
Site certificate - AuctionSniper.com


John H Meyers

Dec 8, 2007, 8:05:53 AM
Neither Firefox 2.0.0.11 nor Opera 9.24(8816) on Windows XP/SP2 (32-bit)
can verify the certificate signature for the secure login page
https://www.auctionsniper.com/securelogin.aspx

The certificate appears to be current, signed by:
"VeriSign Class 3 Secure Server CA"

Internet Explorer verifies the above,
also referring to the next higher in chain:
"VeriSign Class 3 Public Primary CA"

Neither Firefox nor Opera seem to have either exact name
in their built-in certificate stores,
but Windows (and thus IE) has the first of the above
in its "Intermediate Certification Authorities,"
and thus validates the site.

Firefox seems to have more Verisign certificates than Opera
(though not the above), and more CAs in general
are represented in Firefox (evidently also in IE).

Is there a reason why Opera doesn't include these?
(I guess I'll have to ask elsewhere re Firefox).

Is there a possibility to look in Operating System certificate stores
for additional "root" or "intermediate" or "trusted" certificates?

Thanks.

--

Carl Hansen

Dec 8, 2007, 8:45:10 PM

I'll add my support to this question. The relative paucity of
certificates in Opera is getting to be a pia. I click through the same
myriad of certificate dialogs for the same sites every day. A lot of site
owners apparently are not bothering to register with Opera either because
the process is cumbersome or the market exposure of the browser is not
enough to make it worth it. Opera should do something to offset whatever
is discouraging site owners. The current situation is discouraging users
instead. Hope someone there is reading this.


John H Meyers

Dec 10, 2007, 3:05:11 AM
On Sat, 08 Dec 2007 19:45:10 -0600, Carl Hansen wrote:

> A lot of site owners apparently are not bothering to register with Opera

Thanks for agreeing on the observations.

The site owners' registration, however,
is with third-party certificate issuers (such as VeriSign),
who are either recognized as "primary" CAs
or whose certificates are in turn signed by them,
and browsers simply include the public-key "root" certificates
of those "trusted" CAs in their browsers, as means to verify the signatures.

It's possible for a CA to be deliberately omitted by a browser,
if the vendor believes that they are untrustworthy,
but I am not aware whether any such reasons or specific omissions
have been discussed before, nor why IE (Windows) shows a different class
of "intermediate" CAs, which is not explicit (or may not be included)
in Firefox or Opera.

If it's a genuine matter of trustworthiness,
and if the number of included "root" certificates
varies inversely with the care in screening by the browser vendor,
then perhaps IE is lax, Firefox is careful,
but only Opera is really keeping the most criminals at bay,
although sometimes at the expense of excluding your bank or broker :)

--

Carl Hansen

Dec 10, 2007, 11:57:22 AM
> The site owners' registration, however,
> is with third-party certificate issuers (such as VeriSign),

OK, so stated more accurately the issue is the big difference in the
number of CAs accepted by or included with a browser. Opera 9.24 lists
six CAs, Firefox 2.0.0.7 lists 49. I didn't count IE. Examples of CAs
found in Firefox but not found in Opera include DigiCert, Digital
Signature Trust, GlobalSign, RSA Data Security, Thawte, and so on. That
is quite a large difference. If Firefox is being careful and lists 49,
Opera with 6 is what? One can say that they are keeping criminals at bay,
but as a practical matter having so few CAs effectively tells the user,
"you decide", we are opting out of this. If that is the plan, some sort
of whitelist of sites trusted and frequently visited would make life
easier. Maybe the Install button in the certificate dialog once did this
but I have never seen it other than deactivated.

David W. Hodgins

Dec 10, 2007, 12:10:15 PM
On Mon, 10 Dec 2007 11:57:22 -0500, Carl Hansen <ciph...@sonic.net> wrote:

> OK, so stated more accurately the issue is the big difference in the
> number of CAs accepted by or included with a browser. Opera 9.24 lists
> six CAs, Firefox 2.0.0.7 lists 49. I didn't count IE. Examples of CAs

I'm using 9.50, build 1709, under linux, so my results may differ from
yours.

In Tools/Preferences/Advanced/Security, Manage Certificates...,
on the Authorities tab, Opera has over 50 certificates listed, with
another 5 on the Intermediate Authorities tab.

I'm not sure if the certificates will be updated, but try selecting
Help/Check for Updates, and see if that will get the latest root
certificates.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Richard Grevers

Dec 10, 2007, 12:45:39 PM

Um, my clean install of Opera 9.24 on Windows (2k) has 72 Authorities.
Either something went wrong with your installation or something/somebody
managed to delete a bunch of them.


--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

Carl Hansen

Dec 10, 2007, 1:49:52 PM
On Mon, 10 Dec 2007 09:10:15 -0800, David W. Hodgins
<dwho...@nomail.afraid.org> wrote:

> On Mon, 10 Dec 2007 11:57:22 -0500, Carl Hansen <ciph...@sonic.net>
> wrote:
>
>> OK, so stated more accurately the issue is the big difference in the
>> number of CAs accepted by or included with a browser. Opera 9.24 lists
>> six CAs, Firefox 2.0.0.7 lists 49. I didn't count IE. Examples of CAs
>
> I'm using 9.50, build 1709, under linux, so my results may differ from
> yours.
>
> In Tools/Preferences/Advanced/Security, Manage Certificates...,
> on the Authorities tab, Opera has over 50 certificates listed, with
> another 5 on the Intermediate Authorities tab.
>
> I'm not sure if the certificates will be updated, but try selecting
> Help/Check for Updates, and see if that will get the latest root
> certificates.

Download 9.24 (XP) build 8816, tried Repair first, same 6 CAs
Remove Opera. Install. Same 6 CAs.

Solution: delete opcacrt6.dat and opcert6.dat, reinstall

Thanks for your help.

Yngve Nysaeter Pettersen (Developer, Opera Software A/S)

Dec 10, 2007, 5:39:09 PM
On Sat, 08 Dec 2007 07:05:53 -0600, "John H Meyers" <jhme...@nomail.invalid>
wrote:

>Neither Firefox 2.0.0.11 nor Opera 9.24(8816) on Windows XP/SP2 (32-bit)
>can verify the certificate signature for the secure login page
>https://www.auctionsniper.com/securelogin.aspx
>
>The certificate appears to be current, signed by:
>"VeriSign Class 3 Secure Server CA"

>Is there a reason why Opera doesn't include these?
>(I guess I'll have to ask elsewhere re Firefox).

The "VeriSign Class 3 Secure Server CA" certificate is an intermediate CA
certificate that the website is *required* by the SSL/TLS specification to send.
The client is not even expected to store them, because they change often.

This is a server configuration issue, and it looks like the above mentioned site
has fixed the problem.

What IE does, and what Opera 9.50 beta also does, is to download such intermediate
certificates from a location named in the site certificate in an attempt to
connect it to a known root. When successful, the intermediates are then cached
for future use.

John H Meyers

Dec 10, 2007, 8:42:04 PM
On Mon, 10 Dec 2007 16:39:09 -0600, Yngve Nysaeter Pettersen wrote:

> The "VeriSign Class 3 Secure Server CA" certificate is an intermediate CA
> certificate that the website is *required* by the SSL/TLS specification to send.
> The client is not even expected to store them, because they change often.
>
> This is a server configuration issue, and it looks like the above mentioned site
> has fixed the problem.

https://www.auctionsniper.com/securelogin.aspx

I still can not verify it at this moment, using 9.24(8816,Win32,XP),
but Firefox reports the same problem, and suggests either
"not recognizing issuing CA" or "server misconfiguration"
as possibilities (while IE has the "intermediate" cert, and is happy).

Just before trying this, I had closed Opera, removed my own
opcert6.dat and opcacrt6.dat files, and re-installed 9.24
(which re-created those files), just for the heck of it :)

Have you time to mention what sort of misconfiguration
might be involved, unless too off-topic, which still satisfies IE
(and Opera 9.50, as below) anyway?

> What IE does, and what Opera 9.50 beta also does, is to download such intermediate
> certificates from a location named in the site certificate in an attempt to
> connect it to a known root. When successful, the intermediates are then cached
> for future use.

Well that's nice; it will eventually do what IE is doing now
(while FF also still is not, and thus FF will "fall behind").

Thanks!

--

John H Meyers

Dec 10, 2007, 9:21:09 PM
On Mon, 10 Dec 2007 19:42:04 -0600, I wrote:

> I still can not verify it at this moment...
> but Firefox reports the same problem,...

Update:

At this hour of the day,
*both* Opera and FF are equally happy with that same site:
https://www.auctionsniper.com/securelogin.aspx

Is there a possibility that some other network issue is involved,
such as a problem at VeriSign, rather than at this site in particular?

It seems a bit mysterious how the problem comes and goes,
at various times of day.

Thanks.

--

Yngve Nysaeter Pettersen (Developer, Opera Software A/S)

Dec 11, 2007, 5:48:49 PM
On Mon, 10 Dec 2007 20:21:09 -0600, "John H Meyers" <jhme...@nomail.invalid>
wrote:

>On Mon, 10 Dec 2007 19:42:04 -0600, I wrote:

Actually, I think they are running multiple servers, and they installed the
certificate properly on at least one of them, but not on the rest of them.

[off to check a few details .....]

OK, the server on 209.142.29.168 is not configured properly (the intermediate
certificate they got in the package from VeriSign is not installed), while the
ones on 209.142.29.165 and 209.142.29.162 are correctly configured. That means
that you have 1/3 chance to encounter the incorrectly configured server.
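
The chain-building behaviour described in this thread, modelled as an added example (not code from any poster or from Opera), showing why only one backend fails and only for clients that neither cache the intermediate nor fetch it. Assumptions: certificates are constructed records rather than parsed X.509, signatures are not checked, the AIA URL is a placeholder, and the root is taken to be in every client's trust store.

```python
# Added illustration: certificates are constructed records, not parsed X.509,
# and no signatures are checked. Only issuer-name chaining is modelled.
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer aia_url")

ROOT = "VeriSign Class 3 Public Primary CA"
INTERMEDIATE = Cert("VeriSign Class 3 Secure Server CA", ROOT, None)
# The AIA URL is a placeholder; the thread does not give the real one.
LEAF = Cert("www.auctionsniper.com", INTERMEDIATE.subject,
            "http://aia.example/intermediate.cer")

# Certificates each backend sends in the handshake, per the diagnosis above.
SERVERS = {
    "209.142.29.162": [LEAF, INTERMEDIATE],
    "209.142.29.165": [LEAF, INTERMEDIATE],
    "209.142.29.168": [LEAF],  # intermediate not installed
}
AIA_REPOSITORY = {LEAF.aia_url: INTERMEDIATE}  # stands in for an HTTP download


def build_path(sent, roots, cache=(), follow_aia=False):
    """Return subjects from leaf to trusted root, or None if no path exists."""
    pool = {c.subject: c for c in list(sent[1:]) + list(cache)}
    cert, path = sent[0], [sent[0].subject]
    while cert.issuer not in roots:
        issuer = pool.get(cert.issuer)
        if issuer is None and follow_aia and cert.aia_url:
            issuer = AIA_REPOSITORY.get(cert.aia_url)  # fetch the missing issuer
        if issuer is None or issuer.subject in path:  # gap or loop: give up
            return None
        path.append(issuer.subject)
        cert = issuer
    return path + [cert.issuer]


def failing_servers(roots, **client):
    """Backends whose chain this client configuration cannot complete."""
    return [ip for ip, sent in SERVERS.items()
            if build_path(sent, roots, **client) is None]


if __name__ == "__main__":
    roots = {ROOT}  # assumption: every client trusts the root
    print("no cache, no AIA:", failing_servers(roots))
    print("cached intermediate:", failing_servers(roots, cache=[INTERMEDIATE]))
    print("AIA fetch:", failing_servers(roots, follow_aia=True))
```

A backend that validates only for clients with a cached intermediate or AIA fetching is still misconfigured, so the strict case (no cache, no AIA) is the one to check against each server individually.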

John H Meyers

Dec 12, 2007, 4:44:10 PM
On Tue, 11 Dec 2007 16:48:49 -0600,
Yngve Nysaeter Pettersen (Developer, Opera Software A/S) wrote:

JHM:

>> On Mon, 10 Dec 2007 19:42:04 -0600, I wrote:
>>
>>> I still can not verify it at this moment...
>>> but Firefox reports the same problem,...
>>
>> Update:
>>
>> At this hour of the day,
>> *both* Opera and FF are equally happy with that same site:
>> https://www.auctionsniper.com/securelogin.aspx
>>
>> Is there a possibility that some other network issue is involved,
>> such as a problem at VeriSign, rather than at this site in particular?
>>
>> It seems a bit mysterious how the problem comes and goes,
>> at various times of day.

YNP:

> Actually, I think they are running multiple servers, and they installed the
> certificate properly on at least one of them, but not on the rest of them.
>
> [off to check a few details .....]
>
> OK, the server on 209.142.29.168 is not configured properly (the intermediate
> certificate they got in the package from VeriSign is not installed), while the
> ones on 209.142.29.165 and 209.142.29.162 are correctly configured. That means
> that you have 1/3 chance to encounter the incorrectly configured server.

Thanks for your kind efforts; I'll try to give that company the benefit
of your analysis, by referring them to this thread.

--
