#294 web signup form won't display J/S captcha b/c bad SSL cert

closed-fixed
None
5
2014-08-21
2011-06-26
R P Herrold
No

The BRL-CAD web signup form won't display a JavaScript based captcha because of a bad SSL certificate under current Firefox

Sign up form is at: http://brlcad.org/d/user/register

Under Firefox on CentOS 5, updated to current, the captcha needed to sign up for the project is not displayed, because the SSL certificate used in the JavaScript redirect into Google's captcha is not known to the trusted CA issuer cache of Firefox.

The HTML to generate captcha is to be obtained and rendered via JavaScript, but Firefox will not load such background JavaScript content, because of the XSS class of exploits found in the wild, presently ... when the certificate is bad, this current version of Firefox properly declines to participate in a potential forgery

As such, I cannot see, and thus answer this gateway question

Firefox details: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rev:1.9.2.18) Gecko/20110622 CentOS/3.6-1.el5.centos Firefox/3.6.18

This is disabling in that it blocks the signup process

screenshot attached

In coming to the defective page, I followed the following click path
http://brlcad.org/ then click Log In / Create Account in the upper right
http://brlcad.org/d/user/login?destination=node then select LEFT Create Account folder tab
http://brlcad.org/d/user/register ... which lacks a valid SSL certificate Captcha ...

Such 'official' SSL certificates are ** free ** from Certificate Authority registrar entities such as StartSSL (and are recognised by the Mozilla Foundation as trusted under their formal review and CA inclusion process, and so flow into Firefox and other browsers), so there is really no reason for this problem to exist

-- Russ Herrold

Discussion

  • Sean Morrison

    Sean Morrison - 2011-06-28

    Thanks for the report and bringing the problem to our attention. The reCAPTCHA module used by our website authenticates through a 3rd party CA website (hosted by Google). They changed their SSL certificate to reflect a DNS change on their end, which is what was causing the certificate warnings. We just had to point to their new domain name and the problem is fixed. Thanks again.

     
  • Sean Morrison

    Sean Morrison - 2011-06-28
    • milestone: --> serious bug / no workaround
    • assigned_to: nobody --> brlcad
    • status: open --> closed-fixed
     
