


Web Security


Originally published in Queue vol. 10, no. 11



Comments

(newest first)

Cris Perdue | Thu, 07 Mar 2013 17:47:53 UTC

Thanks for the lively discussion of practical issues in browser security. I especially appreciate the comments on Convergence, "Do Not Track", and clickjacking, in addition to the overview of the area.

I have a question related to same-origin policy. A lot of browser security, and privacy, issues I am aware of are most readily enabled by cross-site request capabilities of browsers, and this appears to me to include clickjacking as well as intranet hacking and browser-based cross-site user tracking.

My question is, if a page were in a mode that prohibited all cross-site requests, wouldn't that eliminate several classes of browser vulnerabilities? I picture this being done by an HTML header, and would apply to everything in the page, including scripts, images, frames, and so on. This mode could have a clear visible indicator in the browser's UI, much as SSL does today.

I see it as a way for the operators of a web site to take fuller responsibility for the content and functioning of pages, which seems like something interested users could fairly easily understand and appreciate, along the lines of "all content served by [web site operator]". This seems like a more than reasonable expectation to have of commercial services such as shopping and financial sites.

Presumably execution of JavaScript, say from an in-browser debugger or a bookmarklet, would be permitted, but irrevocably remove the mode from the page.

Thank you, Cris Perdue









© 2018 ACM, Inc. All Rights Reserved.