Hi all.
The number of websites unusable with XP is increasing, due to the "invalid
certificate".
1) is there an easy way to install other certificates on XP?.
2) even if the certificate is invalid, the browser offers the option to
continue. What may be the risk of continuing?

GF

Try MyPal browser.

G.F. wrote:
> Hi all.
> The number of websites unusable with XP is increasing, due to the "invalid
> certificate".
> 1) is there an easy way to install other certificates on XP?.
> 2) even if the certificate is invalid, the browser offers the option to
> continue. What may be the risk of continuing?
>
> GF
>
>

On Fri, 1 Oct 2021 16:02:46 +0200, "G.F." <nospam@grazie.it> wrote:

>Hi all.
>The number of websites unusable with XP is increasing, due to the "invalid
>certificate".
>1) is there an easy way to install other certificates on XP?.
>2) even if the certificate is invalid, the browser offers the option to
>continue. What may be the risk of continuing?

Let's Encrypt went bonkers this week.

Download the certificates from

https://letsencrypt.org/certificates/

You'll need ISRG Root X1, ISRG Root X2, Let’s Encrypt R3 and
Let’s Encrypt E1.

Download them using the links (right click, save as).

You can add them to your XP store by double clicking on them.

To add them to Firefox/whatever by go to tools --> options -->
advanced --> certificates --> View Certificates.
Click on import certificate. After you've imported them all,
go to "Internet Security Research Group" and "edit trust". Check they
are trusted for web pages or whatever.
HTH

PS Can't remember which are best for what. *.PEM worked for
Firefox. Can't remember if I used *.PEM or *.DER for XP.
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012
Google Fuchsia - 2021

"Aoli" <Aoli@Aoli.com> ha scritto nel messaggio
news:sj7fc0$egr$1@gioia.aioe.org...
>
> Try MyPal browser.

The official website doesn't work because of... invalid certificate. :-)
Majorgeeks doesn't work because of... invalid certificate. :-)
Softpedia doesn't work because of... 404 page not found :-)

I'm at the end of my rope. :-)

GF

"Shadow" <Sh@dow.br> ha scritto nel messaggio
news:99pelg5hhh0o2h4pghmb7qb93glcilgvo9@4ax.com...
> On Fri, 1 Oct 2021 16:02:46 +0200, "G.F." <nospam@grazie.it> wrote:

> Download the certificates from
>
> https://letsencrypt.org/certificates/

I get "Invalid certificate" :-)

I'm at the end of my rope. :-)

GF

On Fri, 1 Oct 2021 22:36:22 +0200, "G.F." <nospam@grazie.it> wrote:

>"Shadow" <Sh@dow.br> ha scritto nel messaggio
>news:99pelg5hhh0o2h4pghmb7qb93glcilgvo9@4ax.com...
>> On Fri, 1 Oct 2021 16:02:46 +0200, "G.F." <nospam@grazie.it> wrote:
>
>> Download the certificates from
>>
>> https://letsencrypt.org/certificates/
>
>I get "Invalid certificate" :-)
>
>I'm at the end of my rope. :-)
>
>GF

LOL. Allow an "Exception"(assuming Firefox). Then you can open
the certs page. Double clicking on the "*.der" download link will
install the certificate to the browser. Close the browser, open it and
you should be good to go.
As I said, you'll have to right-click and save them if you
want to install to your XP cache.
HTH
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012
Google Fuchsia - 2021

On Fri, 01 Oct 2021 18:57:50 -0300, Shadow <Sh@dow.br> wrote:

>On Fri, 1 Oct 2021 22:36:22 +0200, "G.F." <nospam@grazie.it> wrote:
>
>>"Shadow" <Sh@dow.br> ha scritto nel messaggio
>>news:99pelg5hhh0o2h4pghmb7qb93glcilgvo9@4ax.com...
>>> On Fri, 1 Oct 2021 16:02:46 +0200, "G.F." <nospam@grazie.it> wrote:
>>
>>> Download the certificates from
>>>
>>> https://letsencrypt.org/certificates/
>>
>>I get "Invalid certificate" :-)
>>
>>I'm at the end of my rope. :-)
>>
>>GF

Correction:
>
> LOL. Allow an "Exception"(assuming Firefox). Then you can open
>the certs page. Double clicking on the "*.der" download link will
>install the

certificateS. Just one is not enough.

(You'll need ISRG Root X1, ISRG Root X2, Let’s Encrypt R3 and
Let’s Encrypt E1)

> to the browser. Close the browser, open it and
>you should be good to go.
> As I said, you'll have to right-click and save them if you
>want to install to your XP cache.
> HTH
> []'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012
Google Fuchsia - 2021

On 10/1/2021 4:36 PM, G.F. wrote:
> "Shadow" <Sh@dow.br> ha scritto nel messaggio
> news:99pelg5hhh0o2h4pghmb7qb93glcilgvo9@4ax.com...
>> On Fri, 1 Oct 2021 16:02:46 +0200, "G.F." <nospam@grazie.it> wrote:
>
>> Download the certificates from
>>
>> https://letsencrypt.org/certificates/
>
> I get "Invalid certificate" :-)
>
> I'm at the end of my rope. :-)
>
> GF

This is to give you some idea how hard it will be to
bootstrap. Apparently Firefox has its own certificate store.
But (of course), a modern Firefox, like a Firefox 91 won't
run on Windows XP.

I picked this post, the one at the end right now, to
show there are "hand tools" that are not browsers.

https://borncity.com/win/2021/09/30/sept-30-2021-will-we-see-trouble-with-old-lets-encrypt-certificates/

"Ubuntu 16.04 doesnt recognizes at all.
Tried to update the /etc/ssl/certs/ca-certificates.crt but no effect.

The only thing that made it work was to update openssl package and
then update curl pointing to the new openssl (all done by compiling method)
to get the curl to work.

wget still not working as its as pre-compiled with old openssl…
Still wondering if it has something to do with this topic or just a coincidence."

What we'd need then, is a curl which is updated today, and
available on an http (not https) site.

https://curl.se/download.html # Yeah, I know, https

curl version: 7.79.1
Build: 7.79.1
Date: 2021-09-22 # Not today...

https://curl.se/windows/dl-7.79.1/curl-7.79.1-win32-mingw.zip <=== advertised as...

http://curl.se/windows/dl-7.79.1/curl-7.79.1-win32-mingw.zip <=== seems to work...

WGET would be the better tool, because the description reads as this,
but as far as I know, it doesn't have internal certificates.

"wget is a fantastic tool for downloading content and files. It can download files,
web pages, and directories. It contains intelligent routines to traverse links in
web pages and recursively download content across an entire website. It is
unsurpassed as a command-line download manager."

Now CURL is supposed to have certificates, as part of pulling stuff
into its library.

"curl satisfies an altogether different need. Yes, it can retrieve files, but it
cannot recursively navigate a website looking for content to retrieve."

This usage of CURL is silly. Don't do this. The problem would be,
with binary or ISOs or the like. You want something that won't screw up,
if doing big downloads.

cd /d C:\Downloads\CurlDir # Point at the dir with the EXE in it

curl https://www.bbc.com > bbc.html

Whereas this one, puts content into a file. The log should still
be dumped into Command Prompt.

curl -o bbc.html https://www.bbc.com

My WinXP computer broke two days ago (would freeze in memtest).
All the hardware is pulled from the computer case, the case is
just sitting near my shoulder, EMPTY!!! No hardwares. Can't test
diddly now. I'm running off Win7 at the moment, haven't moved
my email over, the usual mess.

Now, we need any emergency OS with Firefox in it, on the
assumption it has certificates. I picked the Lite version,
for lower RAM consumption.

https://mirror.clarkson.edu/zorinos/isos/15/Zorin-OS-15.3-Lite-32-bit.iso

curl -o zorin153x86.iso https://mirror.clarkson.edu/zorinos/isos/15/Zorin-OS-15.3-Lite-32-bit.iso

That's around 2GB, so should work in FAT32 for storage, and you
can burn a DVD of that for boot purposes.

I tested in a VM, and that will boot on 512MB, but you can't
start Firefox unless the computer has about 1GB of RAM for "comfort".
Running a LiveDVD, RAM is used for scratch file space, which is
why these things jam up so easily.

I can put that on a USB stick. I used rufus.ie to do a USB stick,
and it offered me a 26GB casper-rw persistent partition. This is
on a 32GB USB stick. This is an EXT partition and not just a loopback
mount as might be more normal (lots of persistent sticks have
just 4GB of storage on a bitmap file sitting on a FAT32 partition,
which is why they have the 4GB limit). This happens to be a Ubuntu at
the moment, and I can see a file stamping the stick as being
made by Rufus.

--- /dev/sde
Block device, size 29.22 GiB (31376707072 bytes)
DOS/MBR partition map
Partition 1: 3.221 GiB (3458359296 bytes, 6754608 sectors from 2048, bootable)
Type 0x0C (Win95 FAT32 (LBA))
SYSLINUX boot loader
FAT32 file system (hints score 4 of 5)
Volume size 3.217 GiB (3454156800 bytes, 210825 clusters of 16 KiB)
Partition 2: 26.00 GiB (27917277696 bytes, 54525933 sectors from 6756656)
Type 0x83 (Linux)
Ext3 file system
Volume name "casper-rw"
UUID 69FD8B2A-C16A-8B42-9C60-6DDC9C4FE0E9 (DCE, v8)
Last mounted at "/"
Volume size 26.00 GiB (27917275136 bytes, 6815741 blocks of 4 KiB)

The USB would be useful, if you've done these before, and your
machine has a USB boot capability. Otherwise, it's a DVD thing.
A DVD won't work on my first PC (1.1GHz Tualatin), and there
I need a CD instead (the BIOS does not grok DVD type as a hardware).

This might not work due to github web code. But if it does, you can
play with using a USB stick instead of a DVD blank.

curl.exe -o rufus315.exe https://github.com/pbatard/rufus/releases/download/v3.15/rufus-3.15p.exe

Once you're booted into Zorin Live Lite, you can follow Shadows suggestions
and look at various web sites for certificate downloads.

I don't know how far you'll get, but that's an idea of
how I'd try to escape the Houdini box you're in.

Paul

On Fri, 1 Oct 2021 21:53:50 -0400, Paul <nospam@needed.invalid> wrote:

>On 10/1/2021 4:36 PM, G.F. wrote:
>> "Shadow" <Sh@dow.br> ha scritto nel messaggio
>> news:99pelg5hhh0o2h4pghmb7qb93glcilgvo9@4ax.com...
>>> On Fri, 1 Oct 2021 16:02:46 +0200, "G.F." <nospam@grazie.it> wrote:
>>
>>> Download the certificates from
>>>
>>> https://letsencrypt.org/certificates/
>>
>> I get "Invalid certificate" :-)
>>
>> I'm at the end of my rope. :-)
>>
>> GF
>
>This is to give you some idea how hard it will be to
>bootstrap. Apparently Firefox has its own certificate store.
>But (of course), a modern Firefox, like a Firefox 91 won't
>run on Windows XP.
>
>I picked this post, the one at the end right now, to
>show there are "hand tools" that are not browsers.
>
>https://borncity.com/win/2021/09/30/sept-30-2021-will-we-see-trouble-with-old-lets-encrypt-certificates/
>
> "Ubuntu 16.04 doesnt recognizes at all.
> Tried to update the /etc/ssl/certs/ca-certificates.crt but no effect.
>
> The only thing that made it work was to update openssl package and
> then update curl pointing to the new openssl (all done by compiling method)
> to get the curl to work.
>
> wget still not working as its as pre-compiled with old openssl…
> Still wondering if it has something to do with this topic or just a coincidence."
>
>What we'd need then, is a curl which is updated today, and
>available on an http (not https) site.
>
>https://curl.se/download.html # Yeah, I know, https
>
> curl version: 7.79.1
> Build: 7.79.1
> Date: 2021-09-22 # Not today...
>
> https://curl.se/windows/dl-7.79.1/curl-7.79.1-win32-mingw.zip <=== advertised as...
>
> http://curl.se/windows/dl-7.79.1/curl-7.79.1-win32-mingw.zip <=== seems to work...
>
>WGET would be the better tool, because the description reads as this,
>but as far as I know, it doesn't have internal certificates.
>
> "wget is a fantastic tool for downloading content and files. It can download files,
> web pages, and directories. It contains intelligent routines to traverse links in
> web pages and recursively download content across an entire website. It is
> unsurpassed as a command-line download manager."
>
>Now CURL is supposed to have certificates, as part of pulling stuff
>into its library.
>
> "curl satisfies an altogether different need. Yes, it can retrieve files, but it
> cannot recursively navigate a website looking for content to retrieve."
>
>This usage of CURL is silly. Don't do this. The problem would be,
>with binary or ISOs or the like. You want something that won't screw up,
>if doing big downloads.
>
> cd /d C:\Downloads\CurlDir # Point at the dir with the EXE in it
>
> curl https://www.bbc.com > bbc.html
>
>Whereas this one, puts content into a file. The log should still
>be dumped into Command Prompt.
>
> curl -o bbc.html https://www.bbc.com
>
>My WinXP computer broke two days ago (would freeze in memtest).
>All the hardware is pulled from the computer case, the case is
>just sitting near my shoulder, EMPTY!!! No hardwares. Can't test
>diddly now. I'm running off Win7 at the moment, haven't moved
>my email over, the usual mess.
>
>Now, we need any emergency OS with Firefox in it, on the
>assumption it has certificates. I picked the Lite version,
>for lower RAM consumption.
>
>https://mirror.clarkson.edu/zorinos/isos/15/Zorin-OS-15.3-Lite-32-bit.iso
>
> curl -o zorin153x86.iso https://mirror.clarkson.edu/zorinos/isos/15/Zorin-OS-15.3-Lite-32-bit.iso
>
>That's around 2GB, so should work in FAT32 for storage, and you
>can burn a DVD of that for boot purposes.
>
>I tested in a VM, and that will boot on 512MB, but you can't
>start Firefox unless the computer has about 1GB of RAM for "comfort".
>Running a LiveDVD, RAM is used for scratch file space, which is
>why these things jam up so easily.
>
>I can put that on a USB stick. I used rufus.ie to do a USB stick,
>and it offered me a 26GB casper-rw persistent partition. This is
>on a 32GB USB stick. This is an EXT partition and not just a loopback
>mount as might be more normal (lots of persistent sticks have
>just 4GB of storage on a bitmap file sitting on a FAT32 partition,
>which is why they have the 4GB limit). This happens to be a Ubuntu at
>the moment, and I can see a file stamping the stick as being
>made by Rufus.
>
>--- /dev/sde
>Block device, size 29.22 GiB (31376707072 bytes)
>DOS/MBR partition map
>Partition 1: 3.221 GiB (3458359296 bytes, 6754608 sectors from 2048, bootable)
> Type 0x0C (Win95 FAT32 (LBA))
> SYSLINUX boot loader
> FAT32 file system (hints score 4 of 5)
> Volume size 3.217 GiB (3454156800 bytes, 210825 clusters of 16 KiB)
>Partition 2: 26.00 GiB (27917277696 bytes, 54525933 sectors from 6756656)
> Type 0x83 (Linux)
> Ext3 file system
> Volume name "casper-rw"
> UUID 69FD8B2A-C16A-8B42-9C60-6DDC9C4FE0E9 (DCE, v8)
> Last mounted at "/"
> Volume size 26.00 GiB (27917275136 bytes, 6815741 blocks of 4 KiB)
>
>The USB would be useful, if you've done these before, and your
>machine has a USB boot capability. Otherwise, it's a DVD thing.
>A DVD won't work on my first PC (1.1GHz Tualatin), and there
>I need a CD instead (the BIOS does not grok DVD type as a hardware).
>
>This might not work due to github web code. But if it does, you can
>play with using a USB stick instead of a DVD blank.
>
> curl.exe -o rufus315.exe https://github.com/pbatard/rufus/releases/download/v3.15/rufus-3.15p.exe
>
>Once you're booted into Zorin Live Lite, you can follow Shadows suggestions
>and look at various web sites for certificate downloads.
>
>I don't know how far you'll get, but that's an idea of
>how I'd try to escape the Houdini box you're in.
>
> Paul

I understand what you did, but it's a bit of an overkill for a
XP-only user.

I just loaded the page(Palemoon - same dialogs as an old
Firefox), got the invalid certificate warning, chose the "exception"
(or whatever it's called)

"Are you sure, you are playing with fire, you naughty person"

I clicked "I LIKE playing with fire"

The page opened, I downloaded the certs (pem, der AND txt -
wasn't sure which ones I needed), then manually installed them both to
XP and the browser.

https://postimg.cc/QVbV07cG

(yes, you need the certs to access Postimg)

Of course, once they were working I checked the fingerprints
at

https://www.grc.com/fingerprints.htm

(that uses a Digicert certificate)

When you allow an exception, for all practical purposes you
are using http ..... which can be tampered with. Best to be sure you
got valid certs.

My wget is v1.19.4, it's the last version that works with XP
and apparently it uses the XP store of certs. It's working fine now.

Incredible how many of my favorite sites broke because of the
Let's Encrypt fsckup. Didn't realize how popular it was.

PS I removed ALL references to Let'sEncrypt in my cert store
before installing the new ones. Didn't want any conflicts.
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012
Google Fuchsia - 2021

On 10/2/2021 6:36 AM, Shadow wrote:
> On Fri, 1 Oct 2021 21:53:50 -0400, Paul <nospam@needed.invalid> wrote:
>
>> On 10/1/2021 4:36 PM, G.F. wrote:
>>> "Shadow" <Sh@dow.br> ha scritto nel messaggio
>>> news:99pelg5hhh0o2h4pghmb7qb93glcilgvo9@4ax.com...
>>>> On Fri, 1 Oct 2021 16:02:46 +0200, "G.F." <nospam@grazie.it> wrote:
>>>
>>>> Download the certificates from
>>>>
>>>> https://letsencrypt.org/certificates/
>>>
>>> I get "Invalid certificate" :-)
>>>
>>> I'm at the end of my rope. :-)
>>>
>>> GF
>>
>> This is to give you some idea how hard it will be to
>> bootstrap. Apparently Firefox has its own certificate store.
>> But (of course), a modern Firefox, like a Firefox 91 won't
>> run on Windows XP.
>>
>> I picked this post, the one at the end right now, to
>> show there are "hand tools" that are not browsers.
>>
>> https://borncity.com/win/2021/09/30/sept-30-2021-will-we-see-trouble-with-old-lets-encrypt-certificates/
>>
>> "Ubuntu 16.04 doesnt recognizes at all.
>> Tried to update the /etc/ssl/certs/ca-certificates.crt but no effect.
>>
>> The only thing that made it work was to update openssl package and
>> then update curl pointing to the new openssl (all done by compiling method)
>> to get the curl to work.
>>
>> wget still not working as its as pre-compiled with old openssl…
>> Still wondering if it has something to do with this topic or just a coincidence."
>>
>> What we'd need then, is a curl which is updated today, and
>> available on an http (not https) site.
>>
>> https://curl.se/download.html # Yeah, I know, https
>>
>> curl version: 7.79.1
>> Build: 7.79.1
>> Date: 2021-09-22 # Not today...
>>
>> https://curl.se/windows/dl-7.79.1/curl-7.79.1-win32-mingw.zip <=== advertised as...
>>
>> http://curl.se/windows/dl-7.79.1/curl-7.79.1-win32-mingw.zip <=== seems to work...
>>
>> WGET would be the better tool, because the description reads as this,
>> but as far as I know, it doesn't have internal certificates.
>>
>> "wget is a fantastic tool for downloading content and files. It can download files,
>> web pages, and directories. It contains intelligent routines to traverse links in
>> web pages and recursively download content across an entire website. It is
>> unsurpassed as a command-line download manager."
>>
>> Now CURL is supposed to have certificates, as part of pulling stuff
>> into its library.
>>
>> "curl satisfies an altogether different need. Yes, it can retrieve files, but it
>> cannot recursively navigate a website looking for content to retrieve."
>>
>> This usage of CURL is silly. Don't do this. The problem would be,
>> with binary or ISOs or the like. You want something that won't screw up,
>> if doing big downloads.
>>
>> cd /d C:\Downloads\CurlDir # Point at the dir with the EXE in it
>>
>> curl https://www.bbc.com > bbc.html
>>
>> Whereas this one, puts content into a file. The log should still
>> be dumped into Command Prompt.
>>
>> curl -o bbc.html https://www.bbc.com
>>
>> My WinXP computer broke two days ago (would freeze in memtest).
>> All the hardware is pulled from the computer case, the case is
>> just sitting near my shoulder, EMPTY!!! No hardwares. Can't test
>> diddly now. I'm running off Win7 at the moment, haven't moved
>> my email over, the usual mess.
>>
>> Now, we need any emergency OS with Firefox in it, on the
>> assumption it has certificates. I picked the Lite version,
>> for lower RAM consumption.
>>
>> https://mirror.clarkson.edu/zorinos/isos/15/Zorin-OS-15.3-Lite-32-bit.iso
>>
>> curl -o zorin153x86.iso https://mirror.clarkson.edu/zorinos/isos/15/Zorin-OS-15.3-Lite-32-bit.iso
>>
>> That's around 2GB, so should work in FAT32 for storage, and you
>> can burn a DVD of that for boot purposes.
>>
>> I tested in a VM, and that will boot on 512MB, but you can't
>> start Firefox unless the computer has about 1GB of RAM for "comfort".
>> Running a LiveDVD, RAM is used for scratch file space, which is
>> why these things jam up so easily.
>>
>> I can put that on a USB stick. I used rufus.ie to do a USB stick,
>> and it offered me a 26GB casper-rw persistent partition. This is
>> on a 32GB USB stick. This is an EXT partition and not just a loopback
>> mount as might be more normal (lots of persistent sticks have
>> just 4GB of storage on a bitmap file sitting on a FAT32 partition,
>> which is why they have the 4GB limit). This happens to be a Ubuntu at
>> the moment, and I can see a file stamping the stick as being
>> made by Rufus.
>>
>> --- /dev/sde
>> Block device, size 29.22 GiB (31376707072 bytes)
>> DOS/MBR partition map
>> Partition 1: 3.221 GiB (3458359296 bytes, 6754608 sectors from 2048, bootable)
>> Type 0x0C (Win95 FAT32 (LBA))
>> SYSLINUX boot loader
>> FAT32 file system (hints score 4 of 5)
>> Volume size 3.217 GiB (3454156800 bytes, 210825 clusters of 16 KiB)
>> Partition 2: 26.00 GiB (27917277696 bytes, 54525933 sectors from 6756656)
>> Type 0x83 (Linux)
>> Ext3 file system
>> Volume name "casper-rw"
>> UUID 69FD8B2A-C16A-8B42-9C60-6DDC9C4FE0E9 (DCE, v8)
>> Last mounted at "/"
>> Volume size 26.00 GiB (27917275136 bytes, 6815741 blocks of 4 KiB)
>>
>> The USB would be useful, if you've done these before, and your
>> machine has a USB boot capability. Otherwise, it's a DVD thing.
>> A DVD won't work on my first PC (1.1GHz Tualatin), and there
>> I need a CD instead (the BIOS does not grok DVD type as a hardware).
>>
>> This might not work due to github web code. But if it does, you can
>> play with using a USB stick instead of a DVD blank.
>>
>> curl.exe -o rufus315.exe https://github.com/pbatard/rufus/releases/download/v3.15/rufus-3.15p.exe
>>
>> Once you're booted into Zorin Live Lite, you can follow Shadows suggestions
>> and look at various web sites for certificate downloads.
>>
>> I don't know how far you'll get, but that's an idea of
>> how I'd try to escape the Houdini box you're in.
>>
>> Paul
>
> I understand what you did, but it's a bit of an overkill for a
> XP-only user.
>
> I just loaded the page(Palemoon - same dialogs as an old
> Firefox), got the invalid certificate warning, chose the "exception"
> (or whatever it's called)
>
> "Are you sure, you are playing with fire, you naughty person"
>
> I clicked "I LIKE playing with fire"
>
> The page opened, I downloaded the certs (pem, der AND txt -
> wasn't sure which ones I needed), then manually installed them both to
> XP and the browser.
>
> https://postimg.cc/QVbV07cG
>
> (yes, you need the certs to access Postimg)
>
> Of course, once they were working I checked the fingerprints
> at
>
> https://www.grc.com/fingerprints.htm
>
> (that uses a Digicert certificate)
>
> When you allow an exception, for all practical purposes you
> are using http ..... which can be tampered with. Best to be sure you
> got valid certs.
>
> My wget is v1.19.4, it's the last version that works with XP
> and apparently it uses the XP store of certs. It's working fine now.
>
> Incredible how many of my favorite sites broke because of the
> Let's Encrypt fsckup. Didn't realize how popular it was.
>
> PS I removed ALL references to Let'sEncrypt in my cert store
> before installing the new ones. Didn't want any conflicts.
> []'s
>
> --
> Don't be evil - Google 2004
> We have a new policy - Google 2012
> Google Fuchsia - 2021
>

I provided the info, to show that with some lucky,
you could bootstrap yourself. As long as just
a few developers remember to provide an http: path
to the goods, we'll be OK.

Nobody really has the energy to keep this stuff going forever.
It's too brittle for that.

"G.F." <nospam@grazie.it> wrote

| Hi all.
| The number of websites unusable with XP is increasing, due to the "invalid
| certificate".
| 1) is there an easy way to install other certificates on XP?.
| 2) even if the certificate is invalid, the browser offers the option to
| continue. What may be the risk of continuing?
| I don't have any problems and I don't remember doing
anything specific. I just visited majorgeeks.com. No
problems. I have FF52.9 and New Moon 28.1. But some
things you might try:

Get New Moon browser.

Set browser.xul.error_pages.expert_bad_cert to true

Set browser.ssl_override_behavior to 1

Risks? In the vast majority of cases a bad cert is likely
to be because it expired. It can also be caused when a
hosted site is using a cert that's not for its own domain.
If you plan to enter a credit card number it matters. If
you're at majorgeeks and you just want to download, then
who cares? You can also usually see in the error page why
the cert was rejected.

On Fri, 1 Oct 2021 16:02:46 +0200, "G.F." <nospam@grazie.it> wrote:

>Hi all.
>The number of websites unusable with XP is increasing, due to the "invalid
>certificate".
>1) is there an easy way to install other certificates on XP?.
>2) even if the certificate is invalid, the browser offers the option to
>continue. What may be the risk of continuing?

In Firefox I get "This site is untrusted", aznd in most cases I can
override it.

But in Maxthon I get this:

Avast has blocked access to https://share.social9.co/ because one of
the issuers of the server certificate has expired.

What is causing it, and can anything be done about it?

--
Steve Hayes from Tshwane, South Africa
Web: http://www.khanya.org.za/stevesig.htm
Blog: http://khanya.wordpress.com
E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk

On 10/6/2021 6:59 AM, Steve Hayes wrote:
> On Fri, 1 Oct 2021 16:02:46 +0200, "G.F." <nospam@grazie.it> wrote:
>
>> Hi all.
>> The number of websites unusable with XP is increasing, due to the "invalid
>> certificate".
>> 1) is there an easy way to install other certificates on XP?.
>> 2) even if the certificate is invalid, the browser offers the option to
>> continue. What may be the risk of continuing?
>
> In Firefox I get "This site is untrusted", aznd in most cases I can
> override it.
>
> But in Maxthon I get this:
>
> Avast has blocked access to https://share.social9.co/ because one of
> the issuers of the server certificate has expired.
>
> What is causing it, and can anything be done about it?

Is the spelling of this

share.social9.co

correct, or is something missing ?

Paul

Steve Hayes <hayesstw@telkomsa.net> on Wed, 06 Oct 2021 12:59:39 +0200
typed in microsoft.public.windowsxp.general the following:
>On Fri, 1 Oct 2021 16:02:46 +0200, "G.F." <nospam@grazie.it> wrote:
>
>>Hi all.
>>The number of websites unusable with XP is increasing, due to the "invalid
>>certificate".
>>1) is there an easy way to install other certificates on XP?.
>>2) even if the certificate is invalid, the browser offers the option to
>>continue. What may be the risk of continuing?
>
>In Firefox I get "This site is untrusted", aznd in most cases I can
>override it.
>
>But in Maxthon I get this:
>
>Avast has blocked access to https://share.social9.co/ because one of
>the issuers of the server certificate has expired.

There was a report of one of the root certificates "expiring" (I
did not know they could do that) which will cause many "trust" issues
after 1 Oct.
>
>What is causing it, and can anything be done about it?
--
pyotr filipivich
This Week's Panel: Us & Them - Eliminating Them.
Next Month's Panel: Having eliminated the old Them(tm)
Selecting who insufficiently Woke(tm) as to serve as the new Them(tm)

On Wed, 6 Oct 2021 08:21:47 -0400, Paul wrote:
> On 10/6/2021 6:59 AM, Steve Hayes wrote:
>> On Fri, 1 Oct 2021 16:02:46 +0200, "G.F." <nospam@grazie.it> wrote:
>>
>>> Hi all.
>>> The number of websites unusable with XP is increasing, due to the "invalid
>>> certificate".
>>> 1) is there an easy way to install other certificates on XP?.
>>> 2) even if the certificate is invalid, the browser offers the option to
>>> continue. What may be the risk of continuing?
>>
>> In Firefox I get "This site is untrusted", aznd in most cases I can
>> override it.
>>
>> But in Maxthon I get this:
>>
>> Avast has blocked access to https://share.social9.co/ because one of
>> the issuers of the server certificate has expired.
>>
>> What is causing it, and can anything be done about it?
>
> Is the spelling of this
>
> share.social9.co
>
> correct, or is something missing ?
>
> Paul

I think it's `.com`. Not `.co`. Cause I don't think Colombia domains are
popular enough.

There doesn't seem to be a problem with its certificate when accessed from
XP.

https://www.ssllabs.com/ssltest/analyze.html?d=share.social9.com

On Thu, 7 Oct 2021 10:47:06 +0700, JJ <jj4public@gmail.com> wrote:

>On Wed, 6 Oct 2021 08:21:47 -0400, Paul wrote:
>> On 10/6/2021 6:59 AM, Steve Hayes wrote:
>>> On Fri, 1 Oct 2021 16:02:46 +0200, "G.F." <nospam@grazie.it> wrote:
>>>
>>>> Hi all.
>>>> The number of websites unusable with XP is increasing, due to the "invalid
>>>> certificate".
>>>> 1) is there an easy way to install other certificates on XP?.
>>>> 2) even if the certificate is invalid, the browser offers the option to
>>>> continue. What may be the risk of continuing?
>>>
>>> In Firefox I get "This site is untrusted", aznd in most cases I can
>>> override it.
>>>
>>> But in Maxthon I get this:
>>>
>>> Avast has blocked access to https://share.social9.co/ because one of
>>> the issuers of the server certificate has expired.
>>>
>>> What is causing it, and can anything be done about it?
>>
>> Is the spelling of this
>>
>> share.social9.co
>>
>> correct, or is something missing ?
>>
>> Paul
>
>I think it's `.com`. Not `.co`. Cause I don't think Colombia domains are
>popular enough.
>
>There doesn't seem to be a problem with its certificate when accessed from
>XP.
>
>https://www.ssllabs.com/ssltest/analyze.html?d=share.social9.com

http://share.social9.com redirects to https://shr.social9.com/

Which is a 404.
The site uses a Let's Encrypt R3 cert valid until Nov 15th
2021.
Can't find any references to the site on a Glugle search,
other than it's hosted on an Amacon server.

It's alternative https://9sh.re/shorturl

Has this in the description:

//marketing platform, audience insights, audience intelligence,
audience intel, managed service, social sharing, sharing, website
personalization, personalize website, personalization, share this,
plugins, best free plugins, widgets, best free widgets, best website
plugins, premium plugins, premium widgets, responsive tools,
responsive widgets, share buttons, facebook like, facebook share,
pinterest button, tweet button, twitter button, instagram button,
follow buttons, social buttons, social plugins, recommended content,
content widget, wordpress, joomla, blogger, get likes, get shares, get
followers//

Personally, I wouldn't trust it with or without a valid
certificate.
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012
Google Fuchsia - 2021

On 2021-10-1 22:02, G.F. wrote:
> Hi all.
> The number of websites unusable with XP is increasing, due to the "invalid
> certificate".
> 1) is there an easy way to install other certificates on XP?.

Yes, XP can still update to the most recent OS|IE certificates. Try the tool at:
https://msfn.org/board/topic/175170-root-certificates-and-revoked-certificates-for-windows-xp/page/3/

And use a more recent browser:
https://rtfreesoft.blogspot.com/search/label/serpent

> 2) even if the certificate is invalid, the browser offers the option to
> continue. What may be the risk of continuing?
>

There's possibility of man-in-the-middle attack, trying to steal something from you. No risk if you do not provide personal information or install anything.

--
Regards,
Lu Wei
IM: xmpp:luweitest@riotcat.org
PGP: 0xA12FEF7592CCE1EA

On Sun, 10 Oct 2021 11:40:42 +0800, Lu Wei wrote:
> On 2021-10-1 22:02, G.F. wrote:
>> Hi all.
>> The number of websites unusable with XP is increasing, due to the "invalid
>> certificate".
>> 1) is there an easy way to install other certificates on XP?.
>
> Yes, XP can still update to the most recent OS|IE certificates. Try the tool at:
> https://msfn.org/board/topic/175170-root-certificates-and-revoked-certificates-for-windows-xp/page/3/

The most recent Microsoft's official root certificates and certificate
revocations can be downloaded from below URLs. (long URL warning)

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab

Extract the contents and double-click the STL files to import them.

Because there's no XP update to support new security chipers, don't use on
internet applications that use Windows built in cryptography libraries. Most
of such applications are available for Windows platform only (i.e. non cross
platform softwares).

On 03:40 10 Oct 2021, Lu Wei said:
> On 2021-10-1 22:02, G.F. wrote:
>>
>> Hi all.
>> The number of websites unusable with XP is increasing, due to the
>> "invalid certificate".
>> 1) is there an easy way to install other certificates on XP?.
>
> Yes, XP can still update to the most recent OS|IE certificates. Try
> the tool at:
> https://msfn.org/board/topic/175170-root-certificates-and-revoked-cert
> ificates-for-windows-xp/page/3/

Interesting old thread. Is all everything required to be done written on
that page (page three)? I don't have the stamina to go through 38 pages!

> And use a more recent browser:
> https://rtfreesoft.blogspot.com/search/label/serpent

I find MyPal (v.29) runs a bit slowly but is more compatible with sites
than Firefox v.52. Is Serpent better?

>> 2) even if the certificate is invalid, the browser offers the option
>> to continue. What may be the risk of continuing?
>>
>
> There's possibility of man-in-the-middle attack, trying to steal
> something from you. No risk if you do not provide personal
> information or install anything.

On Mon, 24 Jan 2022 at 11:45:51, Pamela
<pamela.private.mailbox@gmail.com> wrote (my responses usually follow
points raised):
>On 03:40 10 Oct 2021, Lu Wei said:
>> On 2021-10-1 22:02, G.F. wrote:
>>>
>>> Hi all.
>>> The number of websites unusable with XP is increasing, due to the
>>> "invalid certificate".
>>> 1) is there an easy way to install other certificates on XP?.
>>
>> Yes, XP can still update to the most recent OS|IE certificates. Try
>> the tool at:
>> https://msfn.org/board/topic/175170-root-certificates-and-revoked-cert
>> ificates-for-windows-xp/page/3/
>
>Interesting old thread. Is all everything required to be done written on
>that page (page three)? I don't have the stamina to go through 38 pages!
>
>> And use a more recent browser:
>> https://rtfreesoft.blogspot.com/search/label/serpent
>
>I find MyPal (v.29) runs a bit slowly but is more compatible with sites
>than Firefox v.52. Is Serpent better?

I don't think its a matter of better or worse, but that Firefox uses its
own certificate store, rather than using XP's store. (Based on a weak
understanding of what I've read here: I'm no longer on XP, and the
Firefox I use is a _very_ old one - I don't know if the one you use -
the latest that works under XP perhaps? - still uses its own store.
Certainly my ancient Firefox keeps asking this question for sites to
which Chrome has no problem.)
>
>>> 2) even if the certificate is invalid, the browser offers the option
>>> to continue. What may be the risk of continuing?
>>>
>>
>> There's possibility of man-in-the-middle attack, trying to steal
>> something from you. No risk if you do not provide personal
>> information or install anything.

It has always struck me as unusual that Firefox's "shall I store this
exception" box (i. e. allowing you to continue to use the site it thinks
has an invalid certificate, without asking every time) is pre-ticked.
Such things usually aren't, erring on the side of safety.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

Does God believe in people?