[BBLISA] solution to web sites with incomplete SSL cert chains

Bill Bogstad bogstad at pobox.com
Fri Sep 18 13:01:50 EDT 2015


On Fri, Sep 18, 2015 at 12:43 PM, Edward Ned Harvey (bblisa4)
<bblisa4 at nedharvey.com> wrote:
>> From: bblisa [mailto:bblisa-bounces at bblisa.org] On Behalf Of Bill Bogstad
>>
>> At the most recent BBLISA meeting, there was a brief discussion of
>> SSL/certs. Unfortunately, I never asked about an issue that I had
>> recently with Firefox and certs. It seems that
>> Firefox is not happy with this site:
>>
>> https://help.target.com/
>>
>> when I check it with one of the on-line SSL checking sites, it seems
>> that Target isn't providing a complete chain back to a root CA. Any
>> idea how one goes about getting a web site to fix problems like this?
>> I tried reporting it using a different browser and I got the typical
>> "reboot your computer, reinstall, etc. etc." response.
>
> Most likely, the problem is, it works for them and not for you.
> Here's why:
>
> Whenever you browse (in any browser) to https://foo, and it sends the cert chain down to you, your browser or OS keystore CACHES the chain for some f***ing reason. This is infuriating. It is guerrilla tactics, where one thing covers up for some other thing's shortcoming. Now you browse to https://bar which has a broken chain, BUT IT WORKS because your browser is able to construct the chain using cached certs.
>
> I don't know where to see it in firefox, but in IE you go to Internet Options/Content/Certificates/Intermediate. The default state, pristine from the factory, is an empty list. The more you use your computer, the more stuff appears in that list. It is safe to delete the intermediates, and necessary to diagnose this type of problem.
>
> Or just use SSLLabs. God love 'em.

I used an SSL checking site to verify the problem that Firefox
reported. My question is: how do I shame them into fixing the
problem? BTW, cert caching didn't help me, probably because my
browser (Firefox) didn't happen to have the intermediate certificates
cached yet. An alternative solution for me might be a web site that
I could visit that would cache the most common intermediate certs.
It would let those bogus sites off the hook, but it would at least let
me browse the web without having to figure out certificate issues all
the time.

Bill Bogstad
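The failure mode the thread describes (a site that sends only its leaf certificate, which validates on a machine that has already cached the missing intermediate and fails on a "cold" one) can be reproduced offline. The script below is an added example, not part of the mailing-list thread or of any tool the posters mention. It assumes the openssl command-line tool (1.1.1 or newer) is installed; every subject name, hostname and file name in it is constructed for the demonstration. It builds a throwaway root, intermediate and server certificate, then runs the same chain-building check a browser does in three situations: leaf only, leaf plus intermediate, and leaf only with the intermediate available from a local "cache" file.

```shell
#!/bin/sh
# Added example (not from the BBLISA thread): reproduce an incomplete-chain
# failure with a throwaway PKI and show how a cached intermediate masks it.
# Assumes the openssl CLI (1.1.1+). All names and hostnames are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden by -subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:help.example.test
EOF

# issue_cert SUBJECT EXT_SECTION ISSUER_BASENAME OUT_BASENAME
# Generates a 2048-bit RSA key and a CSR, then signs it with the named issuer.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/pki.cnf" \
    -subj "$1" -keyout "$WORK/$4.key" -out "$WORK/$4.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$4.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/pki.cnf" -extensions "$2" \
    -out "$WORK/$4.pem" 2>/dev/null
}

# Self-signed root (the only thing in our "trust store"), then the two tiers.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$WORK/pki.cnf" \
  -extensions v3_ca -subj "/CN=Constructed Test Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
issue_cert "/CN=Constructed Test Intermediate CA" v3_ca root intermediate
issue_cert "/CN=help.example.test" v3_leaf intermediate leaf

# What a misconfigured server sends vs. a correctly configured one, plus the
# intermediate a browser may have cached from some other, correct site.
cp "$WORK/leaf.pem" "$WORK/served_incomplete.pem"
cat "$WORK/leaf.pem" "$WORK/intermediate.pem" > "$WORK/served_complete.pem"
cp "$WORK/intermediate.pem" "$WORK/browser_cache.pem"

# chain_verifies SERVED_BUNDLE TRUST_STORE [CACHE_FILE]
# Validates the first certificate of the served bundle (the end-entity cert)
# against the trust store, using the rest of the bundle and any cached
# intermediates as untrusted chain material, like a browser does.
# Returns 0 when a chain to a trusted root can be built, non-zero otherwise
# (openssl reports "unable to get local issuer certificate" in that case).
chain_verifies() {
  openssl x509 -in "$1" -out "$WORK/_target.pem" 2>/dev/null
  cat "$1" "${3:-/dev/null}" > "$WORK/_untrusted.pem"
  openssl verify -CAfile "$2" -untrusted "$WORK/_untrusted.pem" \
    "$WORK/_target.pem" >/dev/null 2>&1
}

report() {
  if chain_verifies "$2" "$3" "${4:-}"; then
    echo "$1: OK"
  else
    echo "$1: FAILS (cannot build a chain to a trusted root)"
  fi
}

report "site sends leaf only, cold browser"        "$WORK/served_incomplete.pem" "$WORK/root.pem"
report "site sends leaf + intermediate"            "$WORK/served_complete.pem"   "$WORK/root.pem"
report "site sends leaf only, intermediate cached" "$WORK/served_incomplete.pem" "$WORK/root.pem" "$WORK/browser_cache.pem"

# To capture what a real site actually sends (the "served bundle" above), use:
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
# and count the certificates in the output; a single one means the operator
# forgot to configure the intermediate, which is what the checkers report.
```

The third case is the one that makes these problems hard to reproduce: the same server, the same trust store, and a different answer depending only on what the client happened to cache earlier. When you report the issue to a site operator, sending them the output of the `s_client -showcerts` command (or the SSL Labs report, which tests from a cold client) removes the "works for me" ambiguity.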
