https on bluelight.ru/bluelight.org broken ?

[allsprk]

I see:

when i try to access https://bluelight.org which the certificate is valid for but bluelight.ru has the wrong certificate set. i dont know if you guys are aware of this but ssl certificates nowadays are free and there is really no excuse for not protecting your users with proper certificates, especially considering the nature of this site.

i can only hope that this site not implementing proper https is an oversight and not intentional.

happy trails

 

[swilow]

I'm pretty sure the site is implementing it, at least according to this post. Perhaps you should email or report this?

 

[allsprk]

implementing https ssl is as easy as getting a free letsencrypt certificate and adding 2 lines to your webserver + permanent 302 redirect to force http traffic onto the new protocol. even if some sort of legacy implementation of vbulletin is preventing the site from converting to full https, it would take something on the order of 10 minutes to 10 days. the last post in that threat is from 01-11-2016, it is 11-07-2016 over 10 months.

it's very easy for me to conclude this is something other than a technical problem, but i'm going to retire my tin foil hat for today. alasdairm contacted me regarding an unrelated issue, but hopefully while i have his ear i can figure this out. it's always disturbing to me to see a website with sensitive content matter not value it's users privacy

 

[alasdairm]

both https://www.bluelght.org and https://bluelight.org are fine for me. for which specific URL are you seeing that error?

alasdair

 

[allsprk]

on https://bluelight.org/ i get the error i linked in my first post above
on https://www.bluelight.org/ i get mixed content warning, but otherwise it seems ok.
on https://bluelight.ru/ i get:

because there is no certificate for bluelight.ru installed, instead it's failing over to bluelight.org's certificate.

also, here's a quick ssl security audit on bluelight.org. it appears it's up to date and not vulnerable which is a good thing.

###########################################################
    testssl.sh       2.8rc2 from https://testssl.sh/dev/
    (d32dbda 2016-10-12 21:15:37 -- 1.558)

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Start 2016-11-07 16:39:33    -->> 85.17.82.133:443 (bluelight.org) <<--

 rDNS (85.17.82.133):    bluelight.org.
 Service detected:       HTTP


 Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)

 SSLv2               not offered (OK)
 SSLv3               not offered (OK)
 TLS 1               offered
 TLS 1.1             offered
 TLS 1.2             offered (OK)
 Version tolerance   downgraded to TLSv1.2 (OK)
 SPDY/NPN            not offered
 HTTP2/ALPN          http/1.1 (offered)

 Testing ~standard cipher lists

 Null Ciphers                 not offered (OK)
 Anonymous NULL Ciphers       not offered (OK)
 Anonymous DH Ciphers         not offered (OK)
 40 Bit encryption            not offered (OK)
 56 Bit encryption            not offered (OK)
 Export Ciphers (general)     not offered (OK)
 Low (<=64 Bit)               not offered (OK)
 DES Ciphers                  not offered (OK)
 "Medium" grade encryption    not offered (OK)
 Triple DES Ciphers           offered
 High grade encryption        offered (OK)


 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption as well as 3DES an

 PFS is offered (OK)          DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES25 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RS
 Elliptic curves offered:     sect571r1 sect571k1 sect409k1 sect409r1 sect283k1 sect283r1 prime256v1 secp521r1


 Testing server preferences

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH
 Cipher order
    TLSv1:     ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES2
    TLSv1.1:   ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES2
    TLSv1.2:   ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES25A DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA DES-CBC3-SHA


 Testing server defaults (Server Hello)

 TLS extensions (standard)    "server name/#0" "renegotiation info/#65281" "EC point formats/#11" "session tic
 Session Tickets RFC 5077     300 seconds (PFS requires session ticket keys to be rotated <= daily)
 SSL Session ID support       yes
 TLS clock skew               random values, no fingerprinting possible
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 2048 bits
 Fingerprint / Serial         SHA1 A92E6694C7B511A7895AC9D7756ECB03B695DF08 / B06F8810195A3CBC087F8BA45B0D57D1
                              SHA256 085ED2B235272F7643CE0CC541E35E46BB3BC6DCDCDFCC7E51237AFC4298DCF8
 Common Name (CN)             "www.bluelight.org"
 subjectAltName (SAN)         "www.bluelight.org" "bluelight.org"
 Issuer                       "COMODO RSA Domain Validation Secure Server CA" ("COMODO CA Limited" from "GB")
 Trust (hostname)             Ok via SAN (works w/o SNI)
 Chain of trust               Ok
 EV cert (experimental)       no
 Certificate Expiration       818 >= 60 days (2014-02-03 19:00 --> 2019-02-03 18:59 -0500)
 # of certificates provided   4
 Certificate Revocation List  http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
 OCSP URI                     http://ocsp.comodoca.com
 OCSP stapling                offered


 Testing HTTP header response @ "/"

 HTTP Status Code             302 Found, redirecting to "/vb/content.php"
 HTTP clock skew              0 sec from localtime
 Strict Transport Security    --
 Public Key Pinning           --
 Server banner                Apache
 Application banner           --
 Cookie(s)                    (none issued at "/") -- maybe better try target URL of 30x
 Security headers             --
 Reverse Proxy banner         --


 Testing vulnerabilities

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), timed out
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no HTTP compression (OK)  - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507),             Downgrade attack prevention supported (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (2016-0800, CVE-2016-0703)          not vulnerable on this port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabl
                                           https://censys.io/ipv4?q=085ED2B235272F7643CE0CC541E35E46BB3BC6DCDC
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. See below for any D
 BEAST (CVE-2011-3389)                     TLS1: DES-CBC3-SHA AES128-SHA
                                                 DHE-RSA-AES128-SHA AES256-SHA DHE-RSA-AES256-SHA
                                                 CAMELLIA128-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA256-SHA
                                                 DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256
                                           VULNERABLE -- but also supports higher protocols (possible mitigati
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Testing all 183 locally available ciphers against the server, ordered by encryption strength

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.  Encryption Bits     Cipher Suite Name (RFC)
--------------------------------------------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM    256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 256   AES       256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES       256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM    256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 x6b     DHE-RSA-AES256-SHA256             DH 2048    AES       256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 x39     DHE-RSA-AES256-SHA                DH 2048    AES       256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 x88     DHE-RSA-CAMELLIA256-SHA           DH 2048    Camellia  256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
 x9d     AES256-GCM-SHA384                 RSA        AESGCM    256      TLS_RSA_WITH_AES_256_GCM_SHA384
 x3d     AES256-SHA256                     RSA        AES       256      TLS_RSA_WITH_AES_256_CBC_SHA256
 x35     AES256-SHA                        RSA        AES       256      TLS_RSA_WITH_AES_256_CBC_SHA
 x84     CAMELLIA256-SHA                   RSA        Camellia  256      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM    128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 256   AES       128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES       128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM    128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 x67     DHE-RSA-AES128-SHA256             DH 2048    AES       128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 x33     DHE-RSA-AES128-SHA                DH 2048    AES       128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 x45     DHE-RSA-CAMELLIA128-SHA           DH 2048    Camellia  128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
 x9c     AES128-GCM-SHA256                 RSA        AESGCM    128      TLS_RSA_WITH_AES_128_GCM_SHA256
 x3c     AES128-SHA256                     RSA        AES       128      TLS_RSA_WITH_AES_128_CBC_SHA256
 x2f     AES128-SHA                        RSA        AES       128      TLS_RSA_WITH_AES_128_CBC_SHA
 x41     CAMELLIA128-SHA                   RSA        Camellia  128      TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
 x0a     DES-CBC3-SHA                      RSA        3DES      168      TLS_RSA_WITH_3DES_EDE_CBC_SHA


 Running browser simulations via sockets (experimental)

 Android 2.3.7                 TLSv1.0 DHE-RSA-AES128-SHA
 Android 4.0.4                 TLSv1.0 ECDHE-RSA-AES128-SHA
 Android 4.1.1                 TLSv1.0 ECDHE-RSA-AES128-SHA
 Android 4.2.2                 TLSv1.0 ECDHE-RSA-AES128-SHA
 Android 4.3                   TLSv1.0 ECDHE-RSA-AES128-SHA
 Android 4.4.2                 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Android 5.0.0                 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Baidu Jan 2015                TLSv1.0 ECDHE-RSA-AES128-SHA
 BingPreview Jan 2015          TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Chrome 47 / OSX               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Firefox 31.3.0ESR / Win7      TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Firefox 42 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 GoogleBot Feb 2015            TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 IE 6 XP                       No connection
 IE 7 Vista                    TLSv1.0 ECDHE-RSA-AES128-SHA
 IE 8 XP                       TLSv1.0 DES-CBC3-SHA
 IE 8-10 Win 7                 TLSv1.0 ECDHE-RSA-AES128-SHA
 IE 11 Win 7                   TLSv1.2 DHE-RSA-AES128-GCM-SHA256
 IE 11 Win 8.1                 TLSv1.2 ECDHE-RSA-AES128-SHA256
 IE 10 Win Phone 8.0           TLSv1.0 ECDHE-RSA-AES128-SHA
 IE 11 Win Phone 8.1           TLSv1.2 ECDHE-RSA-AES128-SHA256
 IE 11 Win Phone 8.1 Update    TLSv1.2 DHE-RSA-AES128-GCM-SHA256
 IE 11 Win 10                  TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Edge 13 Win 10                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Edge 13 Win Phone 10          TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Java 6u45                     TLSv1.0 DHE-RSA-AES128-SHA
 Java 7u25                     TLSv1.0 ECDHE-RSA-AES128-SHA
 Java 8u31                     TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 OpenSSL 0.9.8y                TLSv1.0 DHE-RSA-AES128-SHA
 OpenSSL 1.0.1l                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 OpenSSL 1.0.2e                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Safari 5.1.9 OS X 10.6.8      TLSv1.0 ECDHE-RSA-AES128-SHA
 Safari 6 iOS 6.0.1            TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 6.0.4 OS X 10.8.4      TLSv1.0 ECDHE-RSA-AES128-SHA
 Safari 7 iOS 7.1              TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 7 OS X 10.9            TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 8 iOS 8.4              TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 8 OS X 10.10           TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 9 iOS 9                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Safari 9 OS X 10.11           TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256

 Done 2016-11-07 16:42:49    -->> 85.17.82.133:443 (bluelight.org) <<--

maybe just redirect users from bluelight.ru and bluelight.org to -> https://www.bluelight.org if thats the only thing working right now ?