Security certificates and the 2016 web.

Loads of sites that should have good certs are coming up as not.

Is this the latest round of hacker a-holes vs everyone else? Russia, China or Anonymous?

Examples?

Error (expired or invalid)?

That's the one, but it's turning out to be an amazing number of sites. It's almost as if the time for new certs came early or, more likely to me, that someone's playing havoc with the net.

GoForSmoke:
Is this the latest round of hacker a-holes vs everyone else? Russia, China or Anonymous?

The certificate will be stored on your computer. Regardless of where they are stored, they cannot be modified without detection (different error message). They are essentially a digitally signed document. The check can be done anywhere (is today >= expiration). I don't think there is any way to fake / alter / hack an expiration.

Have you examined any of the certificates? Maybe there is an issue with a particular vendor.

Is your computer's clock correct?

Certificates (for https) are stored on the server and downloaded to the browser during key and cipher negotiation.

The web has been quietly migrating from SSL to TLS since the poodle / beast exploits which surfaced a couple years ago. As part of the migration, some intermediate public keys have been replaced this year, before the expiry date of previously issued certificates. In this case, the sysadmin might neglect to replace the intermediate certificate [1] when the local certificate is renewed, causing an unexpected expiry error at a later date. There are many other possibilities but intermediate expiry has the potential to affect many dependent certificates at the same time.

[1] Hands up. Luckily I caught it before anyone saw an expiry error in their browser.

I hadn't looked, never have, probably won't know half of what I see.
It's been many sites, first one I made an exception for was the Arduino site, yesterday it was Google!
What didn't help was yesterday Mozilla updated Seamonkey that now won't run on my old WinXP PC.

MattS-UK wrote:
Certificates (for https) are stored on the server and downloaded to the browser during key and cipher negotiation.

The web has been quietly migrating from SSL to TLS since the poodle / beast exploits which surfaced a couple years ago. As part of the migration, some intermediate public keys have been replaced this year, before the expiry date of previously issued certificates. In this case, the sysadmin might neglect to replace the intermediate certificate [1] when the local certificate is renewed, causing an unexpected expiry error at a later date. There are many other possibilities but intermediate expiry has the potential to affect many dependent certificates at the same time.

I won't worry about it then.

I need to build a new PC though perhaps the new RPi PC OS could give my Sempron machine new legs.

Google's current certificate...

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            48:2a:fa:40:26:f3:e6:ba
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Validity
            Not Before: Dec 15 14:07:56 2016 GMT
            Not After : Mar  9 13:35:00 2017 GMT
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:www.google.com
            Authority Information Access:
                CA Issuers - URI:http://pki.google.com/GIAG2.crt
                OCSP - URI:http://clients1.google.com/ocsp

            X509v3 Subject Key Identifier:
                BB:49:C7:DE:F5:B9:E8:E7:2B:CA:DC:DA:2C:AD:92:7A:FD:26:55:BD
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F

            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.11129.2.5.1
                Policy: 2.23.140.1.2.2

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://pki.google.com/GIAG2.crl

    Signature Algorithm: sha256WithRSAEncryption

The validity range...

        Validity
            Not Before: Dec 15 14:07:56 2016 GMT
            Not After : Mar  9 13:35:00 2017 GMT

...suggests @MattS-UK was spot-on for Google. Certificates are typically issued in 12 month increments. Dec 15 to Mar 9 suggests the certificate was re-keyed which may be because of a problem with an intermediate certificate.
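The two checks discussed in this thread (is the clock right, and is an intermediate expiring before the leaf it signed) can be scripted against the openssl text output quoted above. This is an added example, not code from anyone in the thread; it parses only the Validity block, the leaf window is the one quoted above, and the intermediate and root windows are constructed to show a chain failing on the intermediate while the leaf is still fresh.

```python
import re
from datetime import datetime, timezone

UTC = timezone.utc
_VALIDITY_RE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$", re.M)  # openssl x509 -text lines

# Validity block copied from the www.google.com dump quoted in the thread.
SAMPLE_X509_TEXT = """\
        Validity
            Not Before: Dec 15 14:07:56 2016 GMT
            Not After : Mar  9 13:35:00 2017 GMT
"""

def parse_validity(x509_text):
    """Return (not_before, not_after) as aware UTC datetimes."""
    found = {}
    for which, stamp in _VALIDITY_RE.findall(x509_text):
        # Collapse "Mar  9" to "Mar 9" and drop the trailing "GMT" (openssl always prints GMT).
        stamp = " ".join(stamp.split()[:4])
        found[which] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=UTC)
    return found["Before"], found["After"]

def validity_days(not_before, not_after):
    """Calendar length of the window; ~90 days or less is a short-lived cert like Google's."""
    return (not_after.date() - not_before.date()).days

def check_window(not_before, not_after, now):
    """Classify one certificate against the clock, the way a browser does."""
    if now < not_before:
        return "not yet valid"   # the symptom of a client clock set in the past
    if now > not_after:
        return "expired"
    return "valid"

def check_chain(chain, now):
    """chain: [(name, not_before, not_after), ...] from leaf to root. Every link must
    be inside its window, so one expired intermediate fails every leaf issued under it."""
    return [name for name, nb, na in chain if check_window(nb, na, now) != "valid"]

def demo_chain(year, month, day):
    """Leaf window from the thread; intermediate and root windows are constructed."""
    now = datetime(year, month, day, tzinfo=UTC)
    leaf_nb, leaf_na = parse_validity(SAMPLE_X509_TEXT)
    chain = [
        ("www.google.com", leaf_nb, leaf_na),
        ("Constructed Intermediate CA", datetime(2014, 1, 1, tzinfo=UTC), datetime(2017, 1, 31, tzinfo=UTC)),
        ("Constructed Root CA", datetime(2010, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC)),
    ]
    return check_chain(chain, now)
```

Run against a full `openssl s_client -showcerts` chain, the same loop over every certificate tells you which link actually expired, which is what the browser's generic error hides.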

GoForSmoke:
I hadn't looked, never have, probably won't know half of what I see.

Is that in response to my question about your computer's clock?

...yesterday it was Google!

Have you accessed Google since Dec 15?

I won't worry about it then.

Excellent choice.

The trouble began in the last few days, less than a week. The cert you found, you just got that?

My PC time and date are good. I should find the exceptions I made and remove them then see what happens.

Mostly I wanted to know if others are getting the same problem. That might tell me something.

GoForSmoke:
The cert you found, you just got that?

Yes.

Mostly I wanted to know if others are getting the same problem.

Other than the trouble here (which was just a simple expiration problem) I have not.

Google's intermediate certificate is nothing special so there is probably another reason for Google changing the TLS certificate on Dec 15.

It's possible that my system is outdated. Still had to make an exception to run another Google page. The Google cert shows Dec to Apr as you posted.
I poked into browser connection settings to see the OCSP parts but don't know enough to be confident about any changes I'd make. As now, my box decides if the cert is good (with SSL 3.0 and TLS 1.0 checked) and for many sites it is unhappy.

Have you examined the intermediate and root certificates for Google?

GoForSmoke:
It's possible that my system is outdated.

Did you say XP? Then yes, your system is outdated.

IIRC the minimum TLS version for PCI compliance is (or will be shortly) 1.2, which XP does not natively support. Mozilla were muttering about being less tolerant of servers running the older ciphers too.

Slowly but surely the internet is being dragged forward, beyond the older encryption protocols supported by XP. I don't suppose there are (m)any web developers still bothering to test against XP.

The RPi OS is beta but essentially it's Debian so should be fine.

I do have a choice then but keeping XP on a net machine is not a branch of that choice.

Thank you, forum members. I'd add a ! but I don't feel excited.
I'm getting too old and this is worse than the birthday ending in 0.

GoForSmoke:
I do have a choice then but keeping XP on a net machine is not a branch of that choice.

Thank you, forum members. I'd add a ! but I don't feel excited.
I'm getting too old and this is worse than the birthday ending in 0.

You were born in 1900 ?? ?? :grin:

Why does the forum software turn three consecutive question marks into a smiley?

GoForSmoke:
I do have a choice then but keeping XP on a net machine is not a branch of that choice.

No one is going out of their way to stop you but you will find maintaining that choice increasingly difficult. A little like a fax machine for electronic messaging. Nothing to stop you installing a fax but fewer and fewer people will accept fax messages.

Thank you, forum members. I'd add a ! but I don't feel excited.

One may correctly insert an exclamation mark in parenthesis to end a deliberately obtuse sentence; suggesting there is a further explanation. I looked that up after an American criticised my use of an exclamation mark to imply irony (!)

I'm not excited about replacing/upgrading and setting everything back up. It's not because of you.

If you watch Google's site you'll see they typically use certificates that are valid for no more than ~3 months.

Back in September there was an issue where they found that Symantec had inappropriately issued certificates for their domains. I seem to recall that Google's ~3 month policy has been going on longer than that, but it does give you some idea why Google is as paranoid as they are.