hoakley October 3, 2021 General, Macs, Technology

Last Week on My Mac: Web woes worsen

Little did I realise when, just over ten days ago, I passed on a warning that older Macs could have a problem looming with connecting to some websites. One comment there even suggested that it would prove just a storm in a teacup, and that the enthusiasts who would keep such old systems in use would take it in their stride. Since the first of those security certificates expired on 29 September, there’s been a steady stream of comments from ordinary users, those operating small websites, developers, and system administrators, documenting far more extensive consequences than any of us had anticipated.

For me, the realisation that this was no teacup came when I checked a local website providing real-time wind and weather reports. My iMac Pro running Big Sur, and my iPhone on iOS 15, both blocked the site as I have shown here. When I tried to connect to it on my M1 Mac mini, running the current beta of Monterey, that had no trouble. There are all sorts of issues which might explain that, but what I saw next I still find unbelievable: side by side, the iMac showed me the broken chain of trust going back through an intermediate certificate which had expired that day, to a root which was due to pass away the very next day. Yet on the mini, the same leaf certificate showed an entirely different certificate chain, including the new intermediate and root.

There’s something badly wrong when two systems on the same network report completely different chains of trust for the same leaf certificate. Yet it seems to happen elsewhere: when I check the certificates for any Wikipedia site, I see intermediate and root certificates from DigiCert which are totally different from those provided by Let’s Encrypt which expired at the end of September, yet several comments here assert that Wikipedia’s certificate traces back through the same expired intermediate and root used by Let’s Encrypt.

As many of you have remarked here, it’s not just a problem with browsers like Safari, but with a wide range of apps, plug-ins, and more. Some third-party browsers such as Firefox (but not Google Chrome yet) manage their own security certificates, which makes working around such problems both easier and more dangerous.

Why more dangerous?

Security certificates are intended to protect you from the hostile Internet. Every time that you allow a broken certificate to be ignored, you’re opening up another vulnerability on your Mac. It’s like the soldier who wears body armour deciding to leave out its protective plates because they’re too heavy and tire them out. The ultimate result is the desire, now being expressed by some in their comments, to be able to disable all security protection. Said soldier now wants to discard their body armour completely.

You don’t have to look too hard or far on the Internet to discover what’s lying in wait for you when you start disabling these protections. In another comment, someone had a close call when the URL they thought was that of their local library turned out to be an imposter, presumably sat waiting to catch the unwary, and those who’ve got so fed up with their browser’s security antics that they override everything they can.

It’s a sad fact of life on the Internet that there’s always someone waiting for you to make a mistake, and to exploit it before you even know what has happened. Safari and other reputable browsers incorporate layers of security to try to help you help yourself. Before you even consider turning any of them off, you need to be absolutely certain that the site you’re trying to open is what you think it is.

When your browser blocks or warns you about a site you want to visit, don’t just blunder on assuming that you’re right. You might be, but you have at least to wonder what’s wrong, and whether that’s a warning in itself. Check the site’s certificates and think through the implications of any error messages. If the identity on the leaf certificate doesn’t match the site you’re trying to connect to, be extremely wary, as that’s a common ploy of impersonators.

There’s one command tool which can prove useful, as it’s designed to test the App Transport Security (ATS) built into macOS. Substituting the name of the website you’re interested in, at Terminal’s command prompt type
/usr/bin/nscurl --ats-diagnostics --verbose https://www.website.com
to see a full diagnostic assessment of ATS.

You can also use OpenSSL in versions of macOS up to and including Big Sur to check security certificates in more detail than you’re likely to get in Safari. Again, with the website substitution
openssl s_client -showcerts -connect www.website.com:443
can prove useful. Apple documents this for developers here, and provides more information about TLS and ATS in its Platform Security Guide.

I think we’ve all been reminded in the last few days just what a mess Web security is, and how the routine updating of security certificates can break all hell loose. Please take care not to let your personal security go the same way.

21Comments

Add yours

1

fds on October 3, 2021 at 10:57 am

Let’s be clear on where the blame lies: if anyone, anywhere has issues loading a Let’s Encrypt-certificated page on a still supported OS, it’s a mistake made by the administrator of that system. You, the user, has nothing to do or try, other than maybe find some way to contact those responsible to fix their setup. It’s highly advised not to make trust exceptions for their botched configuration on your end.

Just the age-old issue with certificates, and their baked-in expiration, ensuring there’s a continuous task for someone, or something, in the future to keep on replacing and updating them in time. Used to be that certificates were issued for 2 years or longer, and people simply replaced them manually. A task of maybe five minutes, every 2 years, not that big of a deal… except, of course, you’d forget since it happened so infrequently. Or the previous person who used to do it changed jobs, and so on. Happens still with sad regularity anywhere still on a legacy manual certificate setup.

Let’s Encrypt actually brought a very important advancement on this issue. They spearheaded a fully automated system for keeping the certificates up-to-date, and setting their expiration low enough (only 3 months) that not properly automating the updates would become untenable real fast for the lazy sysadmin. Now, there remained one source of mistakes that’s catching out those failing examples you found: it’s only the end certificates that were that regularly expiring and in need of constant automated replacement, yet in a classic setup your server sends both the certificate that was issued specifically to you, and any intermediate certificates further up the chain. Let’s Encrypt’s automated system was devised, specified, and urged from day one to also keep those intermediate certs part of the automated update. Anyone making a mistake in their automation there, since the intermedia certificate didn’t need changing for years, now they’re broken.

And then the whole mess is basically also colored by another age-old issue and philosophical debate in software development. Being a stickler for failing fast and hard on a mistake, or proceeding as if there wasn’t anything out of place if you can have the smarts to fix the issue safely. You don’t fail, and the users are happier, except now the other party is not incentivized to fix their mistake, ever, and anybody else will be expected to include the same workarounds. With certificates, a classic case of this was setting up your server to not send the intermediate certificates at all. Yet some software still mysteriously worked, either having cached the right intermediate certificate from elsewhere, or automatically going out of their way to retrieve it on demand from the CA. For the developer mindset, the mystery is why does X work in the face of apparent failure. For the users, the mystery and the blame is placed on the ones that – actually rightfully – fail.

Same here. While even a website serving you an outright wrong intermediate certificate might load somewhere, somehow, and, hey, nothing wrong with enjoying your luck. In the end it’s still all down to the sysadmin to fix it on their end. And the sticklers among us would still wish it failed universally.

LikeLiked by 1 person
- 2
  
  hoakley on October 3, 2021 at 7:20 pm
  
  Thank you.
  I’m not sure that blame gets us any further forward, and is perhaps one of the reasons why these problems continue to curse us.
  In fairness, if you have to blame anyone, then you need to blame the lot – from the certificate system, through to browser engineers. They all keep insisting that it ‘just works’ when we know that it also ‘just breaks’.
  Everything stems from the rush to HTTPS because of all the exploitation of plain HTTP connections. Why on earth anyone should need to encrypt responses from a public met service I’ll never know, but if it doesn’t use a suitably recent version of TLS, our browsers throw a wobbly.
  That means that amateurs who have never learned how to run secure servers all of a sudden are force to dabble in a subject that they’re ignorant of, and trust others who tell them that it’s simple, all they have to do is X. But as we know, there’s a lot more to it than X.
  Howard.
  
  LikeLike
3

cwilcoxharvard on October 3, 2021 at 1:46 pm

“Third-party browsers such as Google Chrome and Firefox manage their own security certificates…”

Google Chrome does *not* yet manage its own certificate store. They’ve stated their intention to do so [0] but it hasn’t happened yet. Of course, it won’t change on iOS/iPadOS, on those the OS store *must* be used and Chrome on those isn’t really it’s own browser.

I remember what the other commenter referred to, server’s that didn’t sent intermediate certificates at all. It was common with less experienced admins but in their defense, the guides they were following often didn’t tell them to do so. It often wasn’t a problem for Windows users, their systems did cache intermediate certificates, but OS X and Safari users did have problems because they didn’t have a cache of intermediate certificates.

[0] https://www.chromium.org/Home/chromium-security/root-ca-policy

LikeLiked by 2 people
- 4
  
  hoakley on October 3, 2021 at 2:28 pm
  
  Thank you: I have corrected my error.
  Of course that begs another question, as why some users report that when Safari refuses to connect because of an expired certificate, how Chrome usually is able to connect without problems. Does that mean that Chrome ignores expired intermediate certificates?
  Howard.
  
  LikeLike
  - 5
    
    Zak on October 3, 2021 at 6:30 pm
    
    that’s not “begging the question”
    
    LikeLiked by 1 person
    - 6
      
      Zak on October 3, 2021 at 6:32 pm
      
      (sorry, my pseudo-html ‘pedantic mode’ tags didn’t appear)
      
      LikeLiked by 1 person
    - 7
      
      hoakley on October 3, 2021 at 7:28 pm
      
      Thank you. According to my English dictionaries etc. that is exactly what I mean:
      SOED meaning (b): “raise a point that has not been dealt with, invite an obvious question”
      Collins meaning c: “To suggest that a question needs to be asked”
      As I did exactly that and asked that other question, I don’t see what you mean, I’m afraid, pedantry or otherwise.
      Howard.
      
      LikeLike
    - 8
      
      Zak on October 4, 2021 at 3:38 pm
      
      Very well: I’ll concede that this usage has become common, even though I don’t agree with it! See petitio principii.
      
      LikeLiked by 1 person
    - 9
      
      hoakley on October 4, 2021 at 5:49 pm
      
      “has become common”
      Well, it was common over fifty years ago, so I don’t know how far back you want to go.
      Howard.
      
      LikeLike
    - 10
      
      Justin McMurtry on October 5, 2021 at 5:12 pm
      
      Howard: This cherished classic from the late William Safire’s On Language column in the New York Times explains, much better than I ever could, what @Zak is getting at here. Enjoy. =)
      
      LikeLiked by 1 person
    - 11
      
      hoakley on October 5, 2021 at 10:27 pm
      
      Several others have written on this phrase, among them Mark Lieberman on Language Log.
      What all seem to have missed – which perhaps is the result of them being USEng speakers – is that this isn’t an unusual use of the word ‘beg’. Since the 16th century, ‘beg’ has in BritEng been used to mean to ask politely, e.g. I beg your pardon, I beg leave to do something, I beg to differ. The contention that ‘beg’ is a strange word in this context is thus not the case with BritEng at least.
      In BritEng, I think you’ll find the phrase’s narrow rhetorical usage is rare, and overwhelmingly it’s employed in the sense that I commonly use it.
      Howard.
      
      LikeLiked by 1 person
    - 12
      
      Justin McMurtry on October 5, 2021 at 5:25 pm
      
      Here’s a version of the above link that should work even for NYTimes non-subscribers.
      
      LikeLiked by 1 person
    - 13
      
      hoakley on October 5, 2021 at 5:52 pm
      
      I’ve tweaked these to include the link, and can only apologise for WordPress’s intransigence.
      Howard.
      
      LikeLiked by 1 person
    - 14
      
      Justin McMurtry on October 5, 2021 at 5:46 pm
      
      Howard: Apologies for the multiple replies, trying to get it right. Please prune them as you deem appropriate.
      
      I’ve created a “shortened” URL for the article link that includes the lengthy string of parameters that allows non-subscribers to read it in full. That shortened URL is below:
      
      https://tiny.cc/safire-beg-the-question
      
      https://tiny.cc/safire-beg-the-question
      
      LikeLiked by 1 person
15

hstriepe on October 3, 2021 at 4:38 pm

I am getting a bunch of bogus certificate errors on my MB Pro M1 running Monterey B8 including sites like NBCNews. They come up as I leave the site!

LikeLiked by 1 person
- 16
  
  hoakley on October 3, 2021 at 7:23 pm
  
  Oh. I just checked NBCNews, and it doesn’t appear to pass full TLS v1.3, which may account for those errors.
  Howard.
  
  LikeLike
17

paul m white on October 6, 2021 at 12:40 pm

I’m a simple browser user with an older end of life Mac/system (El Capitan 10.11.6) and the explosion of certification errors while using Google Chrome has wrecked my browsing habits. In looking for some solution I read accounts by sophisticated users/professionals and haven’t a clue as to understanding proposed fixes for the problem. Indeed, it seems the problem is systemic to the web. So what is the simple users solution? I had to trust this web site because it failed the authentication check!

LikeLiked by 2 people
- 18
  
  cwilcox on October 6, 2021 at 1:32 pm
  
  what is the simple users solution?
  
  The “simple” solution is to buy new hardware and keep its operating system current. There may be complications with it but buying one’s way out of problems is simple.
  
  Alternately, download the isrgrootx1.pem file from Let’s Encrypt, double-click it, and follow OS X’s prompts. That will add the current root certificate to your device that all sites using Let’s Encrypt rely on.
  
  A third option is to switch to using Firefox, which keeps its own list of root certificates instead of using the operating system’s. The problem with this is you can’t use the current version of Firefox because it won’t run on El Capitan, the newest version you can run is Firefox 78.14.0esr.
  
  LikeLiked by 2 people
- 19
  
  hoakley on October 6, 2021 at 9:24 pm
  
  Thank you.
  I also think this might be a good time to re-evaluate the risks that you’re running. Sadly the “simple browser user” went away some years ago. There are a lot of sites out there which are trying to get you, and using tricks and technology which your browser – whichever you use – has no resistance to. Although a modern version of macOS on a modern Mac doesn’t make these go away entirely, it would provide you with much better protection, and most of all automatic updates to address the latest malware which you may come into contact with. It actually makes life a lot simpler, much of the time anyway!
  Howard.
  
  LikeLiked by 1 person
20

paul m white on October 6, 2021 at 5:41 pm

Thanks for the options: I chose Let’s Encrypt download and stumbled through the prompts. Nothing broke but as far as improvement, I have’t noted any.

LikeLiked by 2 people
21

Michael Tsai - Blog - Some Web Sites Will Stop Working With El Capitan and Older on November 12, 2021 at 6:22 pm

[…] Howard Oakley: […]

LikeLike