Level1 Certificates [solved]

So all of Level1's webpages look like this (to my knowledge):

However the “noob to qubes thread” is unverified and unencrypted:

What's up with that?


Seems to me that parts of the thread aren’t sent over https.


Seems like this img is sent via HTTP:


Now that I added it you can see the same “error” on this page.

2 Likes

…cool

I never would have noticed this.

Good job OP.

Good job on the diagnosis redgek

@wendell would be able to provide information on this if he hasn't already seen this post.

This isn’t a real problem? People can add links to images and if the user doesn’t add https it uses http to embed the image.

Sometimes the forum will try to convert http to https but it can’t always do that automatically if it can’t verify that the https link exactly equals the same content as the http link…

So there is nothing wrong with the level1 stuff… problem exists between keyboard and chair.

Only “fix” would be to block people linking to anything that’s not https… I guess… which doesn’t seem like a good fix

4 Likes

It’s possible it may only become a real “problem” in the future if/when browsers mark mixed content as unsafe. I don’t know if they plan to change it; for now it looks like mixed content is still marked with the info icon, not explicitly “not secure”.

I wonder if you could warn them if it’s an http link?

Thankfully I don’t think you can inject crypto miners into images.

It's also true that http images don’t get access to cookies or javascript context, or anything else anymore, which is nice, when the site is https.

This is what popped up for me today and it’s only popping up on the homepage, not on the forums.

1 Like

@wendell and I were debugging an issue with the home page not loading in Chrome due to chunked encoding issues. It seems the last change he made before signing off was to bypass CloudFlare, which means the wrong certificate is now in use. Nothing to worry about, I am sure he will have it fixed quick smart when he returns :)

4 Likes

Hey awesome dudes!

I think this may not be quite solved yet. It looks like if I browse straight to www.level1techs.com I actually get a mismatched hostname error (edited) with the non-expired cert from Let's Encrypt, while if I go to level1techs.com I get a valid hostname cert from the same Let's Encrypt CA. Looks like it’s actually the same cert for level1techs.com without the www subdomain:

Here is the curl for the www hostname (with a dig to just sanity check DNS):
https://s3.us-east-2.amazonaws.com/z386-useastoh/curl_www.png

And here is the curl for the non-www hostname (also with a sanity dig DNS lookup):
https://s3.us-east-2.amazonaws.com/z386-useastoh/non_www_curl.png

(Edited. wendell pointed out correctly that the cert that is erroring isn’t expired, it looks like it’s just a mismatched hostname.)

Your screenshots show both expiration dates are May 2019?

I also still receive an error regarding this.
But in my case only when I log out from the forum
and get redirected back to the homepage, then I get the error.

I suppose Cloudflare being wonky again?

My mistake. I think I found what’s actually causing the invalid cert error for www.level1techs.com.

If you look here:

Looks like the cert that is being used for www.level1techs.com has a CN=level1techs.com. Since these aren’t the exact same hostname, we are getting a cert mismatch error specifically for www.level1techs.com. It’s not a wildcard SSL cert so it’ll cause a hostname mismatch on anything that doesn’t match the TLD, domain, and subdomain, I believe.

I don’t think it’s Cloudflare for the homepage. level1techs and www both resolve to IP addresses in DNS that point at Linode. If the homepage cert error was Cloudflare related, I would expect DNS for those sites would point at Cloudflare as well.

I guess that @wendell will probably take a look at it again.
I only encounter the issue when I get redirected back to the homepage after logout.

1 Like

I was able to easily reproduce this by just logging out of the forums. From the logout it looks like the app sends a redirect to the www https site for level1techs, which then is met with an SSL hostname mismatch error.

1 Like

Always tries to connect me to the www. site, unless I specifically type the address without it or click the link on the error page.
Maybe that shouldn’t even exist, or should redirect?

1 Like

IMHO this could be solved a few different ways… If you don’t mind me throwing in my .02 cents:

1 - use a wildcard cert for everything with the level1techs dot com domain (which could be costly…)
2 - generate Let's Encrypt certs for the hostnames used for level1techs, including www subdomains (kind of a PITA to manage multiple certs)
3 - redirect all requests for the www hostname to the non-www site. (Could break things in the application if it’s expecting www hostnames.)

#3 is already in place, but the SAN has to be in place for it to not error for some (but not all, interestingly) browsers.

2 Likes
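
Added example (not part of any post in the thread): a simplified RFC 6125-style name check showing which of the two site hostnames each kind of certificate discussed above would leave with a mismatch error. The SAN lists are constructed for illustration and the function names are hypothetical; nothing here is read from the live site.

```python
# Added example: certificate hostname matching, simplified from RFC 6125.
# The SAN lists below are constructed for illustration, not read from the live site.

def _labels(name):
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """True if one certificate dNSName (exact or '*.' wildcard) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label, never zero or two
    if p[0] == "*":
        # Simplification: wildcard is honoured only as the entire left-most
        # label, and not directly under a TLD ("*.com" covers nothing).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered(san_dns_names, hostnames):
    """Hostnames a client would reject with a name-mismatch error for this cert."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in san_dns_names)]

# Both names a visitor (or the logout redirect) can end up on.
SITE_HOSTS = ["level1techs.com", "www.level1techs.com"]

# Constructed certificates, one per situation discussed in the thread.
CERTS = {
    "apex name only": ["level1techs.com"],
    "wildcard only": ["*.level1techs.com"],
    "apex + www in SAN": ["level1techs.com", "www.level1techs.com"],
    "wildcard + apex in SAN": ["*.level1techs.com", "level1techs.com"],
}

def report():
    return {label: uncovered(names, SITE_HOSTS) for label, names in CERTS.items()}

if __name__ == "__main__":
    for label, missing in report().items():
        print(f"{label:24} mismatch on: {missing or 'none'}")
```

The TLS handshake for the www name completes before the server can send any HTTP redirect, so a www-to-apex redirect only works without a warning when the certificate presented on www also covers www.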