
©2024 Poal.co


You may have noticed that nitter.net's SSL certificate expired last night. You may also have noticed that your browser no longer gives you the option to temporarily add an exception for the website.

This change is (supposedly) intended to increase internet security, by preventing people from visiting spoofed websites. I guess I understand; most normies won't read the pop-up and will just bypass the security mismatch. I'd be unsurprised if a few got caught by DNS exploits or drive-bys.

Thing is, this means that if you're unable to obtain a PKI certificate for your website, or if some government invalidates your certificate, you've been effectively censored off the internet. You could put up a plain http server, but then all communications and all URLs visited can be logged by an outsider.

Right now, chrome has a "secret" bypass for the behavior; click on the background of the warning page, type "thisisunsafe" on the keyboard, then reload, and you can get on. Firefox has no such bypass.

Let's please put some pressure on web browser developers to revert this new behavior.


(post is archived)

[–] [Sticky] 6 pts

I can't believe this is the post that caused me to register after lurking since voat went down.

You are misunderstanding the technology. This isn't the browser, it's nitter's requirement. You can view their certificate requirements in your browser.

You can't just "allow" an exception on nitter because nitter REQUIRES a secure connection. Their SSL certificate specifies this. Their certificate flags to use HTTP Strict Transport Security, which ONLY allows secure connections. The reason your nitter plugin or redirect won't work is because they took the precaution to ensure that morons don't just allow an exception in the case that they did become compromised. What you are experiencing is the protection working as intended.

Also, to help you out, there is a maintained daemon that tracks the uptime of nitter instances. Here is a handy link for you - https://github.com/xnaas/nitter-instances

That will show you which nitter instances are working, their uptime, and their response time. You aren't even supposed to make nitter.net your default instance, and because everyone does anyway, it gets rate limited. Nitter is software. Distributed software. You are SUPPOSED to use it distributed. So update your plugin or your bookmark to use an available instance. If you are using Nitter Redirect (plugin/extension), it's as simple as clicking on the icon, then copying/pasting the address for one of the other instances.

I swear, sometimes the tin-foil hats are a wee too tight around here.

Good day, and welcome to the future.

[–] 0 pt

Okay, I posted a message as a quick response, then realized it didn't respond to what you'd actually said. Then I researched it, and now I'm ready to re-reply.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

The stated purpose of "Strict Transport Security" is to prevent HTTP fallback on sites that should only be connected to via HTTPS. It is not to only allow connections with valid certificates, and it shouldn't be made impossible to get around IMO, especially when the connection is via HTTPS, and when I can examine the certificate and see for myself why it's considered invalid.
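For the two posts above on what Strict Transport Security does: RFC 6797 makes two demands of a browser once a host is a "known HSTS host". Plain-http URLs for it are rewritten to https (section 8.3), and any error while establishing the TLS connection, an expired or untrusted certificate included, terminates the connection with no user recourse (sections 8.4 and 12.1), which is why no exception dialog is offered. The Go program below is an added example, not code from the thread or from any browser, that models a tiny HSTS cache with both consequences. The max-age value and the hostnames cdn.nitter.net and example.com are constructed for the example; the thread does not show nitter.net's actual header.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Policy is one cached entry for a host that asked to be treated as HTTPS-only.
type Policy struct{ Expires time.Time; IncludeSubDomains bool }

// Store is a minimal "Known HSTS Host" cache (RFC 6797 terminology). The clock is
// injectable so that expiry can be tested deterministically.
type Store struct {
	policies map[string]Policy
	now      func() time.Time
}

func NewStore(now func() time.Time) *Store {
	return &Store{policies: map[string]Policy{}, now: now}
}

// ParseSTS parses a Strict-Transport-Security header value. ok is false when the
// value is malformed (missing, repeated or non-numeric max-age) and must be ignored.
func ParseSTS(value string) (maxAge int64, includeSub bool, ok bool) {
	for _, directive := range strings.Split(value, ";") {
		parts := strings.SplitN(strings.TrimSpace(directive), "=", 2)
		val := ""
		if len(parts) == 2 {
			val = strings.Trim(strings.TrimSpace(parts[1]), `"`)
		}
		switch strings.ToLower(strings.TrimSpace(parts[0])) {
		case "max-age":
			n, err := strconv.ParseInt(val, 10, 64)
			if ok || err != nil || n < 0 { // repeated or unparsable max-age
				return 0, false, false
			}
			maxAge, ok = n, true
		case "includesubdomains":
			includeSub = true
		}
	}
	return maxAge, includeSub, ok
}

// Observe records a header from host. Only headers received over an error-free HTTPS
// connection count (section 8.1); max-age=0 deletes any cached policy.
func (s *Store) Observe(host, header string, overHTTPS bool) {
	maxAge, sub, ok := ParseSTS(header)
	if !overHTTPS || !ok {
		return
	}
	host = strings.ToLower(host)
	if maxAge == 0 {
		delete(s.policies, host)
		return
	}
	if maxAge > 1<<33 { // cap (~272 years) so the Duration arithmetic cannot overflow
		maxAge = 1 << 33
	}
	expires := s.now().Add(time.Duration(maxAge) * time.Second)
	s.policies[host] = Policy{Expires: expires, IncludeSubDomains: sub}
}

// IsKnownHost reports whether host has an unexpired policy, directly or via an
// includeSubDomains policy on one of its parent domains.
func (s *Store) IsKnownHost(host string) bool {
	host = strings.ToLower(host)
	now := s.now()
	if p, ok := s.policies[host]; ok && now.Before(p.Expires) {
		return true
	}
	labels := strings.Split(host, ".")
	for i := 1; i < len(labels); i++ { // a.b.example -> b.example -> example
		p, ok := s.policies[strings.Join(labels[i:], ".")]
		if ok && p.IncludeSubDomains && now.Before(p.Expires) {
			return true
		}
	}
	return false
}

// Decision is how a conforming user agent handles a navigation to a host:
// the scheme actually used, and whether a certificate error may be clicked through.
type Decision struct{ Scheme, OnCertError string }

// Decide applies the two consequences of a known host: http is rewritten to https,
// and any TLS error terminates with no override ("terminate" vs "allow-override").
func (s *Store) Decide(host, requestedScheme string) Decision {
	if s.IsKnownHost(host) {
		return Decision{Scheme: "https", OnCertError: "terminate"}
	}
	return Decision{Scheme: requestedScheme, OnCertError: "allow-override"}
}

func main() {
	s := NewStore(time.Now)
	// constructed header value; the thread does not show nitter.net's actual policy
	s.Observe("nitter.net", "max-age=31536000; includeSubDomains", true)
	for _, h := range []string{"nitter.net", "cdn.nitter.net", "example.com"} {
		fmt.Printf("%-16s %+v\n", h, s.Decide(h, "http"))
	}
}
```

The cache is keyed by the exact host that sent the header, and a header seen over plain HTTP is discarded, which is what stops an on-path attacker from planting or clearing a policy; the parent-domain walk is what makes includeSubDomains work.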

[–] 1 pt

I was once implementing a library called nopoll, I believe, for websocket use, and I was tasked with setting up our own certificates and making sure it was all actually secure.

I made my own certificates locally to test. Nopoll, like all / many others, treats "self signed" differently from CA-signed. HOWEVER, what was shocking and obviously a deliberately left-out SERIOUS SECURITY HOLE was that even if your cert was CA-signed, it wouldn't actually test to confirm it was legit.

So you could make your own CA for your own cert, use that cert, and then nopoll would act like it was more secure than self-signed without checking it whatsoever. You had to give an extra flag in nopoll for it to actually check the CA.

It made me wonder how many other browsers / libraries etc. are allowing this self-signed-as-non-self-signed cert security hole. Basically this hole literally allows the middleman attack they are censoring sites claiming they are protecting you from.

[–] 1 pt

Note that a lot of antivirus software that scans web pages inserts a special CA into your browser, in order to MITM the connection and see what's going over the wire protocol. And yes, it's a huge potential security hole.

[–] 0 pt

A lot of corporate firewalls do this too. Their machines all have a corporate root certificate installed and they use that to spoof the CA for whatever domain you're visiting so they can MITM whatever you're visiting from the corporate network.
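The nopoll story above and the two replies about antivirus and corporate root certificates are the same point seen from two sides: a certificate chain means nothing on its own, only a chain that ends at a root the client actually trusts does, and whatever is in that trust store can vouch for any hostname. The Go program below is an added example, not nopoll's code and not from the thread, that generates throwaway certificates in memory with the standard library and runs them through crypto/x509 verification in six configurations: self-signed, signed by a private CA the client does not know, signed by a CA the client trusts, the right CA but the wrong hostname, and a leaf issued by an "inspection root" before and after that root is installed in the store. The CA names and the hostnames example.test and other.test are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certKey pairs a certificate with its private key. Everything is generated in
// memory for the example; none of these certificates or names are real.
type certKey struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

var serial int64 // unique serial numbers for the throwaway certificates

// issue makes a certificate for cn with the given SANs. parent == nil means
// self-signed; otherwise it is signed by parent, which must be a CA.
func issue(cn string, dns []string, isCA bool, parent *certKey) *certKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return &certKey{cert: cert, key: key}
}

// verifyFor is the check a TLS client has to make: a chain from leaf to a root in
// the trust store plus a hostname match. A non-nil empty pool means "trust nothing".
func verifyFor(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome is one scenario's result; Reason holds the verifier's error when untrusted.
type Outcome struct{ Name string; Trusted bool; Reason string }

// RunScenarios shows that "signed by a CA" means nothing unless that CA is in the
// client's trust store, and that any root in the store can vouch for any hostname.
func RunScenarios() []Outcome {
	ownCA := issue("Example Private Root", nil, true, nil)
	ownLeaf := issue("example.test", []string{"example.test"}, false, ownCA)
	selfSigned := issue("example.test", []string{"example.test"}, false, nil)
	inspectCA := issue("Example Inspection Root", nil, true, nil) // antivirus/corporate proxy stand-in
	inspectLeaf := issue("example.test", []string{"example.test"}, false, inspectCA)

	nothing := x509.NewCertPool() // empty trust store
	trustOwn := x509.NewCertPool()
	trustOwn.AddCert(ownCA.cert)
	trustBoth := x509.NewCertPool() // same store after an inspection root was installed
	trustBoth.AddCert(ownCA.cert)
	trustBoth.AddCert(inspectCA.cert)

	cases := []struct{ name string; leaf *x509.Certificate; host string; roots *x509.CertPool }{
		{"self-signed leaf, empty store", selfSigned.cert, "example.test", nothing},
		{"CA-signed leaf, CA not in store", ownLeaf.cert, "example.test", nothing},
		{"CA-signed leaf, CA in store", ownLeaf.cert, "example.test", trustOwn},
		{"CA-signed leaf, CA in store, wrong host", ownLeaf.cert, "other.test", trustOwn},
		{"inspection-root leaf, root not in store", inspectLeaf.cert, "example.test", trustOwn},
		{"inspection-root leaf, root installed", inspectLeaf.cert, "example.test", trustBoth},
	}
	var out []Outcome
	for _, c := range cases {
		o := Outcome{Name: c.name, Trusted: true}
		if err := verifyFor(c.leaf, c.host, c.roots); err != nil {
			o.Trusted, o.Reason = false, err.Error()
		}
		out = append(out, o)
	}
	return out
}

func main() {
	for _, o := range RunScenarios() {
		fmt.Printf("%-44s trusted=%-5v %s\n", o.Name, o.Trusted, o.Reason)
	}
}
```

The first two cases fail for the same reason (unknown authority): from the verifier's point of view a leaf signed by a CA nobody trusts is no better than a self-signed one, which is the check the poster says nopoll skipped unless a flag was set. The last two cases are the corporate-proxy and antivirus situation: once an extra root is in the store, a certificate it issues for any name verifies cleanly, so auditing what sits in the trust store is the defender's control here.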

[–] 0 pt

What is nitter.net?

An open-source frontend for Twitter that supposedly improves privacy.

[–] 0 pt

Can confirm. Brave mobile won’t allow access to Nitter.net.

[–] 1 pt

Can confirm. Brave mobile won’t allow access to Nitter.net.

Yep. Just tried it and failed.