
Invalid certificate


G.F.

Oct 1, 2021, 10:02:48 AM
Hi all.
The number of websites unusable with XP is increasing, due to the "invalid
certificate".
1) Is there an easy way to install other certificates on XP?
2) Even if the certificate is invalid, the browser offers the option to
continue. What may be the risk of continuing?

GF


Aoli

Oct 1, 2021, 1:09:25 PM

Try MyPal browser.

Shadow

Oct 1, 2021, 3:59:27 PM
Let's Encrypt went bonkers this week.

Download the certificates from

https://letsencrypt.org/certificates/

You'll need ISRG Root X1, ISRG Root X2, Let’s Encrypt R3 and
Let’s Encrypt E1.

Download them using the links (right click, save as).

You can add them to your XP store by double clicking on them.

To add them to Firefox/whatever, go to tools --> options -->
advanced --> certificates --> View Certificates.
Click on import certificate. After you've imported them all,
go to "Internet Security Research Group" and "edit trust". Check they
are trusted for web pages or whatever.
HTH

PS Can't remember which are best for what. *.PEM worked for
Firefox. Can't remember if I used *.PEM or *.DER for XP.
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012
Google Fuchsia - 2021

G.F.

Oct 1, 2021, 4:34:34 PM
"Aoli" <Ao...@Aoli.com> wrote in message
news:sj7fc0$egr$1...@gioia.aioe.org...
>
> Try MyPal browser.

The official website doesn't work because of... invalid certificate. :-)
Majorgeeks doesn't work because of... invalid certificate. :-)
Softpedia doesn't work because of... 404 page not found :-)

I'm at the end of my rope. :-)

GF


G.F.

Oct 1, 2021, 4:36:20 PM
"Shadow" <S...@dow.br> wrote in message
news:99pelg5hhh0o2h4pg...@4ax.com...
> On Fri, 1 Oct 2021 16:02:46 +0200, "G.F." <nos...@grazie.it> wrote:

> Download the certificates from
>
> https://letsencrypt.org/certificates/

I get "Invalid certificate" :-)

Shadow

Oct 1, 2021, 5:58:55 PM
LOL. Allow an "Exception" (assuming Firefox). Then you can open
the certs page. Double clicking on the "*.der" download link will
install the certificate to the browser. Close the browser, open it and
you should be good to go.
As I said, you'll have to right-click and save them if you
want to install to your XP cache.
HTH

Shadow

Oct 1, 2021, 6:16:07 PM
On Fri, 01 Oct 2021 18:57:50 -0300, Shadow <S...@dow.br> wrote:

>On Fri, 1 Oct 2021 22:36:22 +0200, "G.F." <nos...@grazie.it> wrote:
>
>>"Shadow" <S...@dow.br> wrote in message
>>news:99pelg5hhh0o2h4pg...@4ax.com...
>>> On Fri, 1 Oct 2021 16:02:46 +0200, "G.F." <nos...@grazie.it> wrote:
>>
>>> Download the certificates from
>>>
>>> https://letsencrypt.org/certificates/
>>
>>I get "Invalid certificate" :-)
>>
>>I'm at the end of my rope. :-)
>>
>>GF

Correction:
>
> LOL. Allow an "Exception"(assuming Firefox). Then you can open
>the certs page. Double clicking on the "*.der" download link will
>install the

certificateS. Just one is not enough.

(You'll need ISRG Root X1, ISRG Root X2, Let’s Encrypt R3 and
Let’s Encrypt E1)

😉 Good Guy 😉

Oct 1, 2021, 8:17:32 PM
On 01/10/2021 15:02, G.F. wrote:
> Hi all.
> The number of websites unusable with XP is increasing, due to the "invalid
> certificate".
> 1) is there an easy way to install other certificates on XP?.


How about using some junk operating system? I thought users would pour in all sorts of suggestions especially asking you to use a junk OS. Have they given up in recruiting more suicide bombers?


> 2) even if the certificate is invalid, the browser offers the option to
> continue. What may be the risk of continuing?

No risk whatsoever because nothing changes by having a certificate or not having one. Are you posting any personal or sensitive info online using a browser? If the answer is no then there is no need to worry. Your banks, stock broker, insurance companies or some other financial institution may not allow you to login at all or web-based emails won't allow you to login but apart from that nothing changes with or without a certificate.

As far as I can see, you are used to nym-shifting so I am surprised you are asking this stupid question here. You should be an expert in these things considering you have been doing this for years.


-- 
Windows-10:	<news://freenews.netfront.net/alt.comp.os.windows-10>
  Windows-8:	<news://freenews.netfront.net/alt.comp.os.windows-8>
  Windows-7:	<news://freenews.netfront.net/alt.windows7.general>
 Windows XP:	<news://freenews.netfront.net/microsoft.public.windowsxp.general>
 Windows-XP:	<news://freenews.netfront.net/microsoft.public.windowsxp.general>
    Firefox:	<news://freenews.netfront.net/alt.comp.software.firefox>
Thunderbird:	<news://freenews.netfront.net/alt.comp.software.thunderbird>

Google Groups:	<https://groups.google.com/g/microsoft.public.windowsxp.general>

Paul

Oct 1, 2021, 9:54:03 PM
This is to give you some idea how hard it will be to
bootstrap. Apparently Firefox has its own certificate store.
But (of course), a modern Firefox, like a Firefox 91 won't
run on Windows XP.

I picked this post, the one at the end right now, to
show there are "hand tools" that are not browsers.

https://borncity.com/win/2021/09/30/sept-30-2021-will-we-see-trouble-with-old-lets-encrypt-certificates/

"Ubuntu 16.04 doesnt recognizes at all.
Tried to update the /etc/ssl/certs/ca-certificates.crt but no effect.

The only thing that made it work was to update openssl package and
then update curl pointing to the new openssl (all done by compiling method)
to get the curl to work.

wget still not working as its as pre-compiled with old openssl…
Still wondering if it has something to do with this topic or just a coincidence."

What we'd need then, is a curl which is updated today, and
available on an http (not https) site.

https://curl.se/download.html # Yeah, I know, https

curl version: 7.79.1
Build: 7.79.1
Date: 2021-09-22 # Not today...

https://curl.se/windows/dl-7.79.1/curl-7.79.1-win32-mingw.zip <=== advertised as...

http://curl.se/windows/dl-7.79.1/curl-7.79.1-win32-mingw.zip <=== seems to work...

WGET would be the better tool, because the description reads as this,
but as far as I know, it doesn't have internal certificates.

"wget is a fantastic tool for downloading content and files. It can download files,
web pages, and directories. It contains intelligent routines to traverse links in
web pages and recursively download content across an entire website. It is
unsurpassed as a command-line download manager."

Now CURL is supposed to have certificates, as part of pulling stuff
into its library.

"curl satisfies an altogether different need. Yes, it can retrieve files, but it
cannot recursively navigate a website looking for content to retrieve."

This usage of CURL is silly. Don't do this. The problem would be,
with binary or ISOs or the like. You want something that won't screw up,
if doing big downloads.

rem Point at the dir with the EXE in it
cd /d C:\Downloads\CurlDir

curl https://www.bbc.com > bbc.html

Whereas this one, puts content into a file. The log should still
be dumped into Command Prompt.

curl -o bbc.html https://www.bbc.com

My WinXP computer broke two days ago (would freeze in memtest).
All the hardware is pulled from the computer case, the case is
just sitting near my shoulder, EMPTY!!! No hardware. Can't test
diddly now. I'm running off Win7 at the moment, haven't moved
my email over, the usual mess.

Now, we need any emergency OS with Firefox in it, on the
assumption it has certificates. I picked the Lite version,
for lower RAM consumption.

https://mirror.clarkson.edu/zorinos/isos/15/Zorin-OS-15.3-Lite-32-bit.iso

curl -o zorin153x86.iso https://mirror.clarkson.edu/zorinos/isos/15/Zorin-OS-15.3-Lite-32-bit.iso

That's around 2GB, so should work in FAT32 for storage, and you
can burn a DVD of that for boot purposes.

I tested in a VM, and that will boot on 512MB, but you can't
start Firefox unless the computer has about 1GB of RAM for "comfort".
Running a LiveDVD, RAM is used for scratch file space, which is
why these things jam up so easily.

I can put that on a USB stick. I used rufus.ie to do a USB stick,
and it offered me a 26GB casper-rw persistent partition. This is
on a 32GB USB stick. This is an EXT partition and not just a loopback
mount as might be more normal (lots of persistent sticks have
just 4GB of storage on a bitmap file sitting on a FAT32 partition,
which is why they have the 4GB limit). This happens to be a Ubuntu at
the moment, and I can see a file stamping the stick as being
made by Rufus.

--- /dev/sde
Block device, size 29.22 GiB (31376707072 bytes)
DOS/MBR partition map
Partition 1: 3.221 GiB (3458359296 bytes, 6754608 sectors from 2048, bootable)
Type 0x0C (Win95 FAT32 (LBA))
SYSLINUX boot loader
FAT32 file system (hints score 4 of 5)
Volume size 3.217 GiB (3454156800 bytes, 210825 clusters of 16 KiB)
Partition 2: 26.00 GiB (27917277696 bytes, 54525933 sectors from 6756656)
Type 0x83 (Linux)
Ext3 file system
Volume name "casper-rw"
UUID 69FD8B2A-C16A-8B42-9C60-6DDC9C4FE0E9 (DCE, v8)
Last mounted at "/"
Volume size 26.00 GiB (27917275136 bytes, 6815741 blocks of 4 KiB)

The USB would be useful, if you've done these before, and your
machine has a USB boot capability. Otherwise, it's a DVD thing.
A DVD won't work on my first PC (1.1GHz Tualatin), and there
I need a CD instead (the BIOS does not grok DVD type as a hardware).

This might not work due to github web code. But if it does, you can
play with using a USB stick instead of a DVD blank.

curl.exe -o rufus315.exe https://github.com/pbatard/rufus/releases/download/v3.15/rufus-3.15p.exe

Once you're booted into Zorin Live Lite, you can follow Shadow's suggestions
and look at various web sites for certificate downloads.

I don't know how far you'll get, but that's an idea of
how I'd try to escape the Houdini box you're in.

Paul

Shadow

Oct 2, 2021, 6:36:55 AM
I understand what you did, but it's a bit of an overkill for an
XP-only user.

I just loaded the page (Palemoon - same dialogs as an old
Firefox), got the invalid certificate warning, chose the "exception"
(or whatever it's called)

"Are you sure, you are playing with fire, you naughty person"

I clicked "I LIKE playing with fire"

The page opened, I downloaded the certs (pem, der AND txt -
wasn't sure which ones I needed), then manually installed them both to
XP and the browser.

https://postimg.cc/QVbV07cG

(yes, you need the certs to access Postimg)

Of course, once they were working I checked the fingerprints
at

https://www.grc.com/fingerprints.htm

(that uses a Digicert certificate)

When you allow an exception, for all practical purposes you
are using http ..... which can be tampered with. Best to be sure you
got valid certs.

My wget is v1.19.4, it's the last version that works with XP
and apparently it uses the XP store of certs. It's working fine now.

Incredible how many of my favorite sites broke because of the
Let's Encrypt fsckup. Didn't realize how popular it was.

PS I removed ALL references to Let'sEncrypt in my cert store
before installing the new ones. Didn't want any conflicts.
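
The fingerprint check described in the post above, as an added example that is not part of the original thread: it hashes each certificate in a downloaded .pem or .der file and compares the result with a fingerprint copied from a page that loaded without an exception. Function names are hypothetical, and the sample bytes are constructed stand-ins, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_blobs(data):
    """Return the DER bytes of every certificate in a .pem or .der file."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        # PEM is base64-wrapped DER; one file may bundle several certificates.
        return [base64.b64decode(b"".join(b.split())) for b in blocks]
    return [data]  # no PEM armour: treat the file as a single DER certificate


def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case hex digest of the DER bytes."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp):
    """Drop colons, spaces and case so copy-pasted values compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def check_file(data, trusted, algo="sha256"):
    """Pair each certificate's fingerprint with its trusted label, or None.

    `trusted` maps a label to a fingerprint copied from a page reached over
    a connection that validated normally (not through an exception).
    """
    results = []
    for der in der_blobs(data):
        fp = fingerprint(der, algo)
        name = next((n for n, want in trusted.items()
                     if hmac.compare_digest(normalise(fp), normalise(want))),
                    None)
        results.append((fp, name))
    return results


def to_pem(der):
    """Wrap DER bytes in PEM armour (used here only to build sample input)."""
    body = base64.encodebytes(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + body
            + "-----END CERTIFICATE-----\n").encode("ascii")


# Constructed stand-in bytes, NOT a real certificate: the fingerprint is a
# hash over the raw DER bytes, so any byte string shows the comparison.
SAMPLE_DER = bytes(range(256)) * 2
TAMPERED_DER = SAMPLE_DER[:-1] + b"\x00"   # one byte changed in transit
SAMPLE_FP = fingerprint(SAMPLE_DER)        # stands in for the published value

if __name__ == "__main__":
    bundle = to_pem(SAMPLE_DER) + to_pem(TAMPERED_DER)
    for fp, name in check_file(bundle, {"constructed sample": SAMPLE_FP}):
        print("OK  " if name else "FAIL", name or "no trusted match", fp[:23])
```

Pass `algo="sha1"` when the reference page lists SHA-1 fingerprints; a certificate that comes back with no trusted match should not be imported.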

Paul

Oct 2, 2021, 7:19:20 AM
I provided the info, to show that with some luck,
you could bootstrap yourself. As long as just
a few developers remember to provide an http: path
to the goods, we'll be OK.

Nobody really has the energy to keep this stuff going forever.
It's too brittle for that.

Paul

Mayayana

Oct 2, 2021, 9:06:41 AM
"G.F." <nos...@grazie.it> wrote
I don't have any problems and I don't remember doing
anything specific. I just visited majorgeeks.com. No
problems. I have FF52.9 and New Moon 28.1. But some
things you might try:

Get New Moon browser.

Set browser.xul.error_pages.expert_bad_cert to true

Set browser.ssl_override_behavior to 1

Risks? In the vast majority of cases a bad cert is likely
to be because it expired. It can also be caused when a
hosted site is using a cert that's not for its own domain.
If you plan to enter a credit card number it matters. If
you're at majorgeeks and you just want to download, then
who cares? You can also usually see in the error page why
the cert was rejected.


Paul

Oct 6, 2021, 8:22:16 AM
On 10/6/2021 6:59 AM, Steve Hayes wrote:
> On Fri, 1 Oct 2021 16:02:46 +0200, "G.F." <nos...@grazie.it> wrote:
>
> In Firefox I get "This site is untrusted", and in most cases I can
> override it.
>
> But in Maxthon I get this:
>
> Avast has blocked access to https://share.social9.co/ because one of
> the issuers of the server certificate has expired.
>
> What is causing it, and can anything be done about it?

Is the spelling of this

share.social9.co

correct, or is something missing ?

Paul


😉 Good Guy 😉

Oct 6, 2021, 12:07:08 PM
On 06/10/2021 11:59, Steve Hayes wrote:
> What is causing it, and can anything be done about it?

You need to contact the website owner and tell him that he needs to update the certificate. There is nothing you can do about it at your end; Even Jacob Zuma can't do anything about it by pretending he is ill so he doesn't need to spend any time in jail. Why can't somebody bump him off? He keeps saying he was poisoned by the British and Americans but he is still alive.

pyotr filipivich

Oct 6, 2021, 1:42:48 PM
Steve Hayes <haye...@telkomsa.net> on Wed, 06 Oct 2021 12:59:39 +0200
typed in microsoft.public.windowsxp.general the following:
>On Fri, 1 Oct 2021 16:02:46 +0200, "G.F." <nos...@grazie.it> wrote:
>
>In Firefox I get "This site is untrusted", and in most cases I can
>override it.
>
>But in Maxthon I get this:
>
>Avast has blocked access to https://share.social9.co/ because one of
>the issuers of the server certificate has expired.

There was a report of one of the root certificates "expiring" (I
did not know they could do that) which will cause many "trust" issues
after 1 Oct.
>
>What is causing it, and can anything be done about it?
--
pyotr filipivich
This Week's Panel: Us & Them - Eliminating Them.
Next Month's Panel: Having eliminated the old Them(tm)
Selecting who insufficiently Woke(tm) as to serve as the new Them(tm)

JJ

Oct 6, 2021, 11:47:23 PM
I think it's `.com`. Not `.co`. Cause I don't think Colombia domains are
popular enough.

There doesn't seem to be a problem with its certificate when accessed from
XP.

https://www.ssllabs.com/ssltest/analyze.html?d=share.social9.com

Shadow

Oct 7, 2021, 11:46:15 AM
http://share.social9.com redirects to https://shr.social9.com/

Which is a 404.
The site uses a Let's Encrypt R3 cert valid until Nov 15th
2021.
Can't find any references to the site on a Glugle search,
other than it's hosted on an Amacon server.

Its alternative https://9sh.re/shorturl

Has this in the description:

//marketing platform, audience insights, audience intelligence,
audience intel, managed service, social sharing, sharing, website
personalization, personalize website, personalization, share this,
plugins, best free plugins, widgets, best free widgets, best website
plugins, premium plugins, premium widgets, responsive tools,
responsive widgets, share buttons, facebook like, facebook share,
pinterest button, tweet button, twitter button, instagram button,
follow buttons, social buttons, social plugins, recommended content,
content widget, wordpress, joomla, blogger, get likes, get shares, get
followers//

Personally, I wouldn't trust it with or without a valid
certificate.

Lu Wei

Oct 9, 2021, 11:40:48 PM
On 2021-10-1 22:02, G.F. wrote:
> Hi all.
> The number of websites unusable with XP is increasing, due to the "invalid
> certificate".
> 1) is there an easy way to install other certificates on XP?.

Yes, XP can still update to the most recent OS|IE certificates. Try the tool at:
https://msfn.org/board/topic/175170-root-certificates-and-revoked-certificates-for-windows-xp/page/3/

And use a more recent browser:
https://rtfreesoft.blogspot.com/search/label/serpent

> 2) even if the certificate is invalid, the browser offers the option to
> continue. What may be the risk of continuing?
>

There's a possibility of a man-in-the-middle attack, trying to steal something from you. No risk if you do not provide personal information or install anything.

--
Regards,
Lu Wei
IM: xmpp:luwe...@riotcat.org
PGP: 0xA12FEF7592CCE1EA

JJ

Oct 10, 2021, 2:38:14 AM
On Sun, 10 Oct 2021 11:40:42 +0800, Lu Wei wrote:
> On 2021-10-1 22:02, G.F. wrote:
>> Hi all.
>> The number of websites unusable with XP is increasing, due to the "invalid
>> certificate".
>> 1) is there an easy way to install other certificates on XP?.
>
> Yes, XP can still update to the most recent OS|IE certificates. Try the tool at:
> https://msfn.org/board/topic/175170-root-certificates-and-revoked-certificates-for-windows-xp/page/3/

The most recent Microsoft's official root certificates and certificate
revocations can be downloaded from below URLs. (long URL warning)

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab

Extract the contents and double-click the STL files to import them.

Because there's no XP update to support new security ciphers, don't use on
internet applications that use Windows built in cryptography libraries. Most
of such applications are available for Windows platform only (i.e. non cross
platform software).

Pamela

Jan 24, 2022, 6:45:56 AM
On 03:40 10 Oct 2021, Lu Wei said:
> On 2021-10-1 22:02, G.F. wrote:
>>
>> Hi all.
>> The number of websites unusable with XP is increasing, due to the
>> "invalid certificate".
>> 1) is there an easy way to install other certificates on XP?.
>
> Yes, XP can still update to the most recent OS|IE certificates. Try
> the tool at:
> https://msfn.org/board/topic/175170-root-certificates-and-revoked-certificates-for-windows-xp/page/3/

Interesting old thread. Is everything required to be done written on
that page (page three)? I don't have the stamina to go through 38 pages!

> And use a more recent browser:
> https://rtfreesoft.blogspot.com/search/label/serpent

I find MyPal (v.29) runs a bit slowly but is more compatible with sites
than Firefox v.52. Is Serpent better?

J. P. Gilliver (John)

Jan 24, 2022, 10:13:56 AM
On Mon, 24 Jan 2022 at 11:45:51, Pamela
<pamela.priv...@gmail.com> wrote (my responses usually follow
points raised):
>On 03:40 10 Oct 2021, Lu Wei said:
>> On 2021-10-1 22:02, G.F. wrote:
>>>
>>> Hi all.
>>> The number of websites unusable with XP is increasing, due to the
>>> "invalid certificate".
>>> 1) is there an easy way to install other certificates on XP?.
>>
>> Yes, XP can still update to the most recent OS|IE certificates. Try
>> the tool at:
>> https://msfn.org/board/topic/175170-root-certificates-and-revoked-certificates-for-windows-xp/page/3/
>
>Interesting old thread. Is everything required to be done written on
>that page (page three)? I don't have the stamina to go through 38 pages!
>
>> And use a more recent browser:
>> https://rtfreesoft.blogspot.com/search/label/serpent
>
>I find MyPal (v.29) runs a bit slowly but is more compatible with sites
>than Firefox v.52. Is Serpent better?

I don't think it's a matter of better or worse, but that Firefox uses its
own certificate store, rather than using XP's store. (Based on a weak
understanding of what I've read here: I'm no longer on XP, and the
Firefox I use is a _very_ old one - I don't know if the one you use -
the latest that works under XP perhaps? - still uses its own store.
Certainly my ancient Firefox keeps asking this question for sites to
which Chrome has no problem.)
>
>>> 2) even if the certificate is invalid, the browser offers the option
>>> to continue. What may be the risk of continuing?
>>>
>>
>> There's possibility of man-in-the-middle attack, trying to steal
>> something from you. No risk if you do not provide personal
>> information or install anything.

It has always struck me as unusual that Firefox's "shall I store this
exception" box (i. e. allowing you to continue to use the site it thinks
has an invalid certificate, without asking every time) is pre-ticked.
Such things usually aren't, erring on the side of safety.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

Does God believe in people?