
Posted (edited)

Cannot log into the forums on Firefox. When attempting to view the login page:

Quote

Secure Connection Failed

An error occurred during a connection to auth.tilia-inc.com. Peer’s Certificate has been revoked.

Error code: SEC_ERROR_REVOKED_CERTIFICATE

  • The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
  • Please contact the website owners to inform them of this problem.

This was after having logged in to secondlife.com, so probably related to the new(ish) one-logon system. 

Error happens on an intermediate redirect page auth.tilia-inc.com/authorize?... Further research suggests the problem might have something to do with OCSP?

Edited by Quistess Alpha
Posted

That's weird, if the Forums use a cert associated with Tilia..

Also, why just Firefox? Does it use different security protocols than "Chromium-based" browsers? That would make sense..

 

Posted
Just now, Love Zhaoying said:

Also, why just Firefox? Does it use different security protocols than "Chromium-based" browsers? That would make sense..

 

As I said in my edit, I suspect it's because on Firefox I logged into secondlife.com first, then the forums, but I'm here on Chromium, without logging in there first. Clearing cookies doesn't seem to do anything, so yeah, maybe just a browser/plugins difference?

  • Quistess Alpha changed the title to IMPORTANT - TILLIA CERTIFICATE (TLS?) REVOKED!?
Posted

18qJRyF.png

Chrome is telling me that. I'm so confused, Firefox goes "no", the cert checker I use says yes... Chrome says yes... somebody else posted it's revoked. Scratching my head here.

Posted
11 hours ago, bigmoe Whitfield said:

I'm so confused,

Certificate revocation works by putting a certificate on a public blacklist. Some browsers check the blacklist. Some don't. It's an option in Firefox. Under Firefox Settings, see

Certificates
    Query OCSP responder servers to confirm the current validity of certificates

If that setting is turned on for Firefox, and you try https://auth.tilia-inc.com/  you get

Secure Connection Failed

An error occurred during a connection to auth.tilia-inc.com. Peer’s Certificate has been revoked.

Error code: SEC_ERROR_REVOKED_CERTIFICATE

  • The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
  • Please contact the website owners to inform them of this problem.

 

So that's what it looks like in a browser with revocation checking turned on.

(This has been broken for several days now. Linden Lab is now in the position of merely being a customer of Thunes, and doesn't control the systems involved. Maybe all LL can do is file a support ticket. There are many players involved: Tilia, Thunes, CSC Corporate Domains, DigiCert, and Linden Lab's legal department, who is still the official contact point for this domain. )
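
The split described in the post above, where one certificate is accepted by a client that skips revocation checking and rejected by one that checks, can be reproduced offline with a throwaway CA. This is an added example, not part of the thread: it uses a CRL rather than OCSP, and `Demo CA`, `auth.example.test` and the function names are constructed for the demo.

```bash
# Constructed demo PKI; nothing here is taken from the thread's real certificate.
make_pki() {   # $1 = empty working directory
  mkdir -p "$1/newcerts"; : > "$1/index.txt"
  echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
crlnumber = $1/crlnumber
certificate = $1/ca.pem
private_key = $1/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo CA" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=auth.example.test" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl ca -batch -config "$1/ca.cnf" -in "$1/leaf.csr" -out "$1/leaf.pem" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null  # empty CRL
}
revoke_leaf() {   # the CA revokes the leaf and publishes a fresh CRL
  openssl ca -config "$1/ca.cnf" -revoke "$1/leaf.pem" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
verdict() {   # $1 = directory, $2 = nocheck | crl ; prints accept or reject
  if [ "$2" = crl ]; then crl_opts="-crl_check -CRLfile $1/crl.pem"; else crl_opts=""; fi
  if openssl verify -CAfile "$1/ca.pem" $crl_opts "$1/leaf.pem" >/dev/null 2>&1
  then echo accept; else echo reject; fi
}

d=$(mktemp -d) && make_pki "$d"
echo "before revocation: no check=$(verdict "$d" nocheck) crl check=$(verdict "$d" crl)"
revoke_leaf "$d"
echo "after revocation:  no check=$(verdict "$d" nocheck) crl check=$(verdict "$d" crl)"
```

The signature and chain never change; only the client that consults the CA's revocation data sees the difference, which is why two browsers can disagree about the same site.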

Posted
2 minutes ago, animats said:

Certificate revocation works by putting a certificate on a public blacklist. Some browsers check the blacklist. Some don't. It's an option in Firefox. Under Firefox Settings, see

Certificates
    Query OCSP responder servers to confirm the current validity of certificates

If that setting is turned on for Firefox, and you try https://auth.tilia-inc.com/  you get

Secure Connection Failed

An error occurred during a connection to auth.tilia-inc.com. Peer’s Certificate has been revoked.

Error code: SEC_ERROR_REVOKED_CERTIFICATE

  • The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
  • Please contact the website owners to inform them of this problem.

 

So that's what it looks like in a browser with revocation checking turned on.

(This has been broken for several days now. Linden Lab is now in the position of merely being a customer of Thunes, and doesn't control the systems involved. Maybe all LL can do is file a support ticket. There are many players involved: Tilia, Thunes, CSC Corporate Domains, DigiCert, and Linden Lab's legal department, who is still the official contact point for this domain. )

Can mischief-makers purposefully get a cert blacklisted?

  • Like 1
Posted
3 hours ago, Quistess Alpha said:

Seems it's been fixed; took long enough. . .

Yes. A new certificate for "*.tilia-inc.com" was generated Tue, 06 Aug 2024 18:40:19 GMT. Valid until Tue, 21 Jan 2025 23:59:59 GMT.

  • Thanks 3
Posted
On 8/6/2024 at 7:19 PM, Love Zhaoying said:

Can mischief-makers purposefully get a cert blacklisted?

Not easily. You would need to find a misbehaviour that leads to the certificate being blacklisted due to the CA's policy.

But you can rather easily Denial-of-Service the OCSP responder (see https://www.imperialviolet.org/2014/04/19/revchecking.html ).

That's a reason OCSP stapling was invented. And another reason that browsers are planning to remove mandatory OCSP support (in addition to the privacy issues with OCSP).

See for example:

https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls.html

  • Thanks 1