SSL Certificate for IFI Websites

Barin · August 17, 2018, 8:43pm

The SSL certificate, issued by Symantec subsidiary CA GeoTrust, in use for the websites listed below is already identified as distrusted by Chrome Canary and Chrome Dev and will be distrusted in Chrome Stable by October 16, 2018 with the release of Chrome 70.

After updating to Chrome 70, the following will appear when trying to access any of the listed websites:

IFI should replace the certificate with a trusted one for free with the information on Symantec’s site.

Affected websites (DNS names):

DNS Name: www.hexbugvex.com
DNS Name: www.girlpowered.com
DNS Name: www.vexforum.com
DNS Name: www.server-racks.com
DNS Name: www.openframeracks.com
DNS Name: openframeracks.com
DNS Name: lonestarracks.com
DNS Name: www.lonestarracks.com
DNS Name: www.nanov2.com
DNS Name: h-sq.com
DNS Name: www.circuitboards.toys
DNS Name: rack-solutions.com.au
DNS Name: www.rack-solutions.com.au
DNS Name: toyguru.com
DNS Name: www.toyguru.com
DNS Name: www.roboticseducation.org
DNS Name: racksolutions.eu
DNS Name: www.racksolutions.eu
DNS Name: www.robotevents.com
DNS Name: robotevents.com
DNS Name: sub.robotevents.com
DNS Name: content.robotevents.com
DNS Name: curriculum.vexrobotics.co.uk
DNS Name: www.vexrobotics.co.uk
DNS Name: www.innovationfirstlabs.com
DNS Name: content.vexrobotics.com
DNS Name: curriculum.vexrobotics.com
DNS Name: www.vexrobotics.com
DNS Name: vexrobotics.com
DNS Name: toyguru.com.au
DNS Name: www.toyguru.com.au
DNS Name: content.tagamoto.com
DNS Name: www.tagamoto.com
DNS Name: www.racksolutions.co.uk
DNS Name: racksolutions.co.uk
DNS Name: www.2postrack.com
DNS Name: 2postrack.com
DNS Name: content.racksolutions.com
DNS Name: ca.racksolutions.com
DNS Name: www.racksolutions.com
DNS Name: racksolutions.com
DNS Name: www.rack-solutions.ca
DNS Name: rack-solutions.ca
DNS Name: vex.com
DNS Name: www.vex.com
DNS Name: www.hexbug.com
DNS Name: content.hexbug.com
DNS Name: hexbug.com
DNS Name: iblparts.co.uk
DNS Name: www.iblparts.co.uk
DNS Name: innovationfirst.com
DNS Name: content.innovationfirst.com
DNS Name: www.innovationfirst.com

I apologize if this post seems condescending; I was merely trying to be informative and drive the urgency.

TriDragon · August 18, 2018, 3:15am

Interesting, vexiqforum is not on the list and is not secure presently by safari and chrome standards. get a nice nastygram when going to it.

Barin · August 18, 2018, 12:53pm

The VEX IQ Forum uses classic HTTP instead of HTTPS. There is no encryption in use to transmit data to and from your device and the VEX IQ Forum servers.

Google has said they would start marking such websites as unsecure in Chrome, but, rightfully so, Chrome treats HTTPS certificate issues much more seriously. In Chrome Dev for Android, I haven’t been able to actually access the VEX Forum except in incognito mode.

sazrocks · August 18, 2018, 1:37pm

Is this true for login info as well? If so, what the heck VEX? SSL is a basic part of any website’s security and to not use it, on a forum no less, is unacceptable.

Barin · August 18, 2018, 1:40pm

The login for the VEX IQ Forum is not a separate page; rather it is just part of any other page. I checked the homepage and found no TLS.

sazrocks · August 18, 2018, 1:42pm

That’s ridiculous.

Barin · August 18, 2018, 1:53pm

You can check yourself. If using Chrome, click/tap the symbol just to the left of the URL in the address bar.

sazrocks · August 18, 2018, 2:05pm

Yeah I know, I just verified that on my phone. Going to do more testing later.

sazrocks · August 18, 2018, 3:13pm

Testing complete.
Login information is easily intercepted, with usernames in plaintext and passwords in the form of an unsalted md5 hash. This needs to be fixed.

I also really hope that those hashes are salted and hashed once they reach the server. This makes me worried for the security of this forum…

system · January 3, 2020, 10:11pm