Invalid SSL Certificate for MacRumors.com

Yeah, looks like wrong cert totally, not the usual someone let it expire.

 

Probably doing work.. something like that rarely gets over looked. Not that it matters, their is absolutely no reason to need SSL on a site like this, I think people assume they need it, and sites like this, and everyone else hops on board, wasting money, and configuring the crap because the public doens't really know what it does.

 

Exactly. *Maybe* the login box should use it. Maybe. Anything else, who cares.

 

Thank you! You have NO IDEA how many people go to one of my sites and email us saying " no ssl, i refuse to use your website ", and i'm talking static sites here! Ugh, I hate how uneducated the internet users are becoming with tech that doesn't involve a watch, a phone, or a tablet

haha!

 

MacRumors isn't static, but their is -nothing- here that would even apply to that. it's an open forum, where communication is shared openly. If it's altered, we'd know. Instant messages ( maybe ), but even then not happening, knowing the person sending, timing, etc. Those types of attacks are dated, and really don't even apply.

So as the last guy said, maybe on the login system, but no offense, i think i'd survive if someone managed to grab my username and password from mac rumors. Even then, it's a stretch, a big one.

 

The cert in place has about 30 names on it for all sorts of things; I'm not sure what happens; perhaps the hosting company messed up? Anyone can see all the sites the cert is for, use your browser and look for the 'more info' on the certificate when you come here using SSL. Someone really messed it up, and perhaps no one ever checked it because no one uses SSL with MR.

 

To the best of my knowledge, MacRumors doesn't use SSL on the site, so you shouldn't use https in the address bar. @arn can verify this of course.

 

Right, could be things bleeding over from other sites hosted at the same place.

 

Tell that to Apple which in iOS 9 will automatically try to perform any web traffic using https and reject http-only servers (unless the application takes specific action to allow such traffic). The safest method is to use https for everything. Much safer than deciding which sites need https and which sites don't, and getting it wrong.

 

@SandboxGeneral is correct. www.macrumors.com is not configured to use SSL certificates so if you try to visit the secure version of the site, you'll get that "error". you will also get that "error" if you try to visit any other site that is not configured/has SSL disabled (ex: cnn.com)

 

I am a web developer and the entire industry is shifting towards HTTPS for a number of reasons:

• It prevents man in the middle attacks, you know the website your visiting has the content that you expect. A man in the middle could inject malicious code into the webpage that captures the username and password you enter to login to the forum. They could then try to use the login details on other sites to get access to you amazon account, your itunes account etc.
• For websites to take advantage of many of the new features in browsers they will have to use HTTPS, a new technology called ServiceWorker for example insist on HTTPS. ServiceWorker is the tech that allows websites to send push notifications, store content offline on your device etc.
• Even more important, HTTP2, the faster protocol for loading content across the internet requires HTTPS so to load sites faster the website needs to use HTTPS.

There are so many other reasons to use SSL that i wont list here, but its not about jumping on the bandwagon, its something all websites need to do.

There is a big initiative at the moment to make all websites use HTTPS, and part of it is a thing called Lets encrypt https://letsencrypt.org/ which allows people to install SSL (HTTPS) on their site for free.

 

Pretty pathetic for a site with millions visitors per month to not have a valid SSL certificate.

 

Perhaps you missed or misunderstood the actual discussion and its findings in this thread?

 

to fix this open Terminal and run:

IT's Globalisgn's fault, they explain why they ****ed it up on this pdf https://downloads.globalsign.com/ac.../-/globalsign-incident-report-13-oct-2016.pdf