Webshield invalid certificate for cloudflare site

system · 2015-10-09T23:32:20.000Z

Hi, I have been using cloudflare and avast for a very long time and didnt had a problem until today when I and some users from my site who use avast got this error

http://prntscr.com/8pndb1

Please check as I will regret if I need to uninstall avast or to recommend my users to do that as I believe avast is the best antivirus on this days.

Thank you.

polonus · 2015-10-10T00:31:28.000Z

Hi freyre,

Well that particular certificate had expired and all others will expire in 7 days.
Re: https://www.fairssl.se/en/ssltest for cloudflaressl.com
See also: http://toolbar.netcraft.com/site_report?url=http://sni112500.cloudflaressl.com
Now unable to contact that server.
With the certificate see here a a typical error replacement certificate after it has expired, rather than before.

Signature Algorithm: SHA1+RSA is weak and there are University researcher proposals to slowly phase this out,
because now at a cost that stands at $ 75.000 the algorithm can be hacked
(coming into reach for cybercriminals to abuse this for specific targeted attacks).

So when Cloudflare wants you for a cheap ride saving on the penny to earn a pound,
you should be glad you are made aware of that fact now.
Big Corporational “Scrooge” mentality backfiring here.

Secure Cookie Warning: Secure cookies: Warning
Requested URL: https://cloudflaressl.com/ | Response URL: https://cloudflaressl.com/ | Page title: CloudFlare API 4 Documentation | HTTP status code: 200 (OK) | Response size: 1,687,808 bytes (gzip’d) | Duration: 12,058 ms
Overview
Cookies served over HTTPS but not flagged as “secure” may be sent over an insecure connection by the browser. Often this may be a simple request for an asset such as a bitmap file but if it’s on the same domain as the cookie is valid for then it will be sent in an insecure fashion. This poses a risk of interception via a man in the middle attack.

Result
It looks like a cookie is being served over HTTPS without the “secure” flag being set (name : value):

__cfduid : dd54943700b9995d5503cb0fbdccd17e01444436977
Unless the cookie needs to be sent over an insecure connection, the “secure” flag should always be set to ensure it can only be sent with an HTTPS request.

polonus (volunteer website security analist and website error-hunter0

polonus · 2015-10-10T13:04:11.000Z

There must be something not right with that certificate as I could not even check on it here: https://certificate.revocationcheck.com/sni112500.cloudflaressl.com
No match for “SNI112500.CLOUDFLARESSL.COM”.
It is a Global Sign verified certificate and even they are unable to resolve the domain name “Unable to resolve domain name” →
https://globalsign.ssllabs.com/analyze.html?d=sni112500.cloudflaressl.com

So probably you are barking up the wrong tree and should ask either cloudflare or GlobalSign why that certificate is being flagged.

polonus

Milos · 2015-10-13T07:34:09.000Z

freyre post:1:

Hi, I have been using cloudflare and avast for a very long time and didnt had a problem until today when I and some users from my site who use avast got this error

http://prntscr.com/8pndb1

Please check as I will regret if I need to uninstall avast or to recommend my users to do that as I believe avast is the best antivirus on this days.

Thank you.

Hello freyre,
do you use Win XP? This system sometimes cannot handle new certificates because they use new standards. We are working on our own authentication without using Windows API (maybe in v.2016 R2 or R3). If you don’t want to see this message disable https scanning in settings.

Milos

system · 2015-10-26T20:06:07.000Z

Hi Polonus.

These are the rest of the directions, based on Milos’ instruction:

Left click on the avast! icon in your system tray.
Click on Open Avast user interface.
At the bottom of the new menu, click on Settings.
At the top of the new menu, click on Active Protection.
In the Active Protection window, go down to the “Web Shield” line and click on Customize, which opens the Web Shield Settings / Main Settings window.

Uncheck “Enable HTTPS scanning” and close and exit out of the bloated avast! interface.

Firefox has an add-on called Calomel SSL Validation, which will give you a summary and “security grade” for the webpage that you’re viewing. The one that avast! was blocking until I disabled the HTTPS Scanning is rated by Calomel “93%,” which is pretty high, and says they’re using TLS 1.2, which is the most modern security available for webpages (or something like that, see https://en.wikipedia.org/wiki/Transport_Layer_Security).

So, avast! was blocking a webpage even though it had the latest security. Milos says it was XP’s fault for being too old to read modern certificates. If that’s the case, then I suppose all antivirus programs will have the same problem on our XP machines when they see these new certificates.

In summary, Polonus, I hope you and I are both looking at strategies for updating our computers to a modern OS. Recommend checking out http://distrowatch.com/dwres.php?resource=major and http://distrowatch.com/

For upgrading our computers, the most important thing is backing up our data files in one or two places. And take a screen shot or write down the list of all the programs you have installed on XP. Then when you get a new operating system, you will have all your data files, and you can re-install the programs that you had on XP, or close approximations thereof. And program licenses will also need to be backed up. Firefox bookmarks, at least, should be backed up and exported to a file.

I know you never said you have Firefox, but I like saying its name.

If you’re rich, you can always get a new computer, and keep the old computer running until you’re sure you’ve gotten all the data and information off of it that you’ll need. At that point, I would say that AMD and core-2-duo-and-older computers should be electronics-recycled. i3, i5, and i7 computers should be shined up, brought flowers, and allowed at the dinner table and under the bed covers.

Best luck.

Thanks to Milos for pointing out the offending checkbox. Google went right to him.

bigwilly_312000 · 2015-10-26T20:59:04.000Z

nei1 post:5:

Hi Polonus.

These are the rest of the directions, based on Milos’ instruction:

Left click on the avast! icon in your system tray.
Click on Open Avast user interface.
At the bottom of the new menu, click on Settings.
At the top of the new menu, click on Active Protection.
In the Active Protection window, go down to the “Web Shield” line and click on Customize, which opens the Web Shield Settings / Main Settings window.

Uncheck “Enable HTTPS scanning” and close and exit out of the bloated avast! interface.

Firefox has an add-on called Calomel SSL Validation, which will give you a summary and “security grade” for the webpage that you’re viewing. The one that avast! was blocking until I disabled the HTTPS Scanning is rated by Calomel “93%,” which is pretty high, and says they’re using TLS 1.2, which is the most modern security available for webpages (or something like that, see https://en.wikipedia.org/wiki/Transport_Layer_Security).

So, avast! was blocking a webpage even though it had the latest security. Milos says it was XP’s fault for being too old to read modern certificates. If that’s the case, then I suppose all antivirus programs will have the same problem on our XP machines when they see these new certificates.

In summary, Polonus, I hope you and I are both looking at strategies for updating our computers to a modern OS. Recommend checking out http://distrowatch.com/dwres.php?resource=major and http://distrowatch.com/

For upgrading our computers, the most important thing is backing up our data files in one or two places. And take a screen shot or write down the list of all the programs you have installed on XP. Then when you get a new operating system, you will have all your data files, and you can re-install the programs that you had on XP, or close approximations thereof. And program licenses will also need to be backed up. Firefox bookmarks, at least, should be backed up and exported to a file.

I know you never said you have Firefox, but I like saying its name.

If you’re rich, you can always get a new computer, and keep the old computer running until you’re sure you’ve gotten all the data and information off of it that you’ll need. At that point, I would say that AMD and core-2-duo-and-older computers should be electronics-recycled. i3, i5, and i7 computers should be shined up, brought flowers, and allowed at the dinner table and under the bed covers.

Best luck.

Thanks to Milos for pointing out the offending checkbox. Google went right to him.

this HTTPs scanning problem is also affecting users on windows vista , 7 & 8 & 10
so it’s not limited to XP.

system · 2015-10-27T00:59:17.000Z

this HTTPs scanning problem is also affecting users on windows vista, 7, 8, & 10, so it’s not limited to XP.

OK then.

I just got the avast-cloudflare popup when I went to a webpage that didn’t seem to have anything to do with cloudflare. On Firefox, I did View Page Source (right click on the webpage), and there was no mention of Cloudflare. I tried, but avast! wouldn’t let me download the webpage.

A few weeks ago, I was having a forum-discussion about windows.uservoice.com allegedly being an official feedback vector to Microsoft for people that are dying to give 'em feedback. A quick “who-is” of uservoice.com showed they’re owned by Cloudflare – not Microsoft. I said that they are full of baloney, that they’re accepting a whole lot of discussion on their website but it doesn’t have anything to do with Micro$oft. For the record, then someone found a link on microsoft.com that leads to windows.uservoice.com, so I had to eat my words.

(I’m still not convinced there’s significant data-sharing between uservoice and microsoft. Maybe some microsoft folks take a bi-yearly visit to uservoice for laughs…)

During the discussion, I took a quick visit to Cloudflare’s webpage and Uservoice’s webpage. I didn’t learn anything, except Uservoice is in the business of providing webspace for people that are aching to leave feedback about stuff, and Cloudflare was offering more-general internet services that I didn’t understand.

After that, within a day or two, I got my first avast-cloudflare pop-up and webpage blockage, and I wasn’t anywhere around uservoice or cloudflare. Just like today.

I just searched my Firefox cookies for cloudflare, and nothing came up.

Huh, I found one cookie for uservoice named “__cfduid” It was going to expire Sept 30 2016. I deleted it.

Can a cookie create pop-ups, like a bit of spyware? Can a cookie manipulate avast! into blocking a webpage and popping up a warning?

When I click on the avast! system-tray icon to “show last pop-up message,” it still shows me the cloudflaressl.com pop up. So it’s really an avast! pop-up, attached.

system · 2015-10-27T01:49:30.000Z

By the way, the website that was giving me the avast!-cloudflare pop-up was governmentjobs.com.

As soon as I unchecked the “Enable HTTPS scanning” checkbox, I was able to get into the domain and take care of my business.

Somehow, I think unchecking that checkbox is a workaround, and something needs to be fixed so I can re-check the checkbox.

By the way, forum.avast.com gets a 100% score from my Firefox Calomel-Add-On. Attached. We need more graphics to break things up.

The theory that the cloudflare popup is a problem with XP not being able to handle “new certificates” doesn’t seem to be the problem, since all the later Windows are having trouble with the cloudflare pop-up, too.

Maybe it’s not a certificate problem at all. Maybe it’s just avast! doing something funky and needs to be fixed. Maybe it’s too bad for Cloudflare that the avast! problem is making them look suspicious, when they’re actually not doing anything wrong, maybe.

I mean, it seems that Cloudflare’s “uservoice” website is a little “weird,” making believe that they’re an official feedback repository for a variety of businesses when actually the vector between the feedbacks and the intended businesses is actually very unofficial, but that doesn’t mean they really have a certificate problem.

Next step is to use Firefox’s “View Page Info” function to see those suspicious certificates.

Well, the website that gave me the most recent pop-up was governmentjobs.com. The issuer of their certificate is thawte, Inc. There’s nothing in the certificate information (that I saw) that has anything to do with Cloudflare. Therefore, it isn’t easy for this layman to understand why governmentjobs.com is setting off an avast!-cloudflare red-alert, and block the page from downloading.

system · 2015-10-27T11:37:12.000Z

I wish avast! would do something about these darn pop-ups. I know the pages I am visiting are safe, yet the pop-up warnings persist. They even manage to block a few sites. It’s a chore.

CraigB · 2015-10-27T11:54:12.000Z

lcalee post:9:

I wish avast! would do something about these darn pop-ups. I know the pages I am visiting are safe, yet the pop-up warnings persist. They even manage to block a few sites. It’s a chore.

How do you know the pages are safe? what are you scanning them with for a second opinion?

Please tell us which pages/url’s you are getting popups from and make the url’s un-clickable

glnz · 2015-10-31T16:22:51.000Z

I and another Avast forum member are having the same problem, and we have posted at

https://forum.avast.com/index.php?topic=178308.msg1263354#msg1263354

Avast, please check this better. Most of us do not understand certificates or what this means.

glnz · 2015-11-12T18:09:08.000Z

Hey - Avast - is there anything new on this?

bob3160 · 2015-11-12T18:24:59.000Z

glnz post:12:

Hey - Avast - is there anything new on this?

Are you using the latest version of Avast ???
https://forum.avast.com/index.php?topic=178580.0

system · 2015-11-23T19:51:14.000Z

I’m going to jump in here, because in the last few days I am also getting that annoying pop-up about CloudFlare’s SSL certificate (279221, in this case) not being valid when I go to one specific site’s shopping cart page to check out.

Here is the kicker: The site (which is a reputable seller of home medical care products) has a backdoor to a server which is not hooked up to CloudFlare, and Avast still pops up its little warning box and refuses to allow access to the page.

The problem is somewhere in Avast. I have the current version (upgraded when I renewed a few months back) but if this is what I’m going to keep experiencing I’m going to uninstall it and demand a refund on my renewal.

Eddy · 2015-11-23T20:04:19.000Z

I have the current version (upgraded when I renewed a few months back)

The latest version was released 20 days ago, not months. https://forum.avast.com/index.php?topic=178580.0

And the latest beta has been released 3 days ago:
https://forum.avast.com/index.php?topic=179386.0

system · 2016-01-10T14:51:03.000Z

And the problem quietly slunk into the inky blackness. No recognition of extended customer dissatisfaction and trouble, no communications with the forum participants that brought the problem to avast!'s attention. God forbid, no apology or explanation…

This thread: 3142 Views. It was a very serious problem.

glnz · 2016-01-10T15:24:24.000Z

To bob3160 - Yes, Bob, and in fact my current version is even more recent than the one in your link. Happy New Year, by the way.

DavidR · 2016-01-10T16:22:20.000Z

glnz post:17:

To bob3160 - Yes, Bob, and in fact my current version is even more recent than the one in your link. Happy New Year, by the way.

Only because his post was from over a month and a half ago, you have to take things like that into consideration.

The point was to ensure that you always have the latest avast version, any fixes (as and when found, confirmed) will be made to the latest version at that point in time.

Announcements