Closed al-indigo closed 5 years ago
Strange, we use Cloudflare for SSL on this site and from our view looks all ok.
https://www.sslshopper.com/ssl-checker.html#hostname=https://apiblueprint.org/
Here's what I see (I have checked from several different computers with Mac Os X and Linux, Chrome/Vivaldi/Firefox)
Firefox also tells me that cert is valid for ip 104.28.25.8 only (there should be domain name usually, not an IP address) and it tells that the issuer certificate is unknown.
Can I check it in some other way and show you? Here is the info I see about the certificate:
And here's what Firefox said:
Peer's Certificate issuer is not recognized.
Форсированное защищённое соединение HTTP (HSTS): false Привязка открытого ключа HTTP (HPKP): false
Цепочка сертификата:
-----BEGIN CERTIFICATE----- MIICzDCCAbQCFGY3BuPe6t1A9CfVdiSYD9L26zu5MA0GCSqGSIb3DQEBBQUAMC8x CzAJBgNVBAYTAlJVMQ8wDQYDVQQIDAZNb3Njb3cxDzANBgNVBAcMBk1vc2NvdzAe Fw0xNjA0MTkwOTAxMjZaFw0xNzA0MTkwOTAxMjZaMBYxFDASBgNVBAMMCzEwNC4y OC4yNS44MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbKAiEnlHYra kjdHROklAz05e6paX/gfK41AEmXX6Mq26KtrHhKYR9Hgdt2tEXbAplZEuJYneNd5 d+juYqCsRvD0wbXgt5pQ5vCMJrlnrtik4KF0kxKYX02V5J8rRBS6BPluAd5yPMcy 9pMVjq19koUrdIYVsqsGxEPY9cHj62eeQsZKvTXagAYw2P+B6gASLfTb9+c6PO3E BUOrdPuIPWnui8+b5bvb4vz1kYrgJhv6hZ+/0JBAiCPo+V7H5UzI4/DEPlsDBjuH Rsb2pZ1w0ykx97FliVrfDo6FsmnYo67IGD+4DGXwbZUbe2vszp70Zl0Qsv/F43LF +fsquSH97wIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBRpiyilKLRSuqj6MnDRc7D QSqB2OBy+N3Bx1oH6masbrzAvQbF3VFN9RCWEAejteWpT91SYrGLuTsdZXQ5LIZj fl6Nge2ZCLErV0YPMjo6GfF8k4mD0H7/rfYY6odr+zwiuDdmPPNqe90013T9nIgz KezLPHDxs3WnLVIjAtsrsEptRygHTD70nXp/xoXmhaPB3Gapc8i+VIb4IdKbkG2E T4DeEdMQRatr2sXRWqmaqMsR8b1JJio4gPNL1u8X8+mbkYNeVxZbxbwXQZGURNvs Hm3b/3WS25v8k35YYCyQD8PJQ9RB8Ut+XA6NRvG5r9G8ifHuKaAm3ioQ8OarXgxB -----END CERTIFICATE----- `
I will contact Cloudflare support if they can solve this problem. Thanks for report.
@al-indigo Could you please also sent IP and country you are accessing the site from? Thanks!
83.149.199.196, Russia (it's Institute for system programming RAS)
@al-indigo can you to http://apiblueprint.org/cdn-cgi/trace and please here output?
@abtris Almost the same thing (see the screenshot). Also I noticed that the problem is related to our network provider, but I don't get why could it be — the address is correct, ip seems to be correct too and it's not any kind of virus — the same behaviour is seen on lots of computers (with different OS).
Hm, I'm almost sure that it's our provider tricks, I'll try to contact them and reply to you
That url is without HTTS only HTTP, try again.
fl=32f58 h=apiblueprint.org ip=85.142.16.26 ts=1465981144.643 visit_scheme=http uag=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 Vivaldi/1.1.453.59 colo=ARN spdy=off http=http/1.1 loc=RU
Thanks, I send info to Cloudflare.
Cloudflare support thing there is problem with your server: squid
- local proxy server at your end. I think there can be problem with caching.
I have some news.
Actually it appeared that our "censor" organ https://rkn.gov.ru/ has added this IP address to forbidden list on the territory of Russian Federation. That explains why I can go to http site: for unencrypted connections they parse HTTP headers and destination so I can go through.
Nethertheless if I go through https/ssl, they can not decrypt the traffic, so when provider detects that I go to forbidden IP, they are making MITM attack and try to pass me through their squid server. And that ruins the connection because it's actual MITM attack. Most of russian providers act like this (the second strategy is to change DNS entries for domain name and it causes the same consequences).
The reasons for the whole thing are:
As I can see it, the only way to fix it is to ask Cloudfare to place your site under another IP-balancer that is not blocked. In the other case the only way to see your site from most of Russian providers is to use vpn/proxies/tor
@al-indigo Thank you very much for this. We'll pass it to Cloudflare, and we'll also think about other ways how to decouple us from their network.
I feel for you with regards to the censorship, unfortunately there isn't much we can do with that. We'll try our best to think about how to circumvent it.
I don't thinks this is still applicable, we've moved this particular domain away from CloudFlare and now it's hosted from GitHub pages:
$ curl https://apiblueprint.org/ -I
HTTP/2 200
server: GitHub.com
Providing you can access this GitHub (this issue) I would imagine that the site is now accessible for you, if you are still seeing any problems please let us know and we can reinvestigate this.
Thanks again for bringing this to our attention.
Do not know where to report it. It seems that someone has hacked the site and replaced you certificates with self-signed. As a result:
EDIT: it seems that some russian providers are acting as man-in-the-middle for cloudfare connections; the site was not compromised