
Wrong certificate displayed before authentication

FirstSpot Forum Index -> Pre-sales Support Forum
pzabel



Joined: 02 Jun 2009
Posts: 1
Location: New Jersey, US

PostPosted: Fri Jun 05, 2009 8:32 pm    
Post subject: Wrong certificate displayed before authentication

Testing with version 6.01

I am using Username/Password login option and I keep getting browser error that certificate does not match web site.

This ONLY happens if user has not authenticated yet. If the first site he happens to go to is SSL (https://www.mybank.com), the browser should redirect to firstspot.org:5788, but error comes up instead.

Funny thing is, the error says the identity of the website is www.mybank.com, but if you view the certificate, it shows the self-signed Internet Widgets Pty Ltd. The server is offering the wrong certificate to the client browser.

If user goes first to NON-SSL site the login page comes up without error. After authenticating, SSL sites work fine.

I have tried enabling SSL for login page, enabling 3rd party SSL certificates, installing my own certificate in apache. Nothing works so far.

Any ideas?

Phil
alan
Forum facilitator


Joined: 26 Sep 2003
Posts: 4435

PostPosted: Sat Jun 06, 2009 4:03 am    
Post subject:

Apart from the browser warning, the login process should work fine.

This is a bit undesirable and is actually by design. Since FirstSpot needs to "decode" the https (SSL) URL so that it can redirect it to the original URL, FirstSpot will pretend to be the public certificate server. After you click "proceed anyway", FirstSpot will successfully get the original URL and redirect to the original URL correctly after login.
_________________
~ Patronsoft Limited ~
alan
Forum facilitator


Joined: 26 Sep 2003
Posts: 4435

PostPosted: Mon Jun 08, 2009 5:53 pm    
Post subject:

One more thing we want to emphasize is that this is NOT really a limitation of FirstSpot, but rather the security feature of SSL. FirstSpot has no way of redirecting a https request to the login page, unless the client clicks "proceed anyway" button.

Imagine the following security attack: a rogue ISP wants to pretend to be your banking secure login page to capture your personal information. Since the banking login page is SSL encrypted, the client will get a warning if the banking login page is somehow tampered with by the ISP (i.e. a man-in-the-middle attack). The reason is that the ISP cannot pretend to be the CA, as it doesn't have the CA's private key.
_________________
~ Patronsoft Limited ~
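The check that produces the warning both replies describe, as an added example that is not FirstSpot's code: a TLS client compares the names in the certificate it was handed with the host it asked for, and separately checks whether the certificate chains to a trusted issuer. The first reply's "pretend to be the public certificate server" fails the first test (a self-signed placeholder certificate names nothing like www.mybank.com), and the second reply's rogue-ISP scenario fails the second even if the forged certificate does carry the bank's name. The certificate dictionaries (in the shape Python's ssl.getpeercert() returns), the trusted-issuer set and the hostnames below are constructed for illustration; the "trusted root" lookup by issuer name stands in for the signature verification a real client performs.

```python
"""Hostname and issuer checks a TLS client applies to a presented certificate.

Added example; not FirstSpot code. Certificates are constructed dictionaries in
the shape ssl.SSLSocket.getpeercert() returns, so this runs with no network.
"""
import ipaddress

# Constructed: what the real www.mybank.com would present.
BANK_CERT = {
    "subject": ((("commonName", "www.mybank.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "www.mybank.com"), ("DNS", "mybank.com")),
}

# Constructed: a self-signed certificate with OpenSSL's default placeholder
# subject, the kind a captive portal presents when it intercepts https:// first.
PORTAL_CERT = {
    "subject": ((("organizationName", "Internet Widgits Pty Ltd"),),),
    "issuer": ((("organizationName", "Internet Widgits Pty Ltd"),),),
    "subjectAltName": (),
}

# Constructed: the rogue-ISP case, a certificate that does name the bank but is
# issued by a party no client trusts.
FORGED_CERT = {
    "subject": ((("commonName", "www.mybank.com"),),),
    "issuer": ((("organizationName", "Internet Widgits Pty Ltd"),),),
    "subjectAltName": (("DNS", "www.mybank.com"),),
}

# Constructed stand-in for a root store; a real client verifies the chain's
# signatures rather than looking up an issuer name.
TRUSTED_ROOT_ISSUERS = {"Example Public CA"}


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style match of one DNS-ID pattern against a hostname.

    A '*' may only be the whole left-most label, matches exactly one label and
    is refused in two-label patterns such as '*.com'. Case-insensitive.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # wildcard must be the entire left-most label
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # no '*.com'; '*' covers exactly one label
    return p_labels[1:] == h_labels[1:]


def _rdn_value(name, key):
    """Return the first attribute `key` from a getpeercert()-style name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def cert_matches_hostname(cert, hostname):
    """Return (ok, reason). SAN entries take precedence; CN is a fallback only
    when the certificate carries no DNS SAN at all."""
    sans = cert.get("subjectAltName", ())
    dns_ids = [v for k, v in sans if k == "DNS"]
    ip_ids = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(c) == ip for c in ip_ids):
            return True, "matched IP SAN %s" % hostname
        return False, "no IP SAN matches %s" % hostname
    if dns_ids:
        for pattern in dns_ids:
            if _dns_name_matches(pattern, hostname):
                return True, "matched DNS SAN %s" % pattern
        return False, "%r does not match any SAN in %s" % (hostname, dns_ids)
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    if cn is not None and _dns_name_matches(cn, hostname):
        return True, "matched subject CN %s (no SAN present)" % cn
    return False, "certificate names nothing matching %r (CN=%r)" % (hostname, cn)


def browser_warnings(cert, hostname):
    """List the reasons a client should refuse `cert` for `hostname`;
    an empty list means the certificate would be accepted silently."""
    problems = []
    if cert.get("subject") == cert.get("issuer"):
        problems.append("self-signed: issuer equals subject")
    elif _rdn_value(cert.get("issuer", ()), "commonName") not in TRUSTED_ROOT_ISSUERS:
        problems.append("issuer is not a trusted root")
    ok, reason = cert_matches_hostname(cert, hostname)
    if not ok:
        problems.append(reason)
    return problems


if __name__ == "__main__":
    for label, cert in (("bank", BANK_CERT), ("portal", PORTAL_CERT), ("forged", FORGED_CERT)):
        print(label, browser_warnings(cert, "www.mybank.com"))
```

Run against "www.mybank.com", the bank's certificate yields no warnings, the portal's placeholder certificate yields two (self-signed and no matching name), and the forged certificate yields one (untrusted issuer) even though its names match, which is the point of the second reply: redirecting an https:// request to the login page without a warning would require a certificate for the bank's name that the client already trusts.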