[lug] Colorado Bureau of Investigation

Robert Racansky robert.racansky at gmail.com
Fri Jan 23 08:48:53 MST 2015


Not Linux related, but it is security related (especially for those of
you running web servers)...



A friend of mine owns a gun shop.

To conduct background checks, he uses the Colorado Bureau of
Investigation's (C.B.I.) web site at

https://ccic.state.co.us/InstaCheck/

Yesterday, he called me because he could not access the C.B.I.
website.  Since I was already on my way to his part of town for other
reasons, I was able to make a detour by his shop and check it out.


He normally uses the Google Chrome web browser on Mac OS X.  Sure
enough, when I arrived, Google Chrome was giving the following error
message:

"This webpage is not available"
"A secure connection cannot be established because this site uses an
unsupported protocol."
"Error code:  ERR_SSL_VERSION_OR_CIPHER_MISMATCH"

I was able to access the site using Firefox and Safari on his Macbook,
plus Internet Explorer on my Windows tablet, and whatever the web
browser on my ancient Android phone is.

Researching this, I found out that "Chrome 40 is removing SSLv3
support since it's been shown to be broken.  Please contact the site's
administrators and ask them to update their SSL stack."

Sure enough, the C.B.I. web site is using SSL v3, according to Firefox
on my Linux machine at home.

"Firefox cannot guarantee the safety of your data on ccic.state.co.us
because it uses SSLv3, a broken security protocol."
"Advanced info: ssl_error_no_cypher_overlap"


So Google Chrome version 40 and newer, and Firefox version 34 and
newer, will not display web pages using SSLv3.


When he called the C.B.I. earlier that day, they told him there was no
problem.  Of course, the person he talked to was a background-check
operator, and not a technical support person.




The experience was also a perfect example of why it's so frustrating
supporting small offices and home users.  In a corporate environment,
there are other computers (and users) to test with, making it easier
to isolate the problem.  Also, if the problem is with the company's
web site, the end-user support technicians can just go and talk to the
server-support admins.
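
An added example, not part of the original post: when a server's first reply has been captured (for instance from a packet capture), the protocol version it selected can be read directly from the ServerHello, which confirms an SSLv3-only server without relying on browser error text. The function names and the sample record are assumptions constructed for illustration.

```python
import struct

# (major, minor) version bytes as they appear on the wire.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
HANDSHAKE, ALERT, SERVER_HELLO = 22, 21, 2


def server_reply_version(data: bytes) -> str:
    """Return the protocol version the server chose in its first record.

    Raises ValueError if the record is truncated, is an alert, or is not
    a ServerHello.
    """
    if len(data) < 5:
        raise ValueError("truncated record header")
    rec_type, _major, _minor, rec_len = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + rec_len]
    if len(body) < rec_len:
        raise ValueError("truncated record body")
    if rec_type == ALERT and len(body) >= 2:
        # Alert body: 1-byte level, 1-byte description.
        raise ValueError(f"server sent alert {body[1]}, not a ServerHello")
    if rec_type != HANDSHAKE or len(body) < 6 or body[0] != SERVER_HELLO:
        raise ValueError("first record is not a ServerHello")
    # Handshake header is 1-byte type + 3-byte length; server_version follows.
    version = (body[4], body[5])
    return VERSIONS.get(version, "unknown %d.%d" % version)


def refused_by_chrome40_firefox34(version: str) -> bool:
    # Per the post: Chrome 40+ and Firefox 34+ refuse SSLv3 connections.
    return version == "SSLv3"


def sample_server_hello(major: int, minor: int) -> bytes:
    """Constructed sample (not captured from any real server)."""
    hello = bytes([major, minor]) + bytes(32)   # server_version + random
    hello += b"\x00" + b"\x00\x0a" + b"\x00"    # no session id, cipher, compression
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, major, minor]) + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    v = server_reply_version(sample_server_hello(3, 0))
    print(v, "refused:", refused_by_chrome40_firefox34(v))
```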

