Topic: More Certificate problems

REDACTED

  • Guest
More Certificate problems
« on: November 26, 2014, 05:48:09 AM »
Oh dear.  I was having problems accessing my mobile phone bill PDF from a website https://ecm3.fxdms.net/..., using my favourite secure browser K-Meleon74.24, with SSL totally disabled leaving only TLS 1.0 (unfortunately), 1.1 :) and 1.2 :D.

K-Meleon gives me this message:
Code:
An error occurred during a connection to ecm3.fxdms.net. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

As it happens, I can access this PDF using IE11, which has had SSL disabled in the Internet Options Advanced>Security.  OTOH, Internet Explorer is insecure by design which is why I use it only when all else fails and then I desperately need Avast! to protect me...

My problem is,  why is Avast issuing SSL certificates?  SSL is well-known to be fatally compromised, and TLS should be used instead.  And why doesn't Avast see my SSL-disabled K-Meleon and give me a TLS-capable certificate instead?  We won't talk about using Symantec/Norton here...  :o

Gordon.

REDACTED

  • Guest
Re: More Certificate problems
« Reply #1 on: November 26, 2014, 06:04:03 AM »
BTW, what is this alert in the Certificate?  It's from IE11...

Gordon.

REDACTED

  • Guest
Re: More Certificate problems
« Reply #2 on: November 27, 2014, 10:15:57 AM »
OK, I have discovered why IE11 can get the PDF in my OP.  Despite me unchecking SSL3.0 and SSL2.0 in Internet Options>Advanced>Security, IE11 still uses SSL.  Yes, I have restarted the computer.  I switch off the box every night before bed.  And I have checked TLS 1.0, 1.1 and 1.2.

You can test your IE at https://poodle.io/ and https://poodletest.com/.

IE is a very noxious browser.

So this leaves the question, "why is Avast issuing SSL certificates?"

Gordon.

REDACTED

  • Guest
Re: More Certificate problems
« Reply #3 on: November 28, 2014, 12:55:46 PM »
Further to the disaster:  Changing the Avast setup in Control Panel and removing Web Protection and Browser Protection, then disabling the Avast certificate (unfortunately Windows gives no GUI dialog to "distrust/remove") in IE11, and also removing it from K-Meleon--I had imported it to see if it would work--returned me to the prime cause of my troubles.

What Avast did by injecting a certificate onto a hopelessly insecure website was to ensure that IE (any version) would compound the sins by successfully loading it.

With the Avast certificate disabled, I get a message in IE11:
Code:
This page can’t be displayed

Turn on SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2 in Advanced settings and try connecting to https://ecm3.fxdms.net  again.

Using the handy-dandy fixit supplied on the error page, I disabled TLS totally, and enabled SSL3.  Instant success!

It seems I have very unfairly maligned IE.  I will not say "sorry", but I will state unequivocally that Avast's behaviour led me to justifiably make the statements, by hiding the facts of an insecure website.  The methods used by Avast add nothing to internet security, but reduce the chances of surfing safely by presenting insecure sites as up-to-date.  There can be no justification for modifying someone else's certificate.  The only good thing to come out of this was Avast's inability to add its certificate to K-Meleon and Opera, so I could see the danger signs, the red flashing lights.

Devs:  Avast is very good at its core responsibility, finding and telling us about infected files, "anti-virus".  I see no reason to abandon a quality product.  But don't stray from your field of expertise.  Skills acquisition is good and laudable--but make sure you understand all the nuances before you publish.  At this stage, you don't.

Gordon.

Eddy

  • Avast Evangelist
Re: More Certificate problems
« Reply #4 on: November 28, 2014, 01:05:09 PM »
Quote
At this stage, you don't.
If you can do a better job, go ahead ;)

REDACTED

  • Guest
Re: More Certificate problems
« Reply #5 on: November 28, 2014, 01:15:28 PM »
Eddy, please don't take this the wrong way.  I'm trying to play the ball here, not the man.  At the moment, I'm leaving Avast to do what I think it does best, detecting "viruses".  At the moment, I'm doing what I think I'm reasonably good at with the help of some excellent initiatives from various sources (TLS for one), detecting unsafe websites.

So yes, I'm going ahead.

When Avast understands the nuances of internet security protocols, I'll let it prove itself.

Gordon.