SSL Error: smth wrong with Certificate Transparency policy
-
greenriverrus last edited by
Today I found out that Opera no longer lets me access mail.ru. However, in other browsers on my OS all works fine, so the certificate is OK.
"The server presented a certificate that was not publicly disclosed using the Certificate Transparency policy."
But according to the Certificate Transparency report (https://www.google.com/transparencyreport/https/ct/) for this site, its cert is listed, so it should be trusted by Opera, but it isn't.
What could be the problem?
-
goginan last edited by
I'm having the same issue with the Yahoo login at https://login.yahoo.com. I can log in using Firefox or Chrome, but Opera generates the message "The server presented a certificate that was not publicly disclosed using the Certificate Transparency policy." and only lets me "Return to Safety". As above, the certificate for login.yahoo.com is listed.
-
A Former User last edited by
It does the same thing when I try to go to the Amazon website. A bug maybe?
-
quaternium last edited by
My only guess is that this has something to do with Opera's VPN feature, as I've been using the VPN when this notification was received. This is of concern to say the least, as it brings to mind SSL man-in-the-middle exploits.
-
quaternium last edited by
MY NEXT GUESS: This appears to be an issue with HSTS (HTTP Strict Transport Security).
From Wikipedia: "HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol."
It also seems that some users may tweak Opera settings regarding HSTS by going to opera://net-internals/#hsts, I suppose by adding some sort of exception as per: http://classically.me/blogs/how-clear-hsts-settings-major-browsers BUT...
I get forwarded to a web search when I try to go to that blog post about clearing HSTS for specific domains, so perhaps it is a bug, or perhaps the customization page is only available in other Opera versions, like the one for Windows?
EDIT: Now all of a sudden the link chrome://net-internals/#hsts IS working for me.
Considering that the blog post was written in Feb 2014, it's strange that the issue would just be seen now, so I'm leaning towards bug.
-
quaternium last edited by
And... here's a list of sites that are hardcoded to use HSTS. Theoretically, all these sites should give the problem and not pull up. mail.ru and amazon.com are included.