[Solved] download.virtualbox.org uses an invalid security certificate

didierg
Posts: 34
Joined: 1. Apr 2008, 02:12
Primary OS: Fedora other
VBox Version: PUEL
Guest OSses: Fedora & Windows

[Solved] download.virtualbox.org uses an invalid security certificate

Post by didierg »

For some time now, I get the following error when I try to download the extension using Firefox. I have https-everywhere installed, but if I disable it I get the same message.
Your connection is not secure
The owners of download.virtualbox.org have configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.
download.virtualbox.org uses an invalid security certificate.
The certificate is only valid for the following names: *.akamaized.net, *.akamaihd-staging.net, *.akamaized-staging.net, *.akamaihd.net, a248.e.akamai.net
Error code: SSL_ERROR_BAD_CERT_DOMAIN
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: download.virtualbox.org uses an invalid security certificate

Post by mpack »

What is going on? Why are we getting a spate of reports of people making the same dumb error, i.e. their browser trying to check the certificate of an intentionally unsecured site?

http://download.virtualbox.org (note this is NOT https) has no certificate to check.

Could anyone reporting this problem in future please mention which browser and version they are using. If you have some kind of optional malware (aka. antivirus) installed to filter web addresses, then please say which.
mpack

Re: download.virtualbox.org uses an invalid security certificate

Post by mpack »

I have to say that HSTS is new to me. Just reading up on it now. I wonder if this is something that Michael just switched on? Is the problem only affecting recent Firefox?

I think I'll have to mention this to the admins.
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: download.virtualbox.org uses an invalid security certificate

Post by socratis »

didierg wrote: I have https-everywhere installed but if I disable it I have the same message.
Please state the exact process by which you ended up getting that link. Where did you click, what page, which exact link?
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
erdeslawe
Volunteer
Posts: 241
Joined: 8. Jul 2015, 10:23

Re: download.virtualbox.org uses an invalid security certificate

Post by erdeslawe »

Haven't had any problems with the VirtualBox Site or with downloads, but for reference the addresses shown in Safari (MacOS) are:

VirtualBox Home Page: https://www.virtualbox.org

Menu Links:

Screenshots: https://www.virtualbox.org/wiki/Screenshots
Download Page Link: https://www.virtualbox.org/wiki/Downloads
etc.
mpack

Re: download.virtualbox.org uses an invalid security certificate

Post by mpack »

That actually isn't the download page link, that's just a page describing what the downloads are. The actual downloads come from http://download.virtualbox.org/virtualbox/, and it's the transition from https to http while still inside the virtualbox.org domain that seems to be triggering the HSTS problem.
Martin
Volunteer
Posts: 2560
Joined: 30. May 2007, 18:05
Primary OS: Fedora other
VBox Version: PUEL
Guest OSses: XP, Win7, Win10, Linux, OS/2

Re: download.virtualbox.org uses an invalid security certificate

Post by Martin »

What does your Firefox show in 'about:config' for 'security.mixed_content.use_hsts'?
Here it shows the default = 'false'
socratis

Re: download.virtualbox.org uses an invalid security certificate

Post by socratis »

That's why I asked for the exact link, not a generic one. I need to be able to reproduce this behavior, and I haven't so far. So, unless I see a "click on this link" step-by-step, I still believe there was some sort of intervention, human's or add-on's.
mpack

Re: download.virtualbox.org uses an invalid security certificate

Post by mpack »

@didierg: The admins have confirmed that there is a configuration error on the main virtualbox.org page, which tells your browser that all subdomains should be secure as well.

This error has now been fixed; unfortunately, your browser may have cached the incorrect configuration. According to admin Klaus the fix for that should be:
Admin Klaus wrote: The theoretical fix is to ask all people running into this issue to start again at https://virtualbox.org/ - that should (if I and the browser implementors read the spec the same way) update the cached information correctly, removing the "entire domain can do https" flag.
socratis

Re: download.virtualbox.org uses an invalid security certificate

Post by socratis »

Another (more brute-force) way to fix it for sure is to locate the "SiteSecurityServiceState.txt" in your Firefox profile. Quit Firefox and remove any "virtualbox.org" references. For the location of your Firefox profile, see: https://security.stackexchange.com/ques ... my-browser
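One way to script the cleanup described in this post, as an added example that is not part of the original thread. It assumes the file holds one tab-separated entry per line whose first field starts with the host name followed by `:HSTS`; that layout, the function names and the sample lines are assumptions, and Firefox must be closed before the file is edited.

```python
import shutil
from pathlib import Path

def drop_hsts_entries(text, domain):
    """Split file text into (kept_text, removed_lines) for domain and its subdomains."""
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        key = line.split("\t", 1)[0]                 # assumed form: "host:HSTS"
        host = key.split(":", 1)[0].split("^", 1)[0].lower()
        # Match on label boundaries so unrelated hosts that merely end with
        # the same characters are not deleted by accident.
        if host == domain or host.endswith("." + domain):
            removed.append(line)
        else:
            kept.append(line)
    return "".join(kept), removed

def clean_profile(state_file, domain="virtualbox.org"):
    """Back up the state file, rewrite it without the domain's entries."""
    path = Path(state_file)
    shutil.copy2(path, path.with_name(path.name + ".bak"))  # keep a restore point
    kept, removed = drop_hsts_entries(path.read_text(), domain)
    path.write_text(kept)
    return removed

# Constructed sample content, not taken from a real profile.
SAMPLE = (
    "virtualbox.org:HSTS\t3\t17520\t1545000000000,1,1\n"
    "www.virtualbox.org:HSTS\t1\t17520\t1545000000000,1,0\n"
    "notvirtualbox.org:HSTS\t0\t17500\t1544000000000,1,0\n"
    "example.org:HSTS\t0\t17500\t1544000000000,1,0\n"
)
```

Calling `clean_profile()` with the path to the file inside the profile directory returns the removed lines so they can be reviewed, and leaves a `.bak` copy next to the original.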
didierg

Re: download.virtualbox.org uses an invalid security certificate

Post by didierg »

I get this error when, on the page https://www.virtualbox.org/wiki/Downloads, I click on the link

VirtualBox 5.2.4 Oracle VM VirtualBox Extension Pack All supported platforms

I use firefox-57.0.1-2.fc27.x86_64 with HTTPS Everywhere extension 2017.12.6 disabled.
didierg

Re: download.virtualbox.org uses an invalid security certificate

Post by didierg »

mpack wrote: @didierg: The admins have confirmed that there is a configuration error on the main virtualbox.org page, which tells your browser that all subdomains should be secure as well.

This error has now been fixed; unfortunately, your browser may have cached the incorrect configuration. According to admin Klaus the fix for that should be:
Admin Klaus wrote: The theoretical fix is to ask all people running into this issue to start again at https://virtualbox.org/ - that should (if I and the browser implementors read the spec the same way) update the cached information correctly, removing the "entire domain can do https" flag.
It works!

Thanks for your support.
mpack

Re: download.virtualbox.org uses an invalid security certificate

Post by mpack »

Great, thanks for confirming.