
https://archive.md/bw2cN

(It's a Medium page that doesn't load for me)




whereas archive.md returns "ERR_SSL_VERSION_OR_CIPHER_MISMATCH"!

Sometimes I wish there was a way to tell our browsers "I really don't care about SSL on this page, honestly, and I'm qualified to tell when it matters."


As far as I know, Firefox still allows this for any expired certificate which at least has correct domain details and authority (e.g. it once worked, which some dev should validate).

SSL version or cipher mismatch can be from other causes. For example, the server might be responding with an HTML page that your browser is interpreting as https or vice versa, such as if the developers run http for local dev and https for prod and something gets confused.


> SSL version or cipher mismatch can be from other causes. For example, the server might be responding with an HTML page that your browser is interpreting as https or vice versa,

No, it's speaking TLS; it (the server) sends a TLS fatal alert & disconnects immediately after the ClientHello.

It's odd, too; I asked nmap to show what ciphersuites the server offers, and it seems like what nmap was able to elicit indicates there is overlap between what's offered by the client and the server. So … IDK what is going on here. (It seems like the server isn't doing cipher suite negotiation correctly, AFAICT. The server-offered cipher suite set is a bit … unusual looking? E.g., no DHE, but ECDHE, but also non-DHE?)


> and it seems like what nmap was able to elicit indicates there is overlap between what's offered by the client and the server.

On your client, maybe the person getting this is just out of date? (Or are you getting the same thing?)


I'm getting the same error from Firefox, no cipher suite overlap.

But I can see in Wireshark FF's ClientHello, and some of the cipher suites in that ClientHello seem to appear in the output that nmap says is the server's available cipher suites. So, I am perplexed.

(And I'm on Arch; my FF can't be too far behind.)
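
The two checks discussed in the comments above, as an added example that is not part of any comment in the thread: label the first bytes a server sends back after the ClientHello (TLS alert versus a plaintext HTTP reply), and intersect the cipher suites in a captured ClientHello with a server's list. The ClientHello, the server suite set and the alert bytes are constructed sample data, and all function names are hypothetical.

```python
import struct

ALERTS = {40: "handshake_failure", 70: "protocol_version", 112: "unrecognized_name"}

def classify_reply(data: bytes) -> str:
    """Label the first bytes a server returns after the ClientHello."""
    if data.startswith(b"HTTP/"):
        return "plaintext HTTP"
    if len(data) >= 7 and data[0] == 21:          # content type 21 = alert
        level = "fatal" if data[5] == 2 else "warning"
        return f"TLS alert: {level} {ALERTS.get(data[6], data[6])}"
    if len(data) >= 6 and data[0] == 22 and data[5] == 2:
        return "TLS ServerHello"
    return "unrecognized"

def client_hello_suites(record: bytes) -> list:
    """Extract cipher suite IDs from a ClientHello carried in one TLS record."""
    if len(record) < 44 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a ClientHello record")
    pos = 5 + 4 + 2 + 32                          # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                        # skip session_id
    (length,) = struct.unpack_from("!H", record, pos)
    ids = struct.unpack_from(f"!{length // 2}H", record, pos + 2)
    # Drop GREASE placeholders (0x0A0A, 0x1A1A, ...) that some clients send.
    return [s for s in ids if not (s & 0x0F0F == 0x0A0A and s >> 8 == s & 0xFF)]

def overlap(record: bytes, server_suites: set) -> list:
    """Client suites, in client preference order, that the server also lists."""
    return [s for s in client_hello_suites(record) if s in server_suites]

def sample_hello(suites) -> bytes:
    """Constructed minimal ClientHello (no extensions) for the demo."""
    body = b"\x03\x03" + bytes(32) + b"\x00"
    body += struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites) + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed sample data, not taken from the thread.
HELLO = sample_hello([0x1A1A, 0x1301, 0xC02B, 0xC02F, 0x009E, 0x009C])
SERVER = {0xC02F, 0x009C}                         # ECDHE-RSA and plain RSA AES128-GCM
ALERT = bytes.fromhex("15030300020228")           # fatal handshake_failure

if __name__ == "__main__":
    print(classify_reply(ALERT))
    print([hex(s) for s in overlap(HELLO, SERVER)])
```

A non-empty overlap does not by itself mean the handshake can succeed: the server must also accept an offered protocol version, hold a certificate whose key type fits the chosen suite, and share a supported group and signature algorithm with the client.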


I believe you can type "thisisunsafe" on the SSL error page in Chrome to bypass any warnings.


Doesn't work for me in Chrome.


I wish the browser would just load the page without cookies whenever that happens (i.e., automatically switch to incognito mode for just that tab whenever security can't be guaranteed).

Also, perhaps disable keyboard entry so you can't type a password in without acknowledging that you probably aren't visiting the site you think you are.


There's probably heightened risk of having an unpatched vulnerability exploited if you keep processing the payload past the point where you suspect a bad actor is on the other end.


Hmmm.. hopefully between the two of them most can read it. The archive works for me.



