For some time now, I get the following error when I try to download the extension using Firefox. I have https-everywhere installed but if I disable it I have the same message.
Your connection is not secure
The owners of download.virtualbox.org have configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.
download.virtualbox.org uses an invalid security certificate.
The certificate is only valid for the following names: *.akamaized.net, *.akamaihd-staging.net, *.akamaized-staging.net, *.akamaihd.net, a248.e.akamai.net
Error code: SSL_ERROR_BAD_CERT_DOMAIN
What is going on? Why are we getting a spate of reports of people making the same dumb error, i.e. their browser trying to check the certificate of an intentionally unsecured site?
http://download.virtualbox.org (note this is NOT https) has no certificate to check.
Could anyone reporting this problem in future please mention which browser and version they are using. If you have some kind of optional malware (aka. antivirus) installed to filter web addresses, then please say which.
I have to say that HSTS is new to me. Just reading up on it now. I wonder if this is something that Michael just switched on? Is the problem only affecting recent Firefox?
didierg wrote: I have https-everywhere installed but if I disable it I have the same message.
Please state the exact process that you ended up getting that link. Where did you click, what page, which exact link.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
That actually isn't the download page link, that's just a page describing what the downloads are. The actual downloads come from http://download.virtualbox.org/virtualbox/, and it's the transition from https to http while still inside the virtualbox.org domain that seems to be triggering the HSTS problem.
That's why I asked for the exact link, not a generic one. I need to be able to reproduce this behavior, and I haven't so far. So, unless I see a "click on this link" step-by-step, I still believe there was some sort of intervention, human's or add-on's.
@didierg: The admins have confirmed that there is a configuration error on the main virtualbox.org page, which tells your browser that all sub domains should be secure as well.
This error has now been fixed, unfortunately your browser may have cached the incorrect configuration. According to admin Klaus the fix for that should be:
Admin Klaus wrote:
The theoretical fix is to ask all people running into this issue to start again at https://virtualbox.org/ - that should (if I and the browser implementors read the spec the same way) update the cached information correctly, removing the "entire domain can do https" flag.
Another (more brute-force) way to fix it for sure is to locate the "SiteSecurityServiceState.txt" in your Firefox profile. Quit Firefox and remove any "virtualbox.org" references. For the location of your Firefox profile, see: https://security.stackexchange.com/ques ... my-browser
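An added example (not from this thread and not Firefox's code) that models the HSTS cache behaviour discussed above as RFC 6797 specifies it: a cached `includeSubDomains` policy for virtualbox.org forces download.virtualbox.org onto HTTPS, and a corrected header seen on a later visit to the main site replaces the cached flag. The header values and the names `parseSts` and `HstsCache` are assumptions; the thread does not show the real headers.

```javascript
// Added example: minimal model of a browser's HSTS cache per RFC 6797.
// Header values are constructed; the thread does not show the real ones.
function parseSts(header) {
  // Returns { maxAge, includeSubDomains }, or null if max-age is missing or invalid.
  let maxAge = null, includeSubDomains = false;
  for (const part of header.split(';')) {
    const [name, value = ''] = part.trim().split('=');
    const key = name.trim().toLowerCase();
    if (key === 'max-age') {
      const digits = value.trim().replace(/^"(.*)"$/, '$1');
      if (!/^\d+$/.test(digits)) return null;
      maxAge = Number(digits);
    } else if (key === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}
class HstsCache {
  constructor() { this.entries = new Map(); }
  // Called for every response received over a valid HTTPS connection.
  note(host, header, nowSec) {
    const policy = parseSts(header);
    if (!policy) return;
    if (policy.maxAge === 0) { this.entries.delete(host); return; }
    // A fresh header replaces the cached policy, including the subdomain flag.
    this.entries.set(host, { expires: nowSec + policy.maxAge,
                             includeSubDomains: policy.includeSubDomains });
  }
  // True when http://host must be rewritten to https://host before connecting.
  mustUpgrade(host, nowSec) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length - 1; i++) {
      const entry = this.entries.get(labels.slice(i).join('.'));
      if (!entry || entry.expires <= nowSec) continue;
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
}

function demo() {
  const cache = new HstsCache();
  cache.note('virtualbox.org', 'max-age=31536000; includeSubDomains', 0); // misconfigured
  const before = cache.mustUpgrade('download.virtualbox.org', 60);
  cache.note('virtualbox.org', 'max-age=31536000', 120); // corrected header on revisit
  const after = cache.mustUpgrade('download.virtualbox.org', 180);
  return { before, after, apex: cache.mustUpgrade('virtualbox.org', 180) };
}
```

In this model the cached flag only changes when the browser receives a new header from https://virtualbox.org/ itself; requests to the download host never reach a page that could correct it, which is why the stale entry persists until the main site is revisited or the entry is removed from the profile.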