
[Solved] download.virtualbox.org uses an invalid security certificate

Posted: 21. Dec 2017, 14:16
by didierg
For some time now, I get the following error when I try to download the extension using Firefox. I have https-everywhere installed but if I disable it I have the same message.
Your connection is not secure
The owner of download.virtualbox.org has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.
download.virtualbox.org uses an invalid security certificate.
The certificate is only valid for the following names: *.akamaized.net, *.akamaihd-staging.net, *.akamaized-staging.net, *.akamaihd.net, a248.e.akamai.net
Error code: SSL_ERROR_BAD_CERT_DOMAIN

Re: download.virtualbox.org uses an invalid security certificate

Posted: 21. Dec 2017, 14:48
by mpack
What is going on? Why are we getting a spate of reports of people making the same dumb error, i.e. their browser trying to check the certificate of an intentionally unsecured site?

http://download.virtualbox.org (note this is NOT https) has no certificate to check.

Could anyone reporting this problem in future please mention which browser and version they are using. If you have some kind of optional malware (aka. antivirus) installed to filter web addresses, then please say which.

Re: download.virtualbox.org uses an invalid security certificate

Posted: 21. Dec 2017, 14:52
by mpack
I have to say that HSTS is new to me. Just reading up on it now. I wonder if this is something that Michael just switched on? Is the problem only affecting recent Firefox?

I think I'll have to mention this to the admins.

Re: download.virtualbox.org uses an invalid security certificate

Posted: 21. Dec 2017, 15:06
by socratis
didierg wrote: I have https-everywhere installed but if I disable it I have the same message.
Please state the exact process by which you ended up getting that link. Where did you click, what page, which exact link.

Re: download.virtualbox.org uses an invalid security certificate

Posted: 21. Dec 2017, 15:39
by erdeslawe
Haven't had any problems with the VirtualBox Site or with downloads, but for reference the addresses shown in Safari (MacOS) are:

VirtualBox Home Page: https://www.virtualbox.org

Menu Links:

Screenshots: https://www.virtualbox.org/wiki/Screenshots
Download Page Link: https://www.virtualbox.org/wiki/Downloads
etc.

Re: download.virtualbox.org uses an invalid security certificate

Posted: 21. Dec 2017, 15:42
by mpack
That actually isn't the download page link, that's just a page describing what the downloads are. The actual downloads come from http://download.virtualbox.org/virtualbox/, and it's the transition from https to http while still inside the virtualbox.org domain that seems to be triggering the HSTS problem.

Re: download.virtualbox.org uses an invalid security certificate

Posted: 21. Dec 2017, 17:41
by Martin
What does your Firefox show in 'about:config' for 'security.mixed_content.use_hsts'?
Here it shows the default = 'false'

Re: download.virtualbox.org uses an invalid security certificate

Posted: 21. Dec 2017, 17:45
by socratis
That's why I asked for the exact link, not a generic one. I need to be able to reproduce this behavior, and I haven't so far. So, unless I see a "click on this link" step-by-step, I still believe there was some sort of intervention, human's or add-on's.

Re: download.virtualbox.org uses an invalid security certificate

Posted: 21. Dec 2017, 18:11
by mpack
@didierg: The admins have confirmed that there is a configuration error on the main virtualbox.org page, which tells your browser that all subdomains should be secure as well.

This error has now been fixed; unfortunately, your browser may have cached the incorrect configuration. According to admin Klaus the fix for that should be:
Admin Klaus wrote: The theoretical fix is to ask all people running into this issue to start again at https://virtualbox.org/ - that should (if I and the browser implementors read the spec the same way) update the cached information correctly, removing the "entire domain can do https" flag.
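
A simplified model of the browser-side HSTS cache behaviour described in the post above, added here as an illustration (it is not part of the original thread and is not Firefox's code). The header values, the `HstsCache` class and `replay` are constructed for the example; the matching rules follow RFC 6797 section 8.

```python
def parse_sts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

class HstsCache:
    """Simplified model of a browser HSTS store (hypothetical helper)."""
    def __init__(self):
        self.entries = {}  # host -> (expiry_time, include_subdomains)

    def note_header(self, host, value, now):
        # Called only for responses received from `host` over valid HTTPS.
        max_age, include_sub = parse_sts(value)
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 deletes the entry
        else:
            self.entries[host] = (now + max_age, include_sub)  # overwrite

    def must_upgrade(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            # Exact match always applies; a parent only with includeSubDomains.
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

def replay():
    """Constructed header values; the thread does not show the real ones."""
    cache, dl = HstsCache(), "download.virtualbox.org"
    cache.note_header("virtualbox.org", "max-age=31536000; includeSubDomains", 0)
    cached_bad = cache.must_upgrade(dl, 60)
    # Visiting www only stores an entry for www; the apex entry is untouched.
    cache.note_header("www.virtualbox.org", "max-age=31536000", 120)
    after_www = cache.must_upgrade(dl, 180)
    # Revisiting the apex overwrites its entry, now without includeSubDomains.
    cache.note_header("virtualbox.org", "max-age=31536000", 240)
    after_apex = cache.must_upgrade(dl, 300)
    return cached_bad, after_www, after_apex, cache.must_upgrade("virtualbox.org", 300)
```

In this model the stale entry is keyed by the host that sent it, which is why the advice is to revisit https://virtualbox.org/ itself rather than any other page on the site.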

Re: download.virtualbox.org uses an invalid security certificate

Posted: 21. Dec 2017, 18:19
by socratis
Another (more brute force) way to fix it for sure is to locate the "SiteSecurityServiceState.txt" in your Firefox profile. Quit Firefox and remove any "virtualbox.org" references. For the location of your Firefox profile, see: https://security.stackexchange.com/ques ... my-browser

Re: download.virtualbox.org uses an invalid security certificate

Posted: 22. Dec 2017, 00:01
by didierg
I get this error when, on the page https://www.virtualbox.org/wiki/Downloads, I click on the link

VirtualBox 5.2.4 Oracle VM VirtualBox Extension Pack All supported platforms

I use firefox-57.0.1-2.fc27.x86_64 with HTTPS Everywhere extension 2017.12.6 disabled.

Re: download.virtualbox.org uses an invalid security certificate

Posted: 22. Dec 2017, 00:05
by didierg
mpack wrote: @didierg: The admins have confirmed that there is a configuration error on the main virtualbox.org page, which tells your browser that all subdomains should be secure as well.

This error has now been fixed; unfortunately, your browser may have cached the incorrect configuration. According to admin Klaus the fix for that should be:
Admin Klaus wrote: The theoretical fix is to ask all people running into this issue to start again at https://virtualbox.org/ - that should (if I and the browser implementors read the spec the same way) update the cached information correctly, removing the "entire domain can do https" flag.
It works!

Thanks for your support.

Re: download.virtualbox.org uses an invalid security certificate

Posted: 22. Dec 2017, 10:23
by mpack
Great, thanks for confirming.