Searching RISCOS Open
Colin Ferris (399) 1798 posts |
When searching RISCOS Open site on a phone I get this error- This server could not prove that it is www.riscosopen.com; its security certificate is from www.riscosopen.org. This may be caused by a misconfiguration or an attacker intercepting your connection - Any Ideas? |
Stuart Swales (8827) 1326 posts |
Have you gone to the wrong site to do your search? This site is www.riscosopen.org |
Steve Pampling (1551) 8126 posts |
The domain name is riscosopen.org, not riscosopen.com The certificate of the server is for www.risosopen.org and is valid only for that server – i.e. host = www in the domain riscosopen.org It is possible to have SAN values that allow for other host names and other domains, but that isn’t the case for this certificate: | ssl-cert: Subject: commonName=www.riscosopen.org Edit I should probably add that www.riscosopen.com does resolve to the same IP as www.riscosopen.org, so either name is valid in DNS, but the certificate doesn’t match up. Edit2 You probably haven’t noticed before as you’ve used browsers are doing http first and the redirect on the server takes you from http://www.riscosopen.com to https://www.riscosopen.org, your phone is likely doing HTTPS first and thus going direct to https://www.riscosopen.com and hitting the certificate invalidity and then warning you of a possible Man-in-the-Middle attack because the HSTS enabled on the server is instructing the browser to do exactly that. An unfortunate consequence of enabling the HSTS while having a certificate that doesn’t match all possible DNS names Edit typo corrected |
Stuart Swales (8827) 1326 posts |
[Covered by Steve’s Edit 2] |
Steve Pampling (1551) 8126 posts |
One thing that web site maintainers should note is that real world1 browsers are increasingly adding “HTTPS first” as a feature in a progression to having it as a default option and then mandatory. So, if you have a web site, you need to look at a number of things:
Hmmm, day 5 of leave and my mind is switching back into IT support mode. Maybe a bit of gardening instead. 1 Real world browsers as opposed to RO browsers. 2 Need in this case is one of those “how do I ensure that my users aren’t having their connection intercepted and personal/financial data collected and abused” |
Colin Ferris (399) 1798 posts |
Have found works search – “Riscosopen.org USB floppy William” Does anyone know what happened to William? |
Stuart Swales (8827) 1326 posts |
Think he gave up on that: https://www.riscosopen.org/forum/forums/5/topics/8961?page=2#posts-84937 |
Rick Murray (539) 13751 posts |
The site is misconfigured. There are various aliases in use (. org.uk, .co.uk), and in a quick test, only the .org.uk redirects. I think this is best handled by a DNS entry (CNAME?) to tell everybody that .org is the preferred domain. 1 Be aware, a fair few Google searches for ROOL stuff will take you to the wrong domain and it will cause scary warnings to appear. 1 That’s how going to the .co.uk version of my site tosses you over to the .eu one. |
Bryan (8467) 468 posts |
Why wouuld it not? |
Steve Pampling (1551) 8126 posts |
Quite a number of reasons, foremost:
That’s not the point though. The point I made was that although the two URLs resolve to the same IP, the behaviour of the browser on getting to that IP depends on the URL used to get there. Rick is right that changing the DNS by replacing the A record of www.riscosopen.com with a CNAME of www.riscosopen.com —> www.riscosopen.org would have the client browser expecting to connect to www.riscosopen.org However, he will find that .co.uk does redirect, when the initial connection is on HTTP |
Bryan (8467) 468 posts |
You need to read what you posted. |
Steve Pampling (1551) 8126 posts |
Yep. Typo. Should be …same IP as www.riscosopen.org Although the comments 1 & 2 above are correct too.
As an example: uhmeded.uhcw.nhs.uk or apps.uhcw.nhs.uk (and a few others) The cert is a wildcard so applicable to all, the URL determines the target host and port used to connect to the host. A bit more complicated than any RO user needs though. |
Rick Murray (539) 13751 posts |
Speaking only for myself… I’ve bookmarked the Recent Posts page, and I just call up the bookmark and go from there. I think Android Chrome these days tries hard not to deal with http only sites. Leading to the interesting situation in that if I find a PDF datasheet and it’s on a non-encrypted site, I’ll simply get a blank window with a lengthy google.com URL at the top. Google’s A-grade programmers at work again. <sigh> |
Colin Ferris (399) 1798 posts |
William of Acorn USB floppy drive fame talked about contacting Sprow did this happen? William Email address! |
Rick Murray (539) 13751 posts |
Just fiddled with my site, and it looks like the redirects are simply 301s set up in the .htaccess file, and the reason the “www.heyrick.co.uk” doesn’t choke is because it’s listed as an alternative in the certificate data; along with the alternate “www.heyrick.eu” and the main “heyrick.eu”. That works too. Either way, ROOL needs to sort out how the aliases are handled because modern browsers default to trying https and, well, awooga! this is bad! Should I even mention the lack of an AAAA record? ;) |
Rick Murray (539) 13751 posts |
If you’re looking at a possible way to get data from an old floppy, then this might be of interest: You’ll need some sort of PC (unless anybody fancies taking a crack at writing a driver?) to communicate with the device. |
Stuart Swales (8827) 1326 posts |
And there are plenty of us with functioning RISC PCs etc. with floppy drives. |
Steve Pampling (1551) 8126 posts |
I’m looking to retire before someone insists we have to have IPv6 connectivity |