The Mental Militia Forums


Author Topic: TCF SSL Access  (Read 129715 times)

Bill St. Clair

  • Techie
  • Sr. Member
  • *****
  • Offline Offline
  • Posts: 6852
    • End the War on Freedom
Re: TCF SSL Access
« Reply #30 on: January 22, 2007, 07:55:34 pm »

SSL access has been down for me all day. I submitted a support ticket to Hosting Matters, our web service provider. Tell you more when there's more to tell.
"The state can only survive as long as a majority is programmed to believe that theft isn't wrong if it's called taxation or asset forfeiture or eminent domain, that assault and kidnapping isn't wrong if it's called arrest, that mass murder isn't wrong if it's called war." -- Bill St. Clair

"Separation of Earth and state!" -- Bill St. Clair

Shevek

  • Full Member
  • ***
  • Offline Offline
  • Posts: 970
  • Liberty-Minded Fussitarian Nit-Picker
    • Simple Liberty
Re: TCF SSL Access
« Reply #31 on: January 22, 2007, 08:12:30 pm »

Quote
Firefox . . . Works on Windows, Macintosh, and Linux. Auto-updates, if you let it.
Caution: Firefox runs very slowly on older hardware because of the convoluted XUL interface. If you are not a browser power user, then consider Opera or K-Meleon. I use the latter a lot and it is very snappy and fast.

Quote
I sure hate being the only dumb one.
You're not dumb, just ignorant about computers. I'm quite ignorant about nursing and the medical industry!

Quote
SSL access has been down for me all day. I submitted a support ticket to Hosting Matters, our web service provider. Tell you more when there's more to tell.
Your blog is down too. Same host provider?
"But there was always time for swimming and for talking, and never a time by which a task must be finished. There were no hours: only whole days, whole nights." The Children of the Open Sea, The Farthest Shore, Ursula K. Le Guin.

http://www.simpleliberty.org/   http://humanreadable.nfshost.com/

Bill St. Clair

Re: TCF SSL Access
« Reply #32 on: January 22, 2007, 09:09:22 pm »

The SSL log file had reached the file size limit. They removed it and restarted the SSL server. SSL access is back up.

My blog is hosted by nearlyfreespeech.net. Works for me now. tcftalk.com is hosted by hostingmatters.com.

Bill St. Clair

Re: TCF SSL Access
« Reply #33 on: January 22, 2007, 11:15:01 pm »

Well, my blog WAS broken. Deleted a spam user account twice again, which caused the guest account to be removed, which only allowed registered users to see anything. Fortunately, the last time this happened I created a page with instructions for fixing it. So it's fixed now.

Bill St. Clair

Re: TCF SSL Access
« Reply #34 on: April 04, 2007, 09:37:13 am »

Prompted by a complaint from Hosting Matters about our scripts or .htaccess files generating illegal URLs, I finally figured out how to get a free SSL certificate for tcftalk.com. You no longer need to use https://erte.hmdnsgroup.com/~tcftalk/ for encrypted access to the boards. You can now use https://thementalmilitia.com/forums/ . Since the new certificate is for the proper domain, you can also tell your browser to accept the Certificate Authority (CA) permanently, and stop having to verify the first access each time you relaunch your browser. Firefox gives an option on its warning dialog for this. Don't know about other browsers.

Note that you'll have to enter your user ID and password the first time you login with https://thementalmilitia.com/forums/ , but if you have cookies enabled in your browser (the default for most browsers), it will remember them after that.

I have to change an .htaccess file to make the wiki properly respond to https://tcftalk.com/wiki/ , but I expect to do that tonight.

If you use encrypted (https) access to the forum, please change your bookmarks to:

https://thementalmilitia.com/forums/

Yay!

Claire

  • Plain Folks
  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 6577
    • Living Freedom
Re: TCF SSL Access
« Reply #35 on: April 04, 2007, 10:30:53 am »

Yay! indeed -- and thank you, Bill. It was quite a surprise to get an email from "Abuse Investigations" at our hosting service. Poor innocent us; we had no idea there was any problem. Neither Debra nor I even understood what the Hosting Matters support folks were talking about. So thank heaven for Bill, his tech skills, and his efficiency.

Off to change my bookmarks right now.
Just as the flattery of friends often leads us astray, so the insults of enemies often do us good. -- St. Augustine, Confessions, Book IX, Chapter 8


When faith ceases to be a challenge to the standards of polite society, it is no longer, or has not yet become, faith. -- Donald Spoto, Reluctant Saint:  The Life of Francis of Assisi


My life is my message. -- Gandhi

Bill St. Clair

Re: TCF SSL Access
« Reply #36 on: April 04, 2007, 07:32:59 pm »

OK. http://tcftalk.com/wiki/ works now, for me, and the old erte.hmdnsgroup.com address does NOT work. So if the new IP address hasn't propagated to your DNS server, you'll have to add the DNS to your /etc/hosts file to get to the wiki. I changed the New Box accordingly.

Bill St. Clair

Re: TCF SSL Access
« Reply #37 on: April 05, 2007, 08:38:04 am »

I just fixed the original problem that Hosting Matters complained about by redirecting http(s)://erte.hmdnsgroup.com/~tcftalk/* to https://tcftalk.com/* .

That will break the board completely for anybody who doesn't have the correct IP address. Hopefully, the DNS change has propagated by now.

There IS a work-around. You can use the IP address directly:

  http://63.247.128.94/clairefiles/
  https://63.247.128.94/clairefiles/

The encrypted version will cause your browser to complain that the domain in the SSL certificate is not 63.247.128.94, but it will work.

Adding a line to /etc/hosts will also work:

  63.247.128.94  tcftalk.com www.tcftalk.com
« Last Edit: April 05, 2007, 08:46:32 am by Bill St. Clair »

barkingowl

  • Guest
Re: TCF SSL Access
« Reply #38 on: April 10, 2007, 08:35:55 pm »

Thanks Bill! I can see the little lock icon displayed in the upper right corner of my Safari window.  :mellow:

Bill St. Clair

Re: TCF SSL Access
« Reply #39 on: August 17, 2007, 08:18:21 am »

I got a notice today from cacert.org that our SSL certificate would expire in 45 days, so I renewed it today, while I'm thinking of it. I expect Hosting Matters to install it soon. When they do, you may get a warning that the certificate is unrecognized, and you'll have to tell your browser to accept it, permanently if you don't want to see the warning again, or temporarily if you do.

username

  • Full Member
  • ***
  • Offline Offline
  • Posts: 147
Re: TCF SSL Access
« Reply #40 on: August 17, 2007, 10:22:48 am »

If you really want to have an effectively secure forum there are several things that need to be done beyond SSL. Of course, like in anything, there is risk of users being undercover agents gathering information, essentially compromising the most secure environments.

Honestly, the only real solution is to keep your groups small and your members well known. :)

Username

Bill St. Clair

Re: TCF SSL Access
« Reply #41 on: June 21, 2008, 04:46:56 pm »

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Somebody asked me to post the fingerprints of our SSL certificate. I sent
email, but it appears to have not arrived.

The certificate's fingerprints are:

  SHA1: C3:B7:FD:6B:9C:9B:2C:13:DF:07:8E:61:55:E2:19:51:D4:35:37:98
  MD5:  8B:FD:FB:19:B8:06:04:8C:13:7B:D3:F4:1F:34:FC:77

Because I'm using a cacert.org free certificate, I have to update it every
six months. From now on I'll post the fingerprints, signed with my PGP key,
when I update.

There is some concern with the Debian key generation problem. I don't think
our certificate has that.

The TMM certificate was generated by cacert.org. http://blog.cacert.org/
says:

"Luckly, the CAcert Root Class 1 and 3 keys are not affected as these were
generated before the vulnerability was introduced into Debian[3] in
September 2006. The process that signs CSR (certificate signing requests)
and therefore all signed public keys does not use any key generation, so
they are not affected by CAcert. Conclusion: CAcert does NOT have to
reissue every signed certificate."

cacert uses Debian internally, so there is a tiny chance that somebody
snuck into their system using a forged SSH key, and stole their root
certificate private key. They didn't think that was enough of a threat to
regenerate their root certificate, though.

The TMM certificate's private key was generated by site5.com's automated
system. I can't find anywhere whether they use Debian for that. It appears
from /proc/version in the SSH environment on our hosting machine, that it
is Red Hat 3.4.6-9. That doesn't imply that their SSL certificate signing
request generator is also running Red Hat, but I'd call it likely.

Bill

-----BEGIN PGP SIGNATURE-----
Version: 9.7.2.1608

wlcDBQFIXXYzesiiYincerIRCKPHAQD8DYffJc1tEQ8kevCjw4Q6VJUcFzowgmDl
2oTYVEzA1wEAk/cb5HkCATVTLzf7iGRIai/MOKt7yznpNHDYDVQTZ8E=
=hFUk
-----END PGP SIGNATURE-----
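How a reader would check a certificate against the fingerprints published in the post above. This is an added example, not code from the forum or its administrators; the sample PEM is a constructed stand-in rather than the forum's certificate, the function names are hypothetical, and the same functions accept other digests such as sha256:

```python
import hashlib
import hmac
import ssl

# Fingerprints as published in the signed post above.
PUBLISHED = {
    "sha1": "C3:B7:FD:6B:9C:9B:2C:13:DF:07:8E:61:55:E2:19:51:D4:35:37:98",
    "md5": "8B:FD:FB:19:B8:06:04:8C:13:7B:D3:F4:1F:34:FC:77",
}

# Constructed stand-in: PEM armor around arbitrary bytes, not the forum's
# certificate. In practice this is the PEM your browser or client received.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnRpZmljYXRl\n"
    "-----END CERTIFICATE-----\n"
)


def fingerprint(der: bytes, algo: str) -> str:
    """Hash the DER bytes and format as colon-separated upper-case hex."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints(pem: str, algos=("sha1", "md5")) -> dict:
    """Publisher side: the values to post for a certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)  # fingerprint covers DER, not PEM text
    return {algo: fingerprint(der, algo) for algo in algos}


def normalize(fp: str) -> str:
    """Ignore case, colons and spaces so copy/paste differences don't matter."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def verify(pem: str, published: dict) -> bool:
    """Reader side: every published fingerprint must match the certificate."""
    actual = fingerprints(pem, tuple(published))
    return bool(published) and all(
        hmac.compare_digest(normalize(actual[a]), normalize(published[a]))
        for a in published
    )


if __name__ == "__main__":
    print(fingerprints(SAMPLE_PEM))
    print("matches published:", verify(SAMPLE_PEM, PUBLISHED))
```

The comparison is only as trustworthy as the channel the published values arrived over, which is why the post carries them inside a PGP-signed message.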

gridboy

  • Full Member
  • ***
  • Offline Offline
  • Posts: 558
Re: TCF SSL Access
« Reply #42 on: July 01, 2008, 09:35:51 am »


Hi,

 I'm getting a warning from my browser that these pages are partially unencrypted.
Is that the intent?

Thanks,
gridboy

Bill St. Clair

Re: TCF SSL Access
« Reply #43 on: July 01, 2008, 10:27:36 am »


Quote
Hi,

 I'm getting a warning from my browser that these pages are partially unencrypted.
Is that the intent?

Thanks,
gridboy

There are two places that warning can come from:

1) The Google Adsense banner at the top of the page

2) User avatars stored on external web sites.

Those are expected. They could possibly be used to associate your IP address with that page you're browsing here.
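The two sources named in the reply above, an ad script and externally hosted avatars, are what a mixed-content scan of an https page reports. This is an added example, not code from the forum or its software; the HTML is constructed, the hosts are placeholders, and the class and function names are hypothetical:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch a subresource.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}
ACTIVE = {"script", "iframe", "link"}  # can change the page, not just display

# Constructed sample page; hosts are placeholders, not the forum's markup.
PAGE_URL = "https://forum.example/forums/index.php?topic=1"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/forums/Themes/default/style.css">
<script src="http://ads.example.net/show_ads.js"></script>
</head><body>
<img class="avatar" src="http://images.example.org/users/owl.png">
<img class="avatar" src="https://forum.example/avatars/local.png">
<a href="http://elsewhere.example/">plain link, fetched only if clicked</a>
</body></html>
"""


class MixedContentFinder(HTMLParser):
    """Collect subresources an https page would fetch over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, host, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are treated as fetched here
        url = urljoin(self.page_url, value)  # resolves relative and //host URLs
        parts = urlsplit(url)
        if parts.scheme == "http":
            kind = "active" if tag in ACTIVE else "passive"
            self.findings.append((kind, tag, parts.hostname, url))


def find_mixed_content(html, page_url):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings
```

Each finding's host is a third party that sees the reader's IP address and, through the Referer header, possibly the page being viewed; serving avatars and scripts from the forum's own https origin removes both the warning and that exposure.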

Apple

  • Strangely Attractive
  • Full Member
  • ***
  • Offline Offline
  • Posts: 703
  • Play the Game
    • Weapons of Mass Enlightenment
Re: TCF SSL Access
« Reply #44 on: July 01, 2008, 01:22:55 pm »

Thanks for the heads-up Bill. I did indeed not receive any e-mail from you; how odd. ??? Thanks also for keeping us up to date regarding the certificate from now on. And I didn't even have to ask! :notworthy:

Finally, I never saw this thread until it was posted to again today. My bad, it must have slipped through the cracks.
 —Well? Shall we go?
 —Yes, let's go.
[Stage directive: they do not move.]

(last lines of “Waiting for Godot”)

PGP Key:  A2D2 B4BD CEB9 24C8 F272  16DC C1C9 65C5 39ED A0BF