Invalid certificate at Xstreet SL forums

Anyone else getting invalid certificate warnings when trying to access the forums at Xstreet SL?

My browser goes through a exception granting process involving a message that says "Legitimate banks, stores, and other public sites will not ask you to do this."

Not the best welcome for first time users.

Nope not getting that. What browser are you using?

Flock 2, which is based on Firefox 3.

I might have turned up some security setting by mistake, but, I suspect this might have something to do with certificates actually being for slexchange not being updated to xstreet.

It doesn't really matter if it is invalid, look at the url in your address bar, is it xstreetsl's url? Thats enough verification right there

There are two uses for those certificates:

1: prove the website is not just some fake scam site. Fortunatly you already know this becuase you know the url should be www.xstreetsl.com

2: Encrypt your connection over https. Again fortunatly it does not need to be a valid citificute to do this.


So don't worry, you are safe.

I got that once. The bios of my computer had somehow turned it's date to January 2003 or something like that. Gave me all sorts of certificate errors with several websites. Changing the date fixed it for me.

Rubbish. There are DNS attacks that can intercept the mapping of the domain name (xtreetsl.com in this case) and make it appear you've accessed the intended web server when you haven't. The URL is not enough verification if you're doing anything involving money or sensitive items.

Anyone can get a certificate. The certificate won't prove it's not a scam. (But look at extended validation certificates, which produce a green bar in Firefox and IE7, and which will provide more security against scams.)

Interesting I got one of those recently not sure where I use mozilla.
I never understood what they are.
Or what unsafe site is when my computer tells me I can't access a site because it is unsafe.
Certificates I tend to ignore but I wouldn't do money transactions with one nor one that isn't https.

Flock 2 here and works fine for me.

A certificate is essentially a public key along with some identifying information, all of which has been signed, usually by a third party. How do you know the signature is valid? You use the public key of the third party. How did you get the third party's public key? From their certificate. How far does this process go? It can go very deep, but usually no more than two or three. How does this process end? A handful of third party public keys are built into the popular web browsers (and other products that use SSL) - which is why you need to make sure you only get your browsers from secure sites or from reliable CDs.

Anybody can create a public key/private key pair. Anybody can create a certificate and sign it with their own private key, hence the term "self-signed certificate". This certificate can be used for SLL encryption (i.e., https), but doesn't tell you anything securely reliable about the person at the other end. Hence you'll get a warning for those. Don't use these for anything of value unless you have some other verification of the person at the other end and of the certificate.

Since anyone can create this, it's possible for one person to create two or more such pairs, two or more certificates, and set up their own signature chain. Instead of producing a "self-signed" warning, this will produce an "unrecognized signature authority" warning. The same caveat about using these applies.

Certificates have start and end dates, hence warnings about expired certificates. If they're only a day or two out of date, I'll usually accept them - but they strongly erode my confidence in the owner's ability to manage their own security. If they're quite out of date, I'll complain and avoid using it unless I have some other compelling reason.

Certificates are assigned to specific URL patterns. If you get a certificate from a site that doesn't match the URL you used, it could be that the owner didn't configure the certificate correctly when they bought it, or that they didn't configure their web site correctly. If you get a warning that says "the certificate belongs to www.example.com but the domain is example.com", the best thing to do is to reenter the site using the 'www.' (and complain - modern sites should no longer require the www. prefix). Other warnings about mismatches really need to be handled on a case by case basis. If it involves money, I wouldn't use it without independent validation. This sometimes happens at e-commerce sites running on a shoe-string budget, so it may be ok, but it's also the easiest way to scam using SSL certificates.

I'm a big fan of using 800 numbers to complain about web site insecurities. It costs the owner money to handle the 800 call, and encourages them to put more up front effort into keeping their web site secure.

Thanks Kidd, I've was always curious about why it happens and what it is the whole certificate thing but I don't use search well for some odd reason I always find stuff not relating to the search I want to find.

The Xstreet cert is not one of the self-signed ones the exception thing is supposed to catch, and it does have the right list of DNS alternates. One thing I notice is that Virtuatrade got a fresh certificate in September, could there have been an older one cached locally?

Another thing I notice sometimes is that Google results for Xstreet forums will point to a Virtuatrade IP address instead of the hostname. That might trip up the FF certificate checker, could that one apply here?