issues with this. So I think either something changed (doubtful considering the short timespan) or you guys are talking a lot of nonsense up there:

So yeah...

In cases where the certificate has incorrect information, the popup shows as usual. In cases where the certificate has expired, the popup shows as usual. It's only when both those things are the case where, for some reason, the popup does not appear and you cannot proceed. Presumably it is to protect average users from malicious sites.
All I'd like is some sort of internal flag I can check to override this behaviour, but according to the support rep this behaviour is intentional and not going to change.

shelluser

shelluser

It's only when both those things are the case where, for some reason, the popup does not appear and you cannot
proceed. Presumably it is to protect average users from malicious sites.

Ah ok, that's not what your OP said

I can reproduce this issue, but also fail to see the problem with it. If you're testing then all you need to do is either install the certificate locally, ensure a long lifespan of your testing certificate, or simply set up and use a local CA (which is what I usually do).

I've often came across expired certificates but hardly any which are both invalid and expired. I really think the problem is hardly as big as you make it sound.

A Former User

It's not that the problem is big, it's that something which was previously up to the user is now decided by someone else.
They've taken away the choice completely, for no real apparent reason.
There are certainly tons of ways to work around it, but it speaks to a larger mentality at the company that users must be protected from themselves.

mtakala

mtakala

Yep, I could fix 2 of the 4 services I use daily by just generating new key - the previous had expired. As these are services that are being used both by local LAN IP and by a DNS name, I think the certificate can't ever be 100% correct for both use cases?

A Former User

As a followup, it's slightly amusing that the "concept" browser Opera Neon does the correct (previous) thing and lets the user continue anyway, while standard opera now does not. Almost makes a person wonder if this change was actually a bug rather than intentional.

Anyhow, Vivaldi behaves properly as well, so perhaps it's time to make the move over there. It seems to have stabilized quite a bit since release. Sad, because I've been an Opera fan since almost the beginning.

nabino21

nabino21

It's still same in the latest stable bulid 991. Not sure if they are gonna fix this in the future but in the meantime this is a workaround (use at your own risk!).

Add this at the end of the shortcut command line --ignore-certificate-errors

eg. "C:\Program Files\Opera\launcher.exe" --ignore-certificate-errors

Kinda defeat the purpose of supposedly increased security by not giving an option for the average user to decide that the site is safe to proceed. Now we gotta disable all certificate warnings just great!

A Former User

I agree, surely it's up to the user if they want to take the risk of proceeding with a potentially risky operation. That choice should not be taken away, Opera are completely covered if warnings were issued.
My Internet Security suite has a similar problem, it warns you about potentially dangerous web sites, but the latest version will not now allow you to go ahead anyway, which previous versions did.
If you know it's a false positive, you can no longer over-ride the warning unless you switch the whole Internet Security system off completely, which is madness!

davepmiddleton

davepmiddleton

That would be annoying, so I checked to see for myself. These are my findings.

Opera 43.0.2442.991 (64-bit) on Windows 10 still offers a dialog box for:

Incorrect,
Self-signed,
Expired certificates.

See these test links: https://onlinessl.netlock.hu/en/test-center/invalid-ssl-certificate.html.

However, for hash functions that are no longer considered safe e.g. expired SHA-1 certificates, Opera 43 no longer offers you an option to continue. See this test link: https://expired.identrustssl.com

Hope this helps.

zalex108

zalex108

A way to force websites to update their certificates? :sherlock:

"You cannot know the meaning of your life until you are connected to the power that created you". · Shri Mataji Nirmala Devi

A Former User

That would be annoying, so I checked to see for myself. These are my findings.
Opera 43.0.2442.991 (64-bit) on Windows 10 still offers a dialog box for:

Incorrect,
Self-signed,
Expired certificates.

See these test links: https://onlinessl.netlock.hu/en/test-center/invalid-ssl-certificate.html.
However, for hash functions that are no longer considered safe e.g. expired SHA-1 certificates, Opera 43 no longer offers you an option to continue. See this test link: https://expired.identrustssl.com
Hope this helps.

I hadn't bothered working out the exact problem causing it, thanks.
In the end, they're gonna make the decisions they feel work best for the majority of people.
I'll live.

talu1966

talu1966

After updating from 39 to 43 in Ubuntu 12.04 I now get the privacy complaint even from google.com and auth.opera.com ! Is my system compromised, or has anyone seen this problem under Linux ?

leocg

leocg Moderator Volunteer

or has anyone seen this problem under Linux ?

This is the 'Opera for Windows' forum, please use the 'Opera for *nix' to dicuss about Opera for Linux.

gerardtromp

gerardtromp

Desperately looking for an override function to "Your connection is not private". I don't care and I know the risks. The current step of preventing an override is making it safe for fools at the cost of utility. One cannot prevent fools from being fools.

A Former User

Have you tried using the "--ignore-certificate-errors" switch as mentioned previously?