
Rob Biller
@comcastbusiness.net

Rob Biller

Anon

Certificate problems?

This might be a PEBKAC error, but...
I'm getting certificate errors when I try to connect to »businessclass.comcast.net, it complains about invalid certificate (signed by unknown authority). I'm getting this problem with recent versions of Firefox on Ubuntu, as well as an older version of Safari on OS X. The site used to work for me, so I don't know if I'm doing something wrong, or something has changed on Comcast's side.

I go to »business.comcast.com/ and hit the 'login' button under the 'existing customers' section, and that is when I get the certificate error. It is not a self signed certificate, it shows it as "VeriSign Class 3 Secure Server CA - G2". Some googling shows a few other people having similar problems, but I didn't find any helpful info.

Anybody else getting this problem? Suggestions? (Aside from ignoring the warning.)

leibold
MVM
join:2002-07-09
Sunnyvale, CA
Netgear CG3000DCR
ZyXEL P-663HN-51

leibold

MVM

At the Verisign Support site you can download the CA certificate (public key) and import it into your browser. This enables your browser to verify the certificate you receive from comcast and eliminates the warning.

Rob Biller
@comcastbusiness.net

Rob Biller

Anon

Ok, that's useful. But why do I have to do this in the first place?

If I didn't screw up, then that means either Comcast or Verisign did. Or both Firefox and Safari did. So what is causing the problem? I checked on an older Safari install, and it worked. So does that mean the VeriSign Class 3 Secure Server CA - G2 is deprecated or something? Is this Comcast's fault for using it? Firefox (and Safari!) for not including it?

What is going on? It's not good to train users to click 'ignore' on security warnings (which is why I object to the way Firefox throws a fit about self signed certificates), and it's even worse if they have to manually download a certificate.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

2 edits

1 recommendation

Mele20 to Rob Biller

Premium Member

to Rob Biller
VeriSignClas···.crt.zip
1,688 bytes
VeriSign Class 3 Secure Server CA-G2 - G2 Cert
Opera 10.62 and Opera 11 beta have zero problems with that cert, but my ancient Fx 1.5 returns the same error you are seeing. There is nothing wrong with the certificate from businessclass.comcast.net issued by Verisign. It is a problem with Fx. You should report it on the official Mozilla forums or at mozilla.dev.tech.crypto News Group.

I have Safari for Windows 5.0.2 and it has no problems with the cert.

Your Fx is apparently missing a Verisign cert. There are two Verisign certs in the chain that certify businessclass.comcast.net. My old Fx that throws the error is also missing one of the Verisign certs. How old is your Fx? It should have come with that cert installed. You have Verisign Root 1 (VeriSign Class 3 Public Primary CA - G2) installed in your Fx certificate store. What you need is the cert issued from Root 1 and that is the VeriSign Class 3 Secure Server CA - G2. You can't get that at the link leibold gave. It was issued in 2009.

IE 6 there doesn't like the site. It says the site is actually insecure because it has both secure and insecure items on the page and it refuses to give it a lock unless I tell it to block all insecure items on the page. I don't know what IE 8 would say as I would have to start a virtual machine where I have IE8.

Edit: I started a virtual machine that has Fx 3.0 and I exported the cert you need and have uploaded it. Just install it in your Fx certificate store. My Fx 3.0 has no problems with the site in question because it has the Verisign cert in its store.

leibold
MVM
join:2002-07-09
Sunnyvale, CA
Netgear CG3000DCR
ZyXEL P-663HN-51

1 recommendation

leibold to Rob Biller

MVM

to Rob Biller
I didn't look into the details of the specific certificates, but generally there are two ways the nuisance (it is not a serious problem) can be avoided.

1.) Your operating system or your browser (depending on which software is providing and managing the certificate store) could have been updated with the certificates for all root and intermediary Certificate Authorities. This would allow your browser to verify a certificate for a website if it is signed by an Intermediary CA instead of a Root CA.

2.) The website you are accessing could have provided the certificate for the Intermediate CA to your browser which would have allowed your browser to follow the certificate chain up to the Root CA (which it probably knows already). This is the recommended way to configure a webserver when using certificates from Intermediary CAs since there are always going to be users who don't have all the CA certificates. There is no harm in providing the extra certificate to a browser who already has it, but for a high volume secure website with many small transactions this can add significantly to the bandwidth usage.
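
The two cases leibold describes can be reproduced offline, as an added example that is not part of the original post: a throwaway root, intermediate and site certificate (all names constructed) are generated with `openssl`, and `openssl verify -untrusted` stands in for a server that sends the intermediate during the handshake.

```shell
#!/bin/sh
# Added example: throwaway certificates with constructed names, not VeriSign's.

build_chain() {   # build_chain DIR: root -> intermediate -> site certificate
    d=$1
    # Minimal config so the run does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = req' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/demo.cnf"
    # Self-signed root CA: the only certificate the client trusts at first.
    openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/demo.cnf" -extensions v3_ca \
        -out "$d/inter.pem" 2>/dev/null
    # Site certificate, signed by the intermediate rather than by the root.
    openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=portal.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# verify_leaf TRUST_BUNDLE LEAF [extra `openssl verify` options]
# Succeeds only if the leaf chains to a certificate in TRUST_BUNDLE.
verify_leaf() {
    trust=$1 leaf=$2; shift 2
    openssl verify -CAfile "$trust" "$@" "$leaf" 2>/dev/null | grep -q ': OK$'
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
build_chain "$work"
cat "$work/root.pem" "$work/inter.pem" > "$work/store.pem"

# Server sends only its own certificate; client store holds only the root.
verify_leaf "$work/root.pem" "$work/leaf.pem" ||
    echo "root-only store, leaf only:         unknown issuer"
# Fix 1: the intermediate is added to the client's certificate store.
verify_leaf "$work/store.pem" "$work/leaf.pem" &&
    echo "store with intermediate:            OK"
# Fix 2: the server sends the intermediate; -untrusted models that.
verify_leaf "$work/root.pem" "$work/leaf.pem" -untrusted "$work/inter.pem" &&
    echo "root-only store, chain from server: OK"
```

Against a live server, `openssl s_client -connect HOST:443 -showcerts` lists the certificates the server actually sends, which shows whether the intermediate is included.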

JLevinworth
@embarqhsd.net

JLevinworth to Rob Biller

Anon

to Rob Biller
I looked at the (generated) source code of that page; the cert, and I'm using FF.

Looking at the source code provided to me of cbc page it shows tracking code is going to other domains, which are non-ssl.

This code appears to be typical web analytics stuff, but this would trip the browser for mix-content issues, due to the http (see http sites below) on an httpS page. Also the cert trips for not being the domain name the cert was issued to authenticate the identity of: businessclass.comcast.net. (See https site below.) In other words, they're doing it wrong.

Adblocking the following took care of it:

https://4qinvite.4q.iperceptions.com/^
http://www.omniture.com/^
http://comcastworkplacestaging.112.2O7.net/^
 
YMMV if they (Comcast page or the web tracking/analytic providers) are serving up something different to you, which is the dynamic nature of the web.

-Jim
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to leibold

Premium Member

to leibold
I don't think mixed content is the problem because this is what I see on Fx 1.5. You can clearly see that my old Fx is missing that intermediate cert so while it has the Root cert from Verisign it can't follow the chain up to that because the intermediate one is missing.

Edit: Here's what Fx 3 shows.

JLevinworth
@embarqhsd.net

JLevinworth

Anon

Don't have time to do a screen cap, but I got a mix content warning from FF. v.3.6.12. I have the warning set to show a mix content warning (Tools > Options > Security >[ Settings ] ).

The source I get does show mix content (view source, and search for http: references; also there is a .js file too), and external references. Maybe I am being directed elsewhere, but I get this clicking on the login button under existing customers, which goes to a portal address: »businessclass.comcast.ne ··· itorhome

Not doubting what you are finding, this is just what's coming up for me and sharing if it helps.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

Could be because you are on Fx 3.6. I stopped with 3.0 as I mostly use Opera now. I did think Proxo might be killing ads and thus no mixed content so I tried the login with Proxo enabled and then bypassed. Only difference I saw on Fx 3 was with Proxo bypassed I got a couple of ads and a request from a third party ipixel site to set a cookie. I don't recall a setting in Fx 3.0 for showing/not showing mixed content and I have to leave now but when I get back I'll check that out.

JLevinworth
@embarqhsd.net

JLevinworth

Anon

said by Mele20:

Could be because you are on Fx 3.6. I stopped with 3.0 as I mostly use Opera now. I did think Proxo might be killing ads and thus no mixed content so I tried the login with Proxo enabled and then bypassed. Only difference I saw on Fx 3 was with Proxo bypassed I got a couple of ads and a request from a third party ipixel site to set a cookie. I don't recall a setting in Fx 3.0 for showing/not showing mixed content and I have to leave now but when I get back I'll check that out.

Sounds good.

The ipixel you mention, see if it matches up with the URLs in here:
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
=0)document.write(unescape('%3C')+'\!-'+'-')
//--><A HREF="http://www.omniture.comtitle=WebAnalytics"><IMG SRC=""></a>
 
 

When I look at the generated source code, the above code snip is almost at the very bottom. It's pixel size, and coming from a non-ssl site and on another domain... (which, as you know, mixed content is not preferable, but ok from same domain but not from another domain as far as the cert's concerned.)

When you can, see if that coincides with what you find too.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

Maybe Comcast read this thread?

I just got back and was going to test further and look at the pixel cookie, etc. I was on Fx 3.0 on my virtual machine and I got a BLANK page when I tried to go to business.comcast.com. I tried several times and kept getting a blank page. I thought I had a connection problem except dslr was fine. So, I went to my host machine and tried to go there on Opera 10.62. Opera gave me the error. Fx should have given me that error. I wonder why it didn't.

I checked Fx options and it has the notify if a page has mixed content check marked. So, why didn't Fx notify me of that? I recall now that I have seen Fx notify me of mixed content back when I was using it most of the time. I've been having loading problems with that Fx 3 and last week had to disable my theme and use the default one just to get Fx to load outside Fx safe mode so maybe I have a corrupted profile, etc. and that might explain why I got a blank page and also why Fx did not notify earlier about mixed content when I bypassed Proxo and went there and saw ads.