Bugzilla invalid certificate issues

Hi all,

The bugzilla has always had an invalid certificate, but in the past week or so Google Chrome has begun treating it as a dangerous site, meaning that every time a new page is loaded a full-page warning splash appears and users have to click through it. This is getting really frustrating.

What would it take to fix this?

+1. Chrome has been warning about the certificate for a year or so now, with steadily increasing severity. Would’ve been nice to fix it back then.

But, now, it’s basically an emergency…the warning has made the https parts of the site effectively inaccessible to normal users running Chrome.

A couple people have mentioned that llvm.org was “not working” to me recently. And, I hadn’t upgraded Chrome yet, so I didn’t understand what they were saying at the time. But, now I have: the full page blocking warning basically makes the site appear inaccessible, unless you’re looking very closely.

Is there some difficulty with buying a new certificate?

Switching to letsencrypt would be best, and free, of course, but that takes a little more infrastructure work to set up, and I’d understand if maybe nobody’s had the time to do that yet. Which is fine – but in the meantime, can someone just pay for a new certificate from any of the standard CAs?

Probably needs attention from the board ASAP


Letsencrypt only offers domain validation certs. I think an EV cert would be more appropriate for llvm.org.

Bugzilla will be fixed very soon.

-Tanya

Interesting, why do you think EV certs are more appropriate? They don't offer any security benefits beyond those offered by DV certs. Given that much of llvm.org isn't even currently accessible over TLS, going straight to an EV cert seems overkill.

One nice aspect of Let's Encrypt certs is renewals are automatable so no one needs to keep track of when a new cert is necessary.

bugzilla has been updated.

llvm.org as a whole is next, but it's a bigger task due to SVN and we are making sure it's done correctly, as SVN cert changes are not fun.

-Tanya

Hi Tanya,

I still get the error... even after shift+reload. Any ideas?

cheers,
--renato

EV certs attempt to validate the identity of the organization that holds them. That is a nice assurance to have from a place that makes the thing that compiles your code.

Although I appreciate that concern, downloads are currently available only via http (or via https with a TLS cert warning about invalid common name) so any improvement here would be good (as just happened with bugs.llvm.org)

As an aside, EV certs don't really offer a guarantee of identity validation (indeed, EV certs have been misissued in the past [1]). They're really a form of Jackson and Barth's "finer-grain origin" [2] which, as they point out, isn't respected by the browser's same-origin policy. Although I'm not aware of any studies on this, I'd be shocked if even expert users noticed that a site moved from EV certs to DV certs. There's much more security to be had with HSTS.

1. Google Online Security Blog: Improved Digital Certificate Security
2. https://seclab.stanford.edu/websec/origins/fgo.pdf

Generally, there are two visible differences:
(1) Historically, browsers used to display EV vs DV with different
colors. I think they gave up on this.
(2) The insurance sum tends to be greater.

Technically, there is no point to EV and I agree that HSTS is likely the
better deal. That said, let the admin work it out.

Joerg
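Since the thread brings up both HSTS and Let's Encrypt as the better deal, here is an added nginx server configuration showing the minimum needed to get there: a plain-HTTP listener that only redirects, a TLS listener using the certificate paths certbot writes for a Let's Encrypt cert (so that "certbot renew" from cron or a systemd timer keeps it current without anyone tracking the expiry date), and the HSTS header. This is an illustrative example written for this thread, not llvm.org's actual configuration; the hostname example.org, the document root and the certbot-style paths are assumptions.

```nginx
# Added example, not llvm.org's infrastructure configuration.
# Hostnames, paths and the certbot-style certificate locations are assumptions.

# Plain-HTTP listener: serve nothing, redirect everything to HTTPS.
# This has to be in place before HSTS is useful, since a browser only
# honours the HSTS header after receiving it over a valid HTTPS connection.
server {
    listen 80;
    server_name example.org www.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.org www.example.org;

    # Default locations certbot writes for a Let's Encrypt certificate.
    # "certbot renew" replaces these files in place when the cert nears
    # expiry, so renewal needs no manual tracking (assumed certbot layout).
    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    # HSTS: instruct browsers to use HTTPS only for this host, for one year.
    # Caveat: start with a short max-age (e.g. 300) while testing, because a
    # long max-age on a host whose HTTPS is still broken (bad common name,
    # http-only downloads) locks users out for the whole period. Only add
    # includeSubDomains once every subdomain serves a valid certificate.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/example.org;
}
```

The order matters in practice: first make every https:// URL on the host serve a valid certificate (the downloads mentioned earlier included), then deploy the redirect, and only then send the HSTS header, since HSTS converts any remaining certificate error from a click-through warning into a hard block.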

llvm.org/bugs -> bugs.llvm.org

However, https on the old still breaks, so I can't see the message. We
need a wide announcement, if there wasn't one (I wasn't monitoring).

The new URL works for me now.

cheers,
--renato

> Hi Tanya,
>
> I still get the error... even after shift+reload. Any ideas?

> llvm.org/bugs -> bugs.llvm.org
>
> However, https on the old still breaks, so I can't see the message. We
> need a wide announcement, if there wasn't one (I wasn't monitoring).

I sent email to all the dev lists and posted on twitter. I was hoping that the redirect would bypass the message, but apparently it doesn’t. Those affected, though, should see the posts to the list or twitter.

-Tanya