What's the invalid certificate stuff about


SandyCat
True & Honest Fan
kiwifarms.net
Joined Apr 15, 2021
I tried looking it up but I'm getting too old to understand technology

Someone spoonfeed me I'm retarded
 
Solution
An SSL cert is (oversimplifying here) basically like a piece of paper that says that a website is who they say they are, while also facilitating an encrypted connection to that site. An invalid SSL cert means there's no way to know that a website is who they say they are, and not a spoof site trying to impersonate the site in question to scrape your credentials or do other malicious shit. If you see https:// before a site's URL and a little lock symbol, and they have a valid cert, then you have an encrypted, secure HTTPS connection to that site, in theory. It used to be that the vast majority of sites were unencrypted HTTP, but it's gotten to the point now where unencrypted sites are actually rarer than encrypted ones.


 
Solution
With the Farms spinning up mirrors, there's a risk someone could put up a fake Kiwi Farms website and convince people it's the real one so they log in, thus sending their passwords to an enemy. One attack would be to post somewhere (say Twitter) that fakekiwi.net is the real site.

Another attack is if they manage to compromise the sneed.today domain to point to an IP they control, so people send passwords to the "honeypot" IP. But if they do that, then the certificate will hopefully not be valid since the enemy won't have the real one, and the web browser will warn you that it isn't right. Hence Null's advice to not ignore this warning (which people often do, thinking it's unimportant).

One problem, however, is that it's often not that hard to get a new certificate if you control a domain, so this isn't foolproof.
 
Almost always when you see a SSL validation error it's the website admin fucking up, but it might be someone trying to hack the target website or (less likely) you specifically. Whenever you see a SSL validation error, it's normally better to not go onwards to the website and wait for the admin to fix their shit. If you choose to proceed, bad things might happen, and definitely never enter credentials or other secret info into that site.

For example, a number of crypto sites got hacked in this way and retards who ignored the SSL validation errors that were there to protect them got fucked over.

There is an elevated chance of someone trying to hack KF in this way but it's more likely that someone sets up a honeypot site to try to capture login info - this would show up with valid SSL so it's important to remember that SSL (where there is a lock icon in your task bar) does not mean that the site is actually safe, because it could just be a totally different site that looks similar run by someone else.

There are also ways that a certificate authority can be tricked into handing over a valid certificate when they shouldn't, which bypasses all of the above, but this isn't normally seen where there isn't a huge payday involved.
 
Dear Feeder left off "... on Tor". He means "Do not accept invalid certificates to access the Kiwi Farms on Tor".

Others have explained what certificates are already, but this is about ease of issuance. Clearnet certificates are free and simple to issue through e.g. letsencrypt.org; however, there are really only a couple of routes for getting a certificate for a .onion, so most Tor Hidden Services/Onions don't bother, as the underlying transport already provides the encryption which is added by the certificates on the clearnet.

Because Jersh has (only just!) a third-party signed certificate for https://kiwifarmsaaf4t2h7gc3dfc5ojhmqruw2nit3uejrpiagrxeuxiyxcyd.onion and therefore it's https only, he's warning you to not go to a weird and wonderful Tor version and accept their self-signed certificates.
 
This is true. Just because a site has a valid SSL cert and an HTTPS connection, that doesn't mean it isn't a spoof domain. It's entirely possible for someone to apply for an SSL cert for sn33d.today and appear totally legitimate and valid... for that specific fake URL. It's up to you to make sure the URL is correct.
 
I wanna know where the fake ones are so I can spam them with fake credentials.
 
Okay, I'll try to explain it as simple as possible, with some additional color coding.

An unsecured website will show a warning in the address bar and it will start with http://
A secured, encrypted website will show a closed padlock in the address bar and it will start with https://

An unsecured website will send all the data, including sensitive data like passwords in plain text and it's insanely insecure in today's world.
A secured website will send everything encrypted, so that no one can snoop in and steal any data, and it's the web standard nowadays, at least when people running a site are competent.

You should never enter any sensitive data on an unsecured website, such as logins and passwords.
It's okay to send sensitive data on a secured website as it is all encrypted and cannot be hijacked.

Remember that a secure website can also be a fake website that steals your data. All of what I just said relates to the way it works technically, so do not take it as universal advice and verify the websites you're visiting in more ways than just their HTTPS status.

If a website is insecure by design, it should open up without a fullscreen warning and it will say it is insecure in the address bar.
If a website is secure by design and properly configured, it should open up without a fullscreen warning and it will show a little closed padlock in the address bar. You can also click the said padlock to see some extra info about your connection.

Now, if a website is meant to be secure by design but it throws a certificate error, there are two possibilities:

a) whoever is running the website failed to keep the certificate up to date and now it's invalid. It should get resolved eventually and you'll be able to enter the website with a secured connection at a later time.
b) someone is trying to do something nasty and they want to steal your information, such as your login session which the browser can give to a malicious website because it only assumes that the URL is correct.

In both cases you should NEVER bypass the warning, it is there for a reason.

As for the two warnings currently visible on top of the page:

Do not trust random mirror websites that you cannot verify on the Tor version of the forum.
By this one Null meant that if there exists some mirror website for the Kiwi Farms, but you cannot verify that Null himself actually set it up by going to kiwifarmsaaf4t2h7gc3dfc5ojhmqruw2nit3uejrpiagrxeuxiyxcyd.onion, which currently is the official KF Tor service, then it means it's a fake site that's designed to steal your credentials.

sneed.today has been set up by Null and he has informed all the users of its existence himself, therefore it is okay to use it until Null says it is not because something bad happened. Otherwise no other legitimate mirrors exist currently, so if you see a KF mirror under any other URL, but you cannot find any info directly from Null that he set it up, avoid it.

Do not accept invalid certificates to access the Kiwi Farms.
This relates to the entire tirade above. If you cannot open KF from a current official URL like sneed.today, kiwifarms.net or the aforementioned Tor URL without having an invalid certificate, do not click through that warning or you will get your login session/passwords stolen.

In short, here are very simple guidelines on making sure that you're visiting the True & Honest Kiwi Farms:

-The official Kiwi Farms Telegram channel under https://t.me/kiwifarms (current official mirror on https://tg.josh.rs) has said it is the official site, such as the current .onion domain
-If the official Kiwi Farms Telegram channel says otherwise about the older URL and links a new one, use the new one and disregard the old one.
-You can verify that the URL belongs to Null by visiting KF through the official .onion URL, and either looking at the bottom of the page for current primary domains or visiting Null's profile to see if he announced an official mirror
-If you try to visit the official URL and you get a certificate error, do not bypass it and instead close the tab.

If you followed all those instructions, you're certain that it is Null's official URL, and after opening it it automatically connected via the secure connection, then you're ready to sneed safely.

I'm sure I'm probably not clear enough or I've forgotten other important aspects, but I think for the most part it's good enough.
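An added example, not code from the thread, that models the checks a browser runs before it shows the padlock: it covers both failure cases a) and b) above (a lapsed certificate, and a self-signed one served from a hijacked IP) and the lookalike-domain point raised earlier in the thread (a perfectly valid certificate for sn33d.today passes every check). The certificate dicts, the CA name "Example Public CA" and the fixed clock are constructed sample values, and the issuer check is a simplified stand-in for real chain validation against the browser's root store.

```python
import ssl

TRUSTED_ISSUERS = {"Example Public CA"}  # constructed stand-in for the browser's root store
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")  # fixed clock so results are repeatable

def make_cert(sans, issuer_org, not_after="Jan  1 00:00:00 2026 GMT"):
    """Build a constructed cert dict in the shape ssl.SSLSocket.getpeercert() returns."""
    return {
        "subject": ((("commonName", sans[0]),),),
        "issuer": ((("organizationName", issuer_org),),),
        "subjectAltName": tuple(("DNS", n) for n in sans),
        "notBefore": "Jan  1 00:00:00 2024 GMT",
        "notAfter": not_after,
    }

def dnsname_matches(pattern, hostname):
    """RFC 6125-style match: '*' only as the whole leftmost label, never across dots."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]

def check_cert(cert, hostname, trusted_issuers=TRUSTED_ISSUERS, now=NOW):
    """Return the problems a browser would warn about; an empty list means the padlock shows."""
    problems = []
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    if issuer.get("organizationName") not in trusted_issuers:
        problems.append("untrusted issuer")   # self-signed or unknown CA (case b)
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")            # admin let it lapse (case a)
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(dnsname_matches(s, hostname) for s in sans):
        problems.append("hostname mismatch")  # certificate was issued for a different name
    return problems

if __name__ == "__main__":
    # case a): the admin let the certificate expire
    print(check_cert(make_cert(["sneed.today"], "Example Public CA", "Jan  1 00:00:00 2025 GMT"), "sneed.today"))
    # case b): DNS points at an enemy box that can only present its own self-signed certificate
    print(check_cert(make_cert(["sneed.today"], "sneed.today"), "sneed.today"))
    # lookalike: a valid certificate for sn33d.today raises no warning at all, so check the URL yourself
    print(check_cert(make_cert(["sn33d.today"], "Example Public CA"), "sn33d.today"))
```

The last case is the one the padlock cannot help with: every check passes because the certificate really does belong to the lookalike name, which is why the thread keeps saying to verify the URL itself.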
 