SeaMonkey 2.53.15 cannot establish a secure connection to
https://www.westlotto.de/ because the authenticity of the received data
cannot be verified. According to the error message, the error should lie
with the operator of the page. However, SeaMonkey 2.53.17b1pre displays
the page correctly, Edge has no problem with the page either. Is there a
way to work around the error in SeaMonkey 2.53.15 or does anyone have
SeaMonkey 2.53.16 Beta in use and can test if the page works there.

Peter

Peter45 wrote:
> SeaMonkey 2.53.15 cannot establish a secure connection to
> https://www.westlotto.de/ because the authenticity of the received data
> cannot be verified. According to the error message, the error should lie
> with the operator of the page. However, SeaMonkey 2.53.17b1pre displays
> the page correctly, Edge has no problem with the page either. Is there a
> way to work around the error in SeaMonkey 2.53.15 or does anyone have
> SeaMonkey 2.53.16 Beta in use and can test if the page works there.
>
> Peter
>

I have just called up that page - both under private mode and normal -
and had no problems with it, as you can see I have the same level of
Seamonkey as you. My only add-on is "uBlock Origin" although it claims
not to have blocked anything on that tab anyway.
Try clearing cache?

Peter45 wrote:
> SeaMonkey 2.53.15 cannot establish a secure connection to
> https://www.westlotto.de/ because the authenticity of the received data
> cannot be verified. According to the error message, the error should lie
> with the operator of the page. However, SeaMonkey 2.53.17b1pre displays
> the page correctly, Edge has no problem with the page either. Is there a
> way to work around the error in SeaMonkey 2.53.15 or does anyone have
> SeaMonkey 2.53.16 Beta in use and can test if the page works there.

I see a horrible lottery site, I don't see the error (this is with
NoScript enabled), I don't even want to go near it without NoScript.

"Key Pinning" is to do with trying to stop "Man in the Middle" attacks.

Am 30.03.2023 um 11:55 schrieb Don Spam's Reckless Son:
> Peter45 wrote:
>> SeaMonkey 2.53.15 cannot establish a secure connection to
>> https://www.westlotto.de/ because the authenticity of the received data
....
>
> I have just called up that page - both under private mode and normal -
> and had no problems with it, as you can see I have the same level of
> Seamonkey as you. My only add-on is "uBlock Origin" although it claims
> not to have blocked anything on that tab anyway.
> Try clearing cache?
>

Thank you very much for the answers. I have cleared the cache, deleted
the site cookies and also tested safe mode, yet I still get the error on
three different machines. An acquaintance gets this error on his two
computers as well. As an add-on I have also installed only uBlockOrigin.
In a new profile the page works without problems. Does anyone else have
an idea? Otherwise I will have to edit the prefs.js again, which is
unfortunately always very time consuming.

Peter

gerry 666uk wrote:
> Peter45 wrote:
>> SeaMonkey 2.53.15 cannot establish a secure connection to
>> https://www.westlotto.de/ because the authenticity of the received data
>> cannot be verified. According to the error message, the error should lie
>> with the operator of the page. However, SeaMonkey 2.53.17b1pre displays
>> the page correctly, Edge has no problem with the page either. Is there a
>> way to work around the error in SeaMonkey 2.53.15 or does anyone have
>> SeaMonkey 2.53.16 Beta in use and can test if the page works there.
>
> I see a horrible lottery site, I don't see the error (this is with
> NoScript enabled), I don't even want to go near it without NoScript.
>
> "Key Pinning" is to do with trying to stop "Man in the Middle" attacks.
>

You and I use Linux, Peter45 uses Windows (10 or 11). I'd say that his
problem has something to do with his virus scanner except that it works
with a new profile and/or a different version of Seamonkey.

Peter45 wrote:
> SeaMonkey 2.53.15 cannot establish a secure connection to
> https://www.westlotto.de/ because the authenticity of the received data
> cannot be verified. According to the error message, the error should lie
> with the operator of the page. However, SeaMonkey 2.53.17b1pre displays
> the page correctly, Edge has no problem with the page either. Is there a
> way to work around the error in SeaMonkey 2.53.15 or does anyone have
> SeaMonkey 2.53.16 Beta in use and can test if the page works there.
>
> Peter

It works for me with 2.53.15 (Win7) but my UA is probably different than
yours.
User agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
Firefox/60.0 SeaMonkey/2.53.8
Build identifier: 20230108192628

Am 30.03.2023 um 23:06 schrieb Paul in Houston TX:
> Peter45 wrote:
>> SeaMonkey 2.53.15 cannot establish a secure connection to
>> https://www.westlotto.de/ because the authenticity of the received data
>> cannot be verified. According to the error message, the error should lie
....

> It works for me with 2.53.15 (Win7) but my UA is probably different than
> yours.
> User agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
> Firefox/60.0 SeaMonkey/2.53.8
> Build identifier: 20230108192628
>

Thanks for the hint. Since I have since found (see my second message
from yesterday) that the page works with a new profile, but not in safe
mode or with cleared cache and cookies, the error must lie somewhere else.

Peter

Am 30.03.2023 um 20:18 schrieb Peter45:
> Am 30.03.2023 um 11:55 schrieb Don Spam's Reckless Son:
>> Peter45 wrote:
>>> SeaMonkey 2.53.15 cannot establish a secure connection to
>>> https://www.westlotto.de/ because the authenticity of the received data
> ...
>>
>> I have just called up that page - both under private mode and normal -
>> and had no problems with it, as you can see I have the same level of
>> Seamonkey as you. My only add-on is "uBlock Origin" although it claims
>> not to have blocked anything on that tab anyway.
>> Try clearing cache?
>>
>
....
Hi all, it's not the prefs.js, even with old versions of prefs.js, an
"empty" version and the version from a new profile that has no problems
with the westlotto page, the page does not work in the current profile.
Clearing cache and cookies had not helped either, as an extension I only
have uBlockOrigin. Since safe mode does not work either, it should not
be because of that. I do not have a user.js in use. Does anyone have an
idea where (in the profile) I could still look for the error?

Peter

Peter45 wrote:
> SeaMonkey 2.53.15 cannot establish a secure connection to
> https://www.westlotto.de/ because the authenticity of the received data
> cannot be verified. According to the error message, the error should lie
> with the operator of the page. However, SeaMonkey 2.53.17b1pre displays
> the page correctly, Edge has no problem with the page either. Is there a
> way to work around the error in SeaMonkey 2.53.15 or does anyone have
> SeaMonkey 2.53.16 Beta in use and can test if the page works there.
>
> Peter

The error code relating to "key pinning" suggests that the website has
previously indicated that it will always use a particular key to
authenticate connections, at least until a particular time in the
future, but is now trying to authenticate with a different key. The
fact it's now using a different key may be because the connection has
been intercepted and you're not connecting to the genuine server, so the
browser refuses to connect. Or, it could be that the genuine server's
keys have been changed despite having previously indicated that it
wouldn't do that yet. That also fits with it working for other people
(and for you with a new profile) who have not previously visited the
site, so haven't previously seen a response from that server pinning it
to the old key.

As for what to do about it... Not having visited the site before, I
don't have that cached information which is causing the problem for you,
so I can't be absolutely sure of where to find and remove it. A couple
of possibilities:

1. Edit > Preferences > Privacy & Security > Certificates > Manage
Certificates. Perhaps pinned certificates show up somewhere there,
perhaps on the "Servers" tab. If you can see a certificate specifically
for westlotto.de, you could try deleting it. DO NOT go deleting or
disabling other certificates though, otherwise you'll end up being
unable to connect to anything!

2. I've also seen indications that this key pinning might be recorded in
the "SiteSecurityServiceState.txt" file in your profile.
* You'll probably need to exit SeaMonkey before editing the file.
* Make a backup copy of that file before messing with it, just in case.
* Then, look for a line for westlotto.de or www.westlotto.de and
delete it.
* Restart SeaMonkey and see if you can connect.

It looks like this key pinning probably works by the server including
"public-key-pins" headers in its responses. It also looks like use of
that header is no longer recommended due to problems like this, and has
been removed from most recent browsers. SeaMonkey, of course, is based
on quite an old version of Firefox, and evidently still supports it.

Further information (some of it a bit technical, so depends how familiar
you are with HTTP headers):
* <https://www.geeksforgeeks.org/http-headers-public-key-pins/>
*
<https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#public-key-pins-hpkp>
*
<http://www.devdoc.net/web/developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Public-Key-Pins.html>

--
Mark.

Am 31.03.2023 um 16:59 schrieb Mark Bourne:
> Peter45 wrote:
>> SeaMonkey 2.53.15 cannot establish a secure connection to
>> https://www.westlotto.de/ because the authenticity of the received data
>> cannot be verified. According to the error message, the error should lie
>> with the operator of the page. However, SeaMonkey 2.53.17b1pre displays
>> the page correctly, Edge has no problem with the page either. Is there a
>> way to work around the error in SeaMonkey 2.53.15 or does anyone have
>> SeaMonkey 2.53.16 Beta in use and can test if the page works there.
>>
>> Peter
....
>
> 1. Edit > Preferences > Privacy & Security > Certificates > Manage
> Certificates. Perhaps pinned certificates show up somewhere there,
> perhaps on the "Servers" tab. If you can see a certificate specifically
> for westlotto.de, you could try deleting it. DO NOT go deleting or
> disabling other certificates though, otherwise you'll end up being
> unable to connect to anything!

I had already searched at this point, but when I click on the button
Manage certificates, nothing happens. The button seems to be without
function.

>
> 2. I've also seen indications that this key pinning might be recorded in
> the "SiteSecurityServiceState.txt" file in your profile.
> * You'll probably need to exit SeaMonkey before editing the file.
> * Make a backup copy of that file before messing with it, just in case.
> * Then, look for a line for westlotto.de or www.westlotto.de and
> delete it.
> * Restart SeaMonkey and see if you can connect.

That's it, thank you very much for pointing it out. Now I can access the
page again without any problems. I did not know the file until now.

Peter

Am 01.04.2023 um 20:39 schrieb Peter45:

> ...
>>
>> 1. Edit > Preferences > Privacy & Security > Certificates > Manage
>> Certificates. Perhaps pinned certificates show up somewhere there,
>> perhaps on the "Servers" tab. If you can see a certificate specifically
>> for westlotto.de, you could try deleting it. DO NOT go deleting or
>> disabling other certificates though, otherwise you'll end up being
>> unable to connect to anything!
>
> I had already searched at this point, but when I click on the button
> Manage certificates, nothing happens. The button seems to be without
> function.

Addendum: After I deleted the westlotto lines in the
SiteSecurityServiceState.txt file, the Manage Certificates button works
again. :-)

Peter