Windows 10, Firefox 54.0.
Both cryptostorm.net and resellers.cryptostorm.ch use the "cryptostorm.ch" cert. Firefox doesn't want to go to those addresses.
It's really weird to see such problems on a crypto-related service.
SSL cert problems with cryptostorm sites
Re: SSL cert problems with cryptostorm sites
+1
Linux, Firefox 55.0.2 + Chromium 60.0.3112.113.
This is extremely annoying, and it makes much of your website content inaccessible.
@CS can you please either buy a wildcard or add a Subject Alternate Name for your many subdomains? I know of at least these SANs needed for cryptostorm.ch
* pki
* haf
* resellers
* bootstrap
* tcp
Unlimited SANs are free with a free Let's Encrypt certificate.
If you insist on sticking with COMODO, then it looks like you'll need either their wildcard cert ($550/yr) or UC cert ($400/yr).
* https://ssl.comodo.com/wildcard-ssl-certificates.php
* https://ssl.comodo.com/unified-communic ... icates.php
After that, can you please look into enabling HSTS (to prevent downgrade attacks), adding HPKP (to pin specific certs & CAs), and adding a CAA record (to help reduce malicious certs from being generated from CAs that you whitelist with HPKP).
I have a guide on doing HPKP properly with Let's Encrypt here, and I'd be happy to offer consulting services if you lack the resources to achieve this:
* https://tech.michaelaltfield.net/2017/0 ... s-encrypt/
Honestly, it's a red flag to any potential buyer that your team doesn't understand security when you have incorrectly configured your https certificates for your web servers.
Michael Altfield
https://www.michaelaltfield.net
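One way to check which of the listed subdomains a server certificate actually covers, as an added example (not code from the thread or from cryptostorm). It uses only Python's standard-library ssl module, applies browser-style SAN matching including the one-label wildcard rule, and uses a constructed sample certificate dict in place of a live one.

```python
"""Check which hostnames a TLS certificate actually covers via its SANs.
Added example, not code from the forum thread or from cryptostorm. SAMPLE_CERT
is a CONSTRUCTED sample in the dict shape returned by
ssl.SSLSocket.getpeercert(); the subdomains are the ones the post lists."""
import socket
import ssl

# Constructed: SANs name only the bare domain and www, the gap the thread
# describes (no wildcard, no per-subdomain SAN).
SAMPLE_CERT = {
    "subject": ((("commonName", "cryptostorm.ch"),),),
    "subjectAltName": (("DNS", "cryptostorm.ch"), ("DNS", "www.cryptostorm.ch")),
}
NEEDED_SUBDOMAINS = ["pki", "haf", "resellers", "bootstrap", "tcp"]

def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive; a wildcard must be the
    whole leftmost label with at least two labels after it, and matches exactly
    one label (*.example.ch covers pki.example.ch, not example.ch or a.pki.example.ch)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False  # partial (p*.) or nested (*.*.) wildcards are rejected
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def coverage(cert: dict, hostnames) -> dict:
    """Map each hostname to the SAN entry covering it, or None if uncovered.
    Only subjectAltName DNS entries count; browsers ignore the subject CN."""
    dns_sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {h: next((s for s in dns_sans if san_matches(s, h)), None) for h in hostnames}

def missing_subdomains(cert: dict, domain: str, subdomains) -> list:
    """Subdomains of `domain` that this cert would fail hostname validation for."""
    report = coverage(cert, [f"{s}.{domain}" for s in subdomains])
    return [h for h, san in report.items() if san is None]

def fetch_cert(host: str, port: int = 443) -> dict:
    """Fetch a live leaf cert for inspection. The chain is still validated
    against system roots; only the hostname check is disabled so a mismatched
    cert (the thread's symptom) can be read instead of rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    print(missing_subdomains(SAMPLE_CERT, "cryptostorm.ch", NEEDED_SUBDOMAINS))
```

Swap `SAMPLE_CERT` for `fetch_cert("cryptostorm.ch")` to run the same report against a live endpoint.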
Re: SSL cert problems with cryptostorm sites
That's an old issue left over from a former admin who liked to use sub-domains instead of /directories just because it "looked cooler" to him, even though I told him from the beginning not to use them.
As a result, a lot of places outside of CS have links to old http://whatever.cryptostorm.ch/ pages that haven't been active since before HTTPS was forced on the forum in early 2013.
I've tried to fix as many broken links as I could find, but I'm sure there's still a bunch in the forum that I've missed.
In the fixed cases, I've converted the old http://whatever.cryptostorm.ch/ format to whatever so that the page is accessible without any SSL errors.
(So http://pki.cryptostorm.ch/ would be accessed at pki, etc.)
As for cryptostorm.net, that's always been a simple redirect to cryptostorm.ch, so anyone going to https://cryptostorm.net/ would be doing so manually (or because of a browser addon). But that shouldn't be linked anywhere, even external to CS since there's never been a webpage on that domain.
EDIT:
As for HSTS and HPKP, the former was causing problems with a lot of browsers caching the incorrect subdomains, and most browsers don't allow you to bypass an HSTS error as you can a plain certificate error. If I remember correctly, the reason we didn't do HPKP on this website or the main cryptostorm.is one was related to those coming here using older browsers (which is often enough that it would cause issues).
Re: SSL cert problems with cryptostorm sites
Thanks for the response. Can you comment on why you can't change to Let's Encrypt? That would be a free cert that would entirely fix this issue. And they've stated that they're going to provide wildcard certificates for free too, in early 2018:
* https://letsencrypt.org/2017/07/06/wild ... -2018.html
Without HSTS, your users are vulnerable to https-stripping attacks
* https://security.stackexchange.com/ques ... work#41991
> As for HSTS and HPKP, the former was causing problems with a lot of browsers caching the incorrect subdomains,
HSTS doesn't actually include subdomains by default. Though there could be some browsers with a poor implementation of it that do. I certainly can't speak to all the silly browsers out there.
Michael Altfield
https://www.michaelaltfield.net
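To make the includeSubDomains point concrete, an added example (not code from the thread or from cryptostorm) that parses a Strict-Transport-Security header the way a browser does and decides whether a policy learned from one host would force HTTPS on a subdomain; the header values are constructed.

```python
"""Parse an HSTS header and test which hosts the learned policy applies to.
Added example, not code from the thread. Header strings are CONSTRUCTED."""
import re

def parse_hsts(header: str):
    """Return {"max_age", "include_subdomains", "preload"} or None if invalid.
    Directive names are case-insensitive (RFC 6797 6.1); unknown directives are
    ignored; without a numeric max-age the header is ignored entirely."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", value):
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def hsts_applies(policy_host: str, policy, target_host: str) -> bool:
    """Would a browser that learned `policy` from `policy_host` force HTTPS for
    `target_host`? The exact host always; subdomains only with includeSubDomains;
    max-age=0 clears the policy. Note that the check is per label, so
    "notcryptostorm.ch" is not a subdomain of "cryptostorm.ch"."""
    if not policy or policy["max_age"] == 0:
        return False
    policy_host, target_host = policy_host.lower(), target_host.lower()
    if target_host == policy_host:
        return True
    return policy["include_subdomains"] and target_host.endswith("." + policy_host)

if __name__ == "__main__":
    plain = parse_hsts("max-age=31536000")           # constructed: no includeSubDomains
    print(hsts_applies("cryptostorm.ch", plain, "pki.cryptostorm.ch"))  # False
```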