HTTPS pages not secure

Hi,
I have this problem ...

opera shows "insecure connection" for some HTTPS sites (eg. GMail.com, Facebook, Opera Bookmarks)
and it says "the server attempted to apply security measures, but failed" or
"The server does not support secure TLS renegotiation. The site owner should upgrade the server."

Opera Mail is weird ... when I open Opera Mail from link on this site, it shows insecure,
when I refresh that page, it is secure

some other HTTPS work ... why?

it is the same in latest Opera 11.52 and 12

after some research ... there must be something wrong in the system,
I tried that on my second laptop and everything is fine ...

so, question is - how it is connected with root certificates or such?

Originally posted by z-o-o-m:

"the server attempted to apply security measures, but failed"

I get that, too

I am getting mixed signals with Opera and HTTPS pages, and it doesn't make sense from a user's point of view.

Some HTTPS pages Opera will deem as insecure with the reason given "The server does not support secure TLS renegotiation. The site owner should upgrade the server."

Here's where it gets weird! Other HTTPS pages Opera will deem as secure, even though when I click on "Details" it gives me the same message about the lack of TLS renegotiation!


Here are some examples of this inconsistency:

The following pages are considered insecure by Opera because "The server does not support secure TLS renegotiation. The site owner should upgrade the server":

* PayPal: https://www.paypal.com
* Amazon: http://www.amazon.com (click on "Sign in")
* eBay: https://signin.ebay.com/ws/eBayISAPI.dll?SignIn


However, these pages are considered secure by Opera, yet they have the same problem about the lack of TLS renegotiation:

* Facebook: https://www.facebook.com
* Bank of America: https://www.bankofamerica.com
* Scroogle: https://ssl.scroogle.org
* GRC (the irony!): https://www.grc.com/dns/dns.htm


What's going on? Does Opera have different standards for different web sites? How fair is it if some web sites go the extra effort to support TLS renegotiation, yet other sites don't and they still get the seal of approval from Opera?

As far as I know currently the state of a server's TLS renego patch has no influence on Opera's grading of a site — the message you see is purely for reference (too many sites don't support it yet for Opera to start removing their secure status.)

This means something else is in play. Try installing a standalone copy of Opera in a new folder (it won't affect your current install if you do it that way) to see if the problem is in your current Opera install's certificate store or if something external is breaking things, be it a poorly implemented proxy system interfering where it shouldn't, or a man-in-the-middle attack.

Originally posted by flansuse:

The following pages are considered insecure by Opera because "The server does not support secure TLS renegotiation. The site owner should upgrade the server":

* PayPal: https://www.paypal.com
* Amazon: http://www.amazon.com (click on "Sign in")
* eBay: https://signin.ebay.com/ws/eBayISAPI.dll?SignIn

All of these show up fine in 11.60

Please note that both inclusion of unsecure items in a secure page, and temporary problems with revocation checking can cause the secure indication to disappear, as well as other reasons. The first is the responsibility of the website to avoid, the second (which can have many reasons, usually benign, but does include active attacks on your connection) will usually disappear after a while, although there is a delay of some hours to avoid hammering the relevant servers.

If a site shows the "Renego patch missing" indication that means that the site has not yet provably fixed a security problem that was discovered two years ago, and patched a few months later (19+ months ago).

Originally posted by BtEO:

As far as I know currently the state of a server's TLS renego patch has no influence on Opera's grading of a site — the message you see is purely for reference (too many sites don't support it yet for Opera to start removing their secure status.)

This means something else is in play. Try installing a standalone copy of Opera in a new folder (it won't affect your current install if you do it that way) to see if the problem is in your current Opera install's certificate store or if something external is breaking things, be it a poorly implemented proxy system interfering where it shouldn't, or a man-in-the-middle attack.

Interesting, because I thought the lack of TLS renegotiation was the reason a site is marked as insecure, since it follows the message "The following problem(s) were found." This message does not precede a site that is marked as secure.

I downloaded a copy of Opera 11.52 in .tar.xz format, extracted it to its own directory, and ran Opera with a fresh profile. You seem to be on to something, since those same sites are now marked as secure! What could have possibly changed in my main profile? I did not configure any proxies. How can I check for corruption in the certificate store? Maybe this will also alleviate the OP's problems with "The server attempted to apply security measures, but failed," which I also get as well on some random HTTPS pages.

Originally posted by flansuse:

Interesting, because I thought the lack of TLS renegotiation was the reason a site is marked as insecure, since it follows the message "The following problem(s) were found."

That is because the Renego message is automatically listed in that dialog when it is present for a server, regardless of whether it is a Secure, EV-trusted or a problematic site. At present not all discovered issues are listed in the field, particularly mixed security and CRL failures, so the information is not complete. When a site develops a problem it just get listed along with everything else under the "problem" header.

Originally posted by flansuse:

This message does not precede a site that is marked as secure.

You will see the Rengo message on all sites that have not been patched, e.g. https://www.facebook.com/ .

Originally posted by flansuse:

What could have possibly changed in my main profile?

A CRL failure is usually temporary, frequently lasting just seconds, and will be gone the next time. Restarting Opera will clear the temporary "don't check" flag set for the problematic revocation information. There have been cases where such problems have lasted for longer (some have even been geographically limited due to use of mirrors), but those usually get fixed quickly, once reported in forums or bug reports and forwarded to the CA.

Originally posted by flansuse:

How can I check for corruption in the certificate store?

Certificate store corruption that cause certificates to disappear always cause warning dialogs to be displayed.

Originally posted by flansuse:

"The server attempted to apply security measures, but failed," which I also get as well on some random HTTPS pages.

These are usually mixed security pages, including unsecure resources in secure pages. A bit of research in the info panel or with Dragonfly usually locates the problem resource quickly.

Thank you for the thorough reply, yngve! Here is what I have observed:

If I clear all private/temporary data and restart Opera, the problem (as described above) still persists. If I disable javascript, then all the above "insecure" pages are now considered "secure". Re-enabling javascript brings back the status of "insecure". What would javascript have to do with the validity of an HTTPS page?

With the fresh copy of Opera 11.52 (new profile), even with javascript enabled, no such issues existed.

Originally posted by flansuse:

What would javascript have to do with the validity of an HTTPS page?

Extensions and user javascripts have been known to interfere with the security level of a document. You might want to check if you have any such installed, and if so determine if any of them are interfering.

A badly designed javascript on a site could also reference unsecure resources, and it is not unknown that sites have included unsecure external Javascripts (I doubt any of the mentioned ones would have done that) which is is a serious security problem for the site.

Originally posted by yngve:

Originally posted by flansuse:

What would javascript have to do with the validity of an HTTPS page?

Extensions and user javascripts have been known to interfere with the security level of a document. You might want to check if you have any such installed, and if so determine if any of them are interfering.

I notice this issue (insecure HTTPS with javascript enabled) on 3 different machines, but I have no extensions installed, and I do not know of any user javascripts I am using. I reset urlfilter.ini, and that made no difference. I changed different options under Security, and that made no difference. I cleared all history/cache, and that made no difference. Yet, on all 3 machines, if I run a fresh copy of Opera with a new profile, I can leave javascript enabled and still have the page reported as secure.

This is hard to pin-point, but the fact of the matter is on 3 separate machines, somehow HTTPS pages are marked as insecure, but due to what changes in my options?

Is it fair to assume that any appearance and style options shouldn't interfere with the security of a web page?

I am very lost at this point. I want to be able to use my main profile to access Paypal, Amazon, and other secure pages without wondering whether or not it has been compromised (or it's just a bug/glitch in my settings.)

Originally posted by flansuse:

This is hard to pin-point, but the fact of the matter is on 3 separate machines, somehow HTTPS pages are marked as insecure, but due to what changes in my options?

Try deselecting Enable plug-ins only on demand. On Gmail it restores showing the HTTPS page as secure, though it may be an anomaly.

Originally posted by CraigPD:

Originally posted by flansuse:

This is hard to pin-point, but the fact of the matter is on 3 separate machines, somehow HTTPS pages are marked as insecure, but due to what changes in my options?

Try deselecting Enable plug-ins only on demand.

How on earth? That actually works! In fact, if I disable plugins entirely, it works as well!

So it works under either of these two conditions:
* Plugins are enabled (on-demand is disabled)
* Plugins are not enabled

But it breaks under this condition:
* Plugins are enabled (on-demand is enabled)

And yet, it works under this condition:
* Plugins are enabled (on-demand is enabled), but no plugins are found (e.g, removed the path to Flash)

Incredible. I can't even understand at this point. Is it that the sites have a Flash object somewhere, and if it's automatically loaded (on-demand disabled) Opera can verify a secure connection, yet if it's blocked (on-demand enabled) Opera cannot verify a secure connection? And yet, if Flash is not detected (plugins are not enabled / Flash not in plugin path) Opera can verify a secure connection?

This seems bizzare to me, since I use the same thing under Google Chrome: load plugins only on demand.

After playing around some more with Opera and other browsers, I'm starting to believe this "insecure HTTPS" thing is a fault on Opera's end. There might be an issue/coding error with the "on-demand plugin" feature under Opera.

There is IIRC an issue with the security level and the default plugin functionality

and now the most funny part

when I login to PayPal, it is insecure ... but!
when I check some PayPal transaction, it is secure ... LOL

EDIT:
I deleted all old Opera settings folders and it seems everything works fine again,
so there must be some problem in the certificate store or such ... weird that it did NOT
work before (even Opera 12 had this issue)

EDIT2:
this is LOL even more - I returned old settings back (no change there) and now all sites
work correctly!

I have the same message "the server attempted to apply security measures, but failed" on my internetbanking site https://ib24.csob.cz/ (the icon jumps green first, but then turns grey) in Opera 12.01.
Site is "secure" in Opera 11.60 and works fine.

I disabled the "Enable On Demand Plugin" option with no change. If I turn plugins off, nothing changes, if I turn Javascript off the site is secure, but as it requires Javascript to work I can't use it.

Do I remember it right, that if browser declares site as not secure, the data actually are not sent securely (are not encrypted or something)? I mean like if I had a certificate that is signed by certificate authority, which is trusted, but it's not in the list of trusted authorities, so then browser tells me it's not a secure connection, does it only warn me and then proceed as if it was secure, of just decides that if it's not secure, then why bother to encrypt? Are my data in danger then? Or the similar situation on my e-banking site?

(got a note that in 12.5 weekly it is also secure, is it a bug?)

WTF - seriously?

I just noticed this happening in a bunch of sites I've been logging into - including one .gov site where I just entered some sensitive data.
Can someone confirm that the data was actually encrypted?

I was getting this message
"the server attempted to apply security measures, but failed"

EDIT: there was no warning here - I just noticed that the padlock color was weird

I also saw it on yahoo sign in as well as my ISP webmail. Couple of other sites as well.
You can tell I'm seriously pissed off if the data was not encrypted

I deleted my cache/cookies etc (all pvt data except open tabs) and then the site were showing green/yellow (i.e. good)

This may just be the last straw for with regard to using Opera - I've been a user since V2.1


Version 12.01
Build 1532
Platform Win32
System Windows 7
XHTML+Voice Plug-in not loaded

Browser identification

Opera/9.80 (Windows NT 6.1; WOW64; U; en) Presto/2.10.289 Version/12.01

Same problem with Linux version, since 12.01 I think. Clearing the disk cache fixed some sites; clearing the memory cache by re-starting Opera fixed the rest.

Version 12.01
Build 1532
Platform Linux
System i686, 3.2.0-0.bpo.2-686-pae
Opera/9.80 (X11; Linux i686; U; en) Presto/2.10.289 Version/12.01

Originally posted by Trof:

Do I remember it right, that if browser declares site as not secure, the data actually are not sent securely (are not encrypted or something)? I mean like if I had a certificate that is signed by certificate authority, which is trusted, but it's not in the list of trusted authorities, so then browser tells me it's not a secure connection, does it only warn me and then proceed as if it was secure, of just decides that if it's not secure, then why bother to encrypt? Are my data in danger then? Or the similar situation on my e-banking site?

I've just found this thread. I started to use opera a few days ago and sent my credit card number to a web shop over connection that (I later noticed) deemed not secure unencrypted by opera (while always being marked as secured in another browser). Is my credit card number now compromised?

Opera 12.01 claims that an https connection to Bank Austria is neither encrypted nor safe. Clicking to the left of the address field, and then on "details" renders a message saying something like the server tried to establish a secure connection, but failed. The problem can be resolved by purging the disk cache.
Operating system: Windows Vista x86
Browser: Opera 12.01 b. 1532 32-bit

Yes I see threads on how to sort of fix it but at the moment I am concerned about my credit card number.
The question is if it was sent unencrypted or not at all or despite opera's warning, encrypted?

It is really weird issue and it last for half a year now (I wonder why Opera team didn't solve that). When I clear my disc cache and refresh the page it is recognized as secured. However when I close tab and reopen it again it is not secure any more. Anybody knows why Opera team didn't solved that issue?

Originally posted by sbelus:

It is really weird issue and it last for half a year now (I wonder why Opera team didn't solve that). When I clear my disc cache and refresh the page it is recognized as secured. However when I close tab and reopen it again it is not secure any more. Anybody knows why Opera team didn't solved that issue?

I gave up for the moment, since only the Opera browser gives me inconsistent and odd results with HTTPS pages. You have to do some strange ritualistic dance with toggling plugins, toggling on-demand, toggling javascript, cleaning the cache, et al. For those web sites, I just use Google Chrome or Firefox. I find it ironic, since Opera is dubbed as the browser that takes security the most seriously.

Using 12.01 here.

I'm sure the people that operate the US government payments page at https://www.eftps.gov would love to hear that their page is "not secure".

I just noticed this.

What is particularly aggravating is that it gives NO hint which 'measures' failed. What is the point of that other than making it impossible to track down the problem and fix it?

Yes, Opera historically has done a better job of security than other browsers. But it's getting to be a Chicken Little situation by proclaiming half the web "insecure" these days. (Even though I'm guessing the problem here has to do with some sort of bug (based on Yngve's cryptic comment from 2011-12-01) or extensions issue.

Originally posted by pjk0:

What is particularly aggravating is that it gives NO hint which 'measures' failed. What is the point of that other than making it impossible to track down the problem and fix it?

Hence, this complaint: http://my.opera.com/community/forums/topic.dml?id=1482592

Starting to notice a pattern?

Originally posted by flansuse:

Starting to notice a pattern?

Yep, seems I'm not the first one to complain about this. ;-)

It's getting to where almost every SSL site I access now is displaying that message.

I'm wondering if some of my extensions are responsible - I just started getting enamored of some of these, and am starting to install the following on most of the Opera installations I manage:

WOT
Ghostery
Opera AdBlock


I also have the following installed on some machines:

TinEye reverse image search
Unshorten
Find Matching Images

As far as I know, I don't have any of those set to allow interaction with SSL pages.

Perhaps just grasping at straws here.

Extensions are not responsible for this problem; although there have been cases where bugs in extensions have caused similar issues.

The present problem is due to a revocation cache management bug (now fixed), which is why deleting the cache and restart works. It will start showing within a few hours for some sites, and within 7 days it will affect all secure sites.

Originally posted by yngve:

The present problem is due to a revocation cache management bug (now fixed), which is why deleting the cache and restart works. It will start showing within a few hours for some sites, and within 7 days it will affect all secure sites.

Thanks Yngve.

So should I assume that we will see a fix for this in 12.02?

Going to go clear cache and see how that works. Thanks.

Originally posted by yngve:

The present problem is due to a revocation cache management bug (now fixed), which is why deleting the cache and restart works.

That means it was a bug on Opera's revocation server?

Originally posted by Swapnil99pro:

That means it was a bug on Opera's revocation server?

Opera does not have a revocation server; every installation have a cache sub directory containing the revocation information for each OCSP and CRL response downloaded. There was a bug in the handling of that cache.

Originally posted by yngve:

There was a bug in the handling of that cache.

That means it would be fixed in an upcoming Opera 12.0x snapshot?

EDIT: Is it CORE-48069?

Originally posted by Swapnil99pro:

EDIT: Is it CORE-48069?

Yes

yngve, Thanks.

Cleaning the cache fixed the problem here too. Thanks!

Opera Desktop Team - Approaching Opera 12.02 Final .

Of particular importance is CORE-48069, which fixes an issue where secure pages would be shown as not being secure. Let us know if secure sites seem to work correctly now, or if you are able to spot any new problems.

Changelog

• CORE-48069 Opera isn't connecting correctly to secure pages