× NETGEAR will be terminating ReadyCLOUD service by July 1st, 2023. For more details click here.
Orbi WiFi 7 RBE973
Reply

Re: HTTPS, ReadyNAS Duo V2 and Chrome

brinzlee
Aspirant

HTTPS, ReadyNAS Duo V2 and Chrome

I have been using my Duo V2 with chrome without any problems for sometime... I followed the examples about importing a certificate and all has been well for years.
I have no problem with IE 11 but the latest version of Chrome 42.0.2311.90 m now displays a broken line through the https when I access my Duo on the local network. I have tried importing the certificate but have had no luck. Is anyone else experiencing this.
When I click on the crossed padlock it tells me the identity cant be verified and that future versions of chrome will prevent me accessing it.......WTF
Message 1 of 14
RX
Luminary
Luminary

Re: HTTPS, ReadyNAS Duo V2 and Chrome

Have you tried using other PCs/laptops to isolate the problem?
Message 2 of 14
StephenB
Guru

Re: HTTPS, ReadyNAS Duo V2 and Chrome

Can you cut/paste the exact text you are seeing in the browser?
Message 3 of 14
brinzlee
Aspirant

Re: HTTPS, ReadyNAS Duo V2 and Chrome

I can't cut and paste it won't let me in chrome.....I updated the browser on another computer too and am getting the same warning only using Chrome not IE 11

192.168.1.4 identity not verified
It says the identity of the website has been verified by 192.168.1.4 but does not have public audit records
The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it
Your connection to 192.168.1.4 is encrypted with obsolete crytography
The connection uses tls 1.0
Message 4 of 14
StephenB
Guru

Re: HTTPS, ReadyNAS Duo V2 and Chrome

5.3.12 beta should fix the outdated security settings warning. You can find that here: viewtopic.php?f=148&t=72267. The public audit record warning might also disappear (not sure). A self-signed cert won't have public audit records.

Note that there is also a 4.1.x firmware beta for duo v1 (I mention this because many v1 owners mistakenly think they have a v2).
Message 5 of 14
brinzlee
Aspirant

Re: HTTPS, ReadyNAS Duo V2 and Chrome

I'm already using 5.3.11 it's not a beta though....I have a v2 and a v1. I haven't tried the v1 yet.
I've just followed your suggested link and now assume that it's 5.3.12 beta.
I've always had problems with betas not being stable, any idea when it might be a general release.
Thanks for your help StephenB
Message 6 of 14
brinzlee
Aspirant

Re: HTTPS, ReadyNAS Duo V2 and Chrome

Ok I have bitten the bullet and updated both Duo's the V1 and the V2 with RAIDiator 4.1.15-T3 and RAIDiator 5.3.12-T3 respectively and the warnings are still exactly the same in Chrome.
Message 7 of 14
StephenB
Guru

Re: HTTPS, ReadyNAS Duo V2 and Chrome

I've never added the certs to the root store, so I always click through the warnings (which are not what you are seeing). From the wording of your error, I thought it was about PHREAK, but apparently not.

It is possibly about the use of SHA-1 in the self-signed cert - https://www.globalsign.com/en/blog/goog ... tificates/

Are other people seeing this?
Message 8 of 14
brinzlee
Aspirant

Re: HTTPS, ReadyNAS Duo V2 and Chrome

I have now narrowed this down to the latest build of chrome......I found another PC with an older version and this isn't flagging any errors......
So I guess Google have altered something or there is a bug in the latest version.
Message 9 of 14
StephenB
Guru

Re: HTTPS, ReadyNAS Duo V2 and Chrome

Message 10 of 14
brinzlee
Aspirant

Re: HTTPS, ReadyNAS Duo V2 and Chrome

http://googleonlinesecurity.blogspot.co ... sha-1.html

So how do we get around this....it looks like that's the future position of the Chrome browser
Message 11 of 14
StephenB
Guru

Re: HTTPS, ReadyNAS Duo V2 and Chrome

Well, there is general agreement that sha1 needs to be deprecated for PKI certficates. However, they aren't used in self-signed or root certificates in the same way.

There are four basic ways it could play out:
-Google changes the behavior of Chrome with self-signed certs
-Netgear decides to generate self-signed certs with sha256
-you uninstall the cert, and revert to the warning I am seeing.
-People stop using Chrome with the NAS (using IE or Firefox instead).
Message 12 of 14
brinzlee
Aspirant

Re: HTTPS, ReadyNAS Duo V2 and Chrome

If its an outdated certificate....surely it would be in Netgears interest to stop the units being hacked
Does this problem still exist with the new breed of NAS with iOS 6.
Is it a case of going on bended knee and asking Netgear to consider upgrading to sha256
Message 13 of 14
StephenB
Guru

Re: HTTPS, ReadyNAS Duo V2 and Chrome

To be very clear -
(a) The SHA256 change is certainly needed for PKI certs. Those certificates are verified with the certificate authority using the sha signature. SHA1 will not be strong enough for that relatively soon (due to dropping costs of cloud computing).
(b) But self-signed certificates (like all root certificates) aren't verified with the sha signature at all. Instead they are simply installed.

So changing the self-signed cert to SHA256 doesn't improve the security (e.g., make the units "more hackable").

Google is (for unknown reasons) choosing to needlessly apply the sha256 check with a self-signed cert. Going to sha256 in the NAS avoids the error message from Chrome, but that is all it does.
Message 14 of 14
Top Contributors
Discussion stats
  • 13 replies
  • 3709 views
  • 0 kudos
  • 3 in conversation
Announcements