RE: self-signed SSL seen as "unprotected" or "insecure"

At this point it is messing with my connection when I don't want it to. Who promoted it to be the safekeeper of all my internet? If I had the sources and the compilation environment, I would turn it off. This site is my own site and it is my own certificate. It is just plain intrusive and patronizing that it decides to know better than me, when it is my computer and I am free to do with it as I like.

Next you know you get browsers that won't connect to porn sites because it's immoral.

Or Opera that won't let you visit Mozilla.org because it's competition.

Get rid of that madness.

When you get the certificate error it hardly provides any information until you clock on the globe, then it says the connection is "Not protected" and then just says that the certificate is not trusted. The whole idea of trusted certificates is madness anyway because it says the government is to be trusted, when it's not. But regardless, this is my connection and I am to do with it what I want. I value freedom, and power, and apparently Opera doesn't want users to have that.

All the while I know for a fact that the certificate is my own (let's say I am 99.9999999999999999999999999999999999999999999999% certain) but here is another problem.

I just generated another certificate using a common method on Debian OS, that is recommended everywhere. Or at least reported. The certificate is imported into Opera as a root certificate and Squid uses it to generate fake certificates based on websites that have real ones. Squid is capable of checking the trustworthiness if I want to; I am just delegating some task to Opera in the sense that it has to 'trust' my fake certificate and my self-signed root certificate provider for that fake certificate.

However, it fails because it says the certificate (that it is presented in the end) is invalid.

I have no clue as to why it would be invalid. The Squid version is a bit older (3.4) but Firefox accepts the certificate no problems. The version I have installed on Windows (a slight tad older) also accepts it. I am now speaking of a Linux client (version 31.0.1889.174) and this version won't accept the certificate, but I can't be sure becaus the version of Squid I have on Windows is 3.5.

But the main problem is that Opera doesn't even present you a choice (in case of the untrusted certificate). It just cancels the connection. Period. It does not allow you to add an exception, as if its opinion on your computer is more important than your own.

It does not allow you to download the certificate and install it on your own. It doesn't allow anything. It is just plain obnoxious and plain intrusive.

It's like an intruder on my computer, and then it presents safety????.

If you intrude on someone's life, you cannot go and claim to be a protector. You meddle with someone's life in order to prevent another from meddling with his/her life? Doesn't that make you the crook?.

It's hypocrisy, that's what it is.

All the while Opera doesn't display the name of the signer in the address bar like some browsers do.

That means that If I have a "valid" (verisign, whatever) signed certificate, and my site impersonates another site, Opera will accept it without cause or complaint and tell me my connection is secure.

There are always or there have been exploits to fake the url in someone's browser, and there may be a DNS spoofing attempt (such as when using a public hotspot). Any hacker giving me free wifi can present me a fake website that looks just like the real one and Opera will not give any problems.

Actually normally that only happens when you get redirected to a different domain. The domain has to match the certificate. Regardless. It is generally providing as sense of false safety.

It is also providing and promoting a sense of false insecurity, and people are habitually trained to feel insecure. A general computer user -- because of the lack of knowledge, and information presented, regardless -- cannot interpret the certificate error message.

Many users run into certificate errors plainly because (due to some reason) their computer clock is set wrong. "You may not continue" then spells disaster, and their computer is working against them instead of for them.

The same crap happens with Java recently. Using Java in webapplications/applets has become virtually and practically impossible. Not that it was ever a nice technology, but some sites still use it and I cannot use them anymore.

Browsers f up too much.

I just wish there was a --no-check-certificate option like in wget.

The browser's role is to inform, not to enforce. And informing it does very badly. If it did, it would say something like:

"Opera cannot verify the source of your connection. That means the certificate was not signed by a trusted authority. The certificate is self-signed, and presented as follows:

<information>

If this is a high-profile website, you can be certain that the certificate would ordinarily be signed by a trusted-authority, and you should not continue. However, many people use self-signed certificates for their own purposes, because even though the end-point can not be verified against a real attacker, the connection is still encrypted and protected against general eaves-dropping."

So you are plain wrong that the certificate is garbage. It provides a function, namely making it extremely hard for general observers such as ISPs and governmental agencies, or even !!! tor endpoints from reading your plain-text data.

Anyone wanting to perform data mining on these connections would have to generate on-the-fly fake certificates for every certificate that comes along prompting the security warning for every single site visited; a sure sign that something is amiss. This is not a form of data mining that can take place in reality as it stands.

Man in the middle attacks are extremely rare. They require a hacker being in the position to hijack your connection; ordinarily this only happens with wifi access, because it is so inherently insecure. It can be done by a proxy server; it can be done by an ISP, it can be done by agencies or agents that have access to important routers. It can be done if your DNS is getting spoofed. On the other hand, connection monitoring is extremely common.

When you connect to an unkown host via SSH, it will say "You're connecting to a new host we don't know, are you sure you want to continue?" And when you say yes, it will add the server's public key to your store of authorized_hosts. Actually the file on Linux is called known_hosts. Then, should the host change, you would get another warning, which would indicate that something is amiss. It would be completely self-defeating if every ssh client would start issueing unverifiable certificate errors.

At this point it is messing with my connection when I don't want it to. Who promoted it to be the safekeeper of all my internet? If I had the sources and the compilation environment, I would turn it off. This site is my own site and it is my own certificate. It is just plain intrusive and patronizing that it decides to know better than me, when it is my computer and I am free to do with it as I like.

Next you know you get browsers that won't connect to porn sites because it's immoral.

Or Opera that won't let you visit Mozilla.org because it's competition.

Get rid of that madness.

When you get the certificate error it hardly provides any information until you clock on the globe, then it says the connection is "Not protected" and then just says that the certificate is not trusted. The whole idea of trusted certificates is madness anyway because it says the government is to be trusted, when it's not. But regardless, this is my connection and I am to do with it what I want. I value freedom, and power, and apparently Opera doesn't want users to have that.

All the while I know for a fact that the certificate is my own (let's say I am 99.9999999999999999999999999999999999999999999999% certain) but here is another problem.

I just generated another certificate using a common method on Debian OS, that is recommended everywhere. Or at least reported. The certificate is imported into Opera as a root certificate and Squid uses it to generate fake certificates based on websites that have real ones. Squid is capable of checking the trustworthiness if I want to; I am just delegating some task to Opera in the sense that it has to 'trust' my fake certificate and my self-signed root certificate provider for that fake certificate.

However, it fails because it says the certificate (that it is presented in the end) is invalid.

I have no clue as to why it would be invalid. The Squid version is a bit older (3.4) but Firefox accepts the certificate no problems. The version I have installed on Windows (a slight tad older) also accepts it. I am now speaking of a Linux client (version 31.0.1889.174) and this version won't accept the certificate, but I can't be sure becaus the version of Squid I have on Windows is 3.5.

But the main problem is that Opera doesn't even present you a choice (in case of the untrusted certificate). It just cancels the connection. Period. It does not allow you to add an exception, as if its opinion on your computer is more important than your own.

It does not allow you to download the certificate and install it on your own. It doesn't allow anything. It is just plain obnoxious and plain intrusive.

It's like an intruder on my computer, and then it presents safety????.

If you intrude on someone's life, you cannot go and claim to be a protector. You meddle with someone's life in order to prevent another from meddling with his/her life? Doesn't that make you the crook?.

It's hypocrisy, that's what it is.

All the while Opera doesn't display the name of the signer in the address bar like some browsers do.

That means that If I have a "valid" (verisign, whatever) signed certificate, and my site impersonates another site, Opera will accept it without cause or complaint and tell me my connection is secure.

There are always or there have been exploits to fake the url in someone's browser, and there may be a DNS spoofing attempt (such as when using a public hotspot). Any hacker giving me free wifi can present me a fake website that looks just like the real one and Opera will not give any problems.

Actually normally that only happens when you get redirected to a different domain. The domain has to match the certificate. Regardless. It is generally providing as sense of false safety.

It is also providing and promoting a sense of false insecurity, and people are habitually trained to feel insecure. A general computer user -- because of the lack of knowledge, and information presented, regardless -- cannot interpret the certificate error message.

Many users run into certificate errors plainly because (due to some reason) their computer clock is set wrong. "You may not continue" then spells disaster, and their computer is working against them instead of for them.

The same crap happens with Java recently. Using Java in webapplications/applets has become virtually and practically impossible. Not that it was ever a nice technology, but some sites still use it and I cannot use them anymore.

Browsers f up too much.

I just wish there was a --no-check-certificate option like in wget.

The browser's role is to inform, not to enforce. And informing it does very badly. If it did, it would say something like:

"Opera cannot verify the source of your connection. That means the certificate was not signed by a trusted authority. The certificate is self-signed, and presented as follows:

<information>

If this is a high-profile website, you can be certain that the certificate would ordinarily be signed by a trusted-authority, and you should not continue. However, many people use self-signed certificates for their own purposes, because even though the end-point can not be verified against a real attacker, the connection is still encrypted and protected against general eaves-dropping."

So you are plain wrong that the certificate is garbage. It provides a function, namely making it extremely hard for general observers such as ISPs and governmental agencies, or even !!! tor endpoints from reading your plain-text data.

Anyone wanting to perform data mining on these connections would have to generate on-the-fly fake certificates for every certificate that comes along prompting the security warning for every single site visited; a sure sign that something is amiss. This is not a form of data mining that can take place in reality as it stands.

Man in the middle attacks are extremely rare. They require a hacker being in the position to hijack your connection; ordinarily this only happens with wifi access, because it is so inherently insecure. It can be done by a proxy server; it can be done by an ISP, it can be done by agencies or agents that have access to important routers. It can be done if your DNS is getting spoofed. On the other hand, connection monitoring is extremely common.

When you connect to an unkown host via SSH, it will say "You're connecting to a new host we don't know, are you sure you want to continue?" And when you say yes, it will add the server's public key to your store of authorized_hosts. Actually the file on Linux is called known_hosts. Then, should the host change, you would get another warning, which would indicate that something is amiss. It would be completely self-defeating if every ssh client would start issueing unverifiable certificate errors.

Also, Opera says:

You attempted to reach www.google.nl, but the server presented an invalid certificate.
You cannot proceed because the website operator has requested heightened security for this domain.

But if the connection source is not trusted, how can Opera know that the website operator has requested "heightened security" for that domain?.

Is that a DNS thing?.

I can't find any information on it.

I posted this in Opera for Windows accidentally, but this is with Opera browser 31.0.1889.174 on Linux (RPM).

The openssl version is OpenSSL 1.0.1k 8 Jan 2015. Squid's version, for all it matters, is 3.4.4.

I wonder if there is any information as to when a certificate is considered "valid" by the newest Opera.

I have generated a self-signed certificate for personal use -- and maybe my problem is that the Squid version I use is somewhat older -- but the certificates that my Squid proxy server presents to Opera and that are signed by my "root authority" (it is a root authority in my world) are seen as invalid.

I might try upgrading my Squid version first but that's hard on Linux. Might do.

The self-signed was generated by using openssl:

openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout <out.key> -out <out.pem>

And then I filled in almost every field that was (required) for the certificate. I don't know why this Opera won't accept them. Firefox accepts them just fine.

The new self-signed was imported into Opera as a root CA without issue. It is only the certificates that are now presented to it by Squid are seen as "invalid" without any reason given.

This is the post that follows the post that is being held in moderation, just in case:

Every person knows this, that uses SSH. Life would become impossible if every freaking host required some Official Party to sign his or her certificate. You could not do any random or hobby things anymore.

SSH clients could, you know. They could. They could simply refuse to connect. But that would not last long given the general open-source nature of those clients. People would object, entirely and effectively.

Maybe you need to learn a thing or two.

A SSH connection is no different from an SSL connection.

It uses public/private key pairs to encrypt the connection. In general, that's the same.

Furthermore, there are now millions of hosts that do not provide any form of personal log-in, but still use SSL to serve ads and the like. Virtually everything is hidden behind SSL now. That is why my proxy breaks it up, so it can still harvest those images for caching purposes.

There is more to the web than only the "public, High profile web". Sure, if Facebook presents an invalid or untrusted certificate, sure. I will raise my eyes and my eyebrows. But invalidity is not the same as untrustiness and Opera provides No information WHATSOEVER as to WHY the certificate is invalid.

It just says "invalid". Blunt. Non-informative. Because if it gave information, it would provide power to the people and put them in positions of power, and it doesn't want that, it wants to patronize and intrude. On the lives of people using it. For political correctness, yes. And all that.

Opera's message is not educational and not informative. It falls short of these marks. Obviously that is the same with Chrome probably, I haven't installed it yet here.

Installing Chrome is a bit harder on Linux.

So it does not empower people, and it does not empower them to make their own choices, nor does it even allow them to. It decides to be the gatekeeper when noone asked it to. It does not respect the user's wishes and is just a plain bad program in that sense.

It's supposed to be a tool, but now the user is the tool of the browser. Doing what IT wants.

General eavesdropping is much more common than man-in-the-middle attacks and SSL certificates that are not signed by "official authority" provide just that: protection against that.

So saying that the connection is not protected (against the most common threats) is a plain misinforming non-truth. You can call it a falsehood.

Or even a lie.

They are not garbage, you are garbage for saying these things. The whole of the SSH world uses these things to connect to each other, only high-profile uses would provide server public keys in advance. Software repositories, the ones that are not overly official, require you to trust the certificate that is presented. In a billion to one cases, that will be fine. Whoever thinks to impersonate a file-hosting service providing packages for a linux system?. We are not talking about high-profile security here, and neither are most web-uses.

The number of thrown warnings compared to the number of real threats is just ridiculous. For every one real threat, a billion users will have been warned against false positives. Of course, given current circumstances. Because of the prevalence of these warnings, most users click continue anyway, and that is why "Opera" now forbids that choice. Because its own informational messages are so non-informational, people just habitually ignore it.

That is not a problem with the user, that is a problem with the browser and the choices it makes. That is the problem with the exaggeration of the security risks involved, and the vast blowing up of how important every single connection is, even if it is to a host serving ads. Opera (and other browsers, perhaps) non-discriminately treat ALL hosts as high-profile and high-securty, when it is not true, it is nothing but. The biggest threat is not in connecting to a new host, but connecting to a known host that suddenly sees changes.

THAT is where you can alert people. Everything else is nonsense.

Any NEW connection to an as yet UNKNOWN host runs NO risk of being subject to treachery because on a NEW host (given no domain name spoofing) you won't have any account sitting there or personal information being transfered there that is any important.

This is such blown up. It does not cater to the real security needs of users and provides so many false positives for threats and attacks, that they become absolutely worthless. Users are not educated in the slightest and overstimulated with nonsensical scary tactics that make them unable to discern what is happening when.

So apparently, Opera and others have decided to give users no freedom whatsoever at all, as if that is the solution. It is not. It is the problem.

Users can decide for themselves if they are well-educated and they are not well-educated with messages such as these and the incidence (vast number of them) that are being presented to them in low-risk situations.

It's the same with anti-viruses, people (companies) such as Microsoft and other vendors that have a stake in selling more software, present viruses as extremely high risk when they are not. "Your system is unprotected." F off, I haven't had a virus in 20 years and I have never used anti-virus in that time. Except on occasion to verify and there was never anything wrong. I won't have AV dragging down my system, but that's me. And because of the way that this is being tackled "you have to be protected by someone else" users never learn, because they are not given the opportunity to do so.

Even my father is scared of viruses and he has never used a computer.

My post is being held for moderation. I can't post anything now.

When using a site with a self-signed certificate, Opera will insist that your connection is NOT secure just because the certificate can't be trusted, even if you said "go ahead anyway". It also does NOT show any "https" in the address bar.

For these reasons it is almost impossible to know if you are using an SSL connection. Yes, when you click on the globe icon it tells you there is a certificate; that is the only indication. This is really bad.

Only after: exporting the certificate; then importing it as a "basic authority", and then RESTARTING Opera, will Opera claim that the connection is safe. This is just ridiculous.

It should be known that at least your connection is secure because it is encrypted. Even if you can't know the authenticity and identity of the website you are dealing with - who tells you don't? - at least you are protected against eavesdroppers. Opera should show an indication that you are using an SSL connection (for example, by allowing me to see the https/http).

It's not like I hadn't noticed before, but the new Opera's download manager is pretty bad.

So today I am on a EDGE link of 20 kB/s downloading an 170 meg file and paying per megabyte.

I pause the download but the link is something that depends on permission based on cookies. Perhaps I have deleted my cookies in order to troubleshoot something, perhaps the server is annoying in any case because you have to start the download within 30 minutes.

This means the download/resume fails. What does Opera do? /IMMEDIATELY DELETES THE FILE/.

I was at 87 meg and though I thought this could be the case, lazily I chose to start again thinking the file would still be there. Wrong. Also, Opera immediately overwrites the old file which, in contrast to the zillion other deleted files on my drive, large and small, becomes completely unrecoverable.

The worst kind of behaviour for any download manager you could get. The wind has to blow in the right direction or you'll lose everything. The whole idea of a download manager (which was excellent in the old Opera) is to provide a measure of safety. NOT DELETING DOWNLOADS ON THE FIRST ERROR.

I don't know. Sometimes, as in, lately, it seems like everything that can go wrong, will always go wrong. I guess that is some sort of well known law.

The local wifi doesn't work, meanwhile the mobile data provider doesn't update its status which causes you to not be able to buy extra megabytes, which means..... ;-).

Etcetera.

Then the SIM I have that does have a lot of data on it, doesn't work in this area for lack of coverage. Sometimes all of the universe seems to conspire against you. And all I want to do is download a simple compiler which in this case comes in a package of 170 freaking meg. It's just incredible how much technology can fail you when you depend on it for something important.

Then the self-service website of that provider fails completely.

Which means I am downloading, but it might get interrupted for lack of money on the account.

But if I pause it, it will not resume.

I am so happy :p.

And without a bundle the download will cost me 25 euro to begin with.

No other recourse but to pause the stupid bastard and hope for something different tomorrow.

A horse, a horse, my kingdom for a horse.

I think the Opera Mail client is one of the best looking clients that doesn't feel like a full fledged something like Mozilla Thunderbird.

It is just a shame it doesn't seem like there will ever be any development on it anymore. Just a version 1.0 and that's that?

Personally I don't like the collection thing in which these virtual folders go and aggregate everything and you can hardly customize anything about it. It is one of these things that is touted as a great feature and it is the one feature I despise.

Even if it had seen just one developer hour a day, it would have become an awesome product the likes of which had never been seen before.

Not that I anticipated a real future for Opera after they changed course. I prefer Opera over Chrome still for reasons pertaining to the same feelings I had with the old Opera. But important addons also fail to work in Opera. I mean the Chrome addons. I do love the new bookmarks thing though. Doesn't always work as excellently, but still an amazing thing. And the visuals of it is awesome. Such a marvellous environment graphically and user-interface speaking.

Much better than the Stash.

But what competitors exist to Mail? Virtually none. Thunderbird is a clunky and ugly bird like all the Mozilla products. One feature a client like this needs is: only download the last XXX emails.

You want it to be light-weight for use on netbooks and small laptops. I dislike the full weight of a full client like Thunderbird.

Other than that, the biggest requirement is for drafts to use an IMAP folder, and for it to actually be possible (!!!!) to continue a drafted message in a normal way. (BIG FAIL!). There is also an issue with HTML composition, but well, I forgot. I think a big fail was not being able to mark-up sections of text independently, such as centering only a paragraph, and not the whole thing.

I have it installed on this laptop now but for lack of a big pipe I cannot use it to download my emails. It will just download everything which is way too much for this data link.

A shame though. Spending all that effort to create something and then to abandon it straight away is a bad way to spend your energy.... ;-(.