Proxomitron certificate expired :( where can i get a new one?

i just had a popup saying the proxomitron certificate has expired, today i think, does it really matter? i'll have a look for a new one in a while and post the url. or if anyone knows a good certificate can you post the link? thanks.

 

Hi ice,

Grypen's latest SSLPack includes new certs (valid for another year): Index of /~grypen/Downloads.

Nick

 

great, thanks Nick i'll go and get it now. i hope you are well

 

Also

http://www.geocities.com/sidki3003/prox-ssl.html

includes

 

if anyone's interested in verifying the certificate download you can do it like this if you have GPG installed -

download SSLPack-Grypen20061121.exe and SSLPack-Grypen20061121.exe.sig

then open a command prompt and go to the folder where you downloaded the above, then do these commands (you have to use the cd command to get the folder where you downloaded the files) it should be something like this -
cd c:\windows\path\to\downloads

gpg SSLPack-Grypen20061121.exe.sig this gives you the key ID - 53F79CF2

gpg --keyserver subkeys.pgp.net --recv 53F79CF2 this imports the key

gpg --verify SSLPack-Grypen20061121.exe.sig SSLPack-Grypen20061121.exe this verifies the *.exe

gpg --fingerprint 53F79CF2 this shows the key is from who it says it's from.

that's how i've always done it and i think it's the correct way

i took a picture, it looks good, i don't know who Paul Lemming is though

 

thanks cerberus, i might try it out in a VM.

 

how do you verify something with GPG and a *.sig?

hi, can someone tell me if i did all the steps correctly when i verified my proxomitron SSL certificates in this post here -
https://www.wilderssecurity.com/showthread.php?p=891575#post891575

i think it works the same way in windows. thanks.

 

Re: how do you verify something with GPG and a *.sig?

The URL doesn't exist. Anyway, it's gpg --verify signature.sig

 

Re: how do you verify something with GPG and a *.sig?

Paul "Grypen" Leeming
http://www.users.on.net/~grypen/

 

Re: how do you verify something with GPG and a *.sig?

which url this one -
https://www.wilderssecurity.com/showthread.php?p=891575#post891575

anyway, i tried to delete that post and start a new thread about it, mustn't of happened lol. i'm abit confused atm, i'll have to close some windows and programs i have too many things going on, i'm not sure what's happening lol i thought i was in a different thread

 

Re: how do you verify something with GPG and a *.sig?

To help with your confusion....the PM sent ~ 30 minutes ago made mention of the thread you started was merged into this ongoing thread.

 

Opera has detected problems with server's certificate:
The server name does not match the certificate name.
Sending sensitive infomation through this connection is not safe!

Firefox doesn't like the new files either.

 

The MD5 signature of the certificate is different than the original. Since Grypen issued it, he also signed it, which changed the MD5 signature. You just need to tell your browser to accept it. If you use the "roll your own ProxCert" you can use any name you want with it, but your browser will alert on the name change and resulting signature change. There's nothing wrong with the certificate itself.
With Sea Monkey, the alert looks like this. Firefox will be quite similar.
http://i138.photobucket.com/albums/q277/herbalist-rick/prcert2.gif
Clicking on "Examine Certificate" brings you to this screen.
http://i138.photobucket.com/albums/q277/herbalist-rick/Prcert1.gif
By selecting "Accept this certificate permanently" Your browser will accept it as valid. It could still alert you when it expects one from a different site but gets this one from Proxomitron. That's not a problem as Proxomitron also checks certificates from websites.
With IE6, you'll see this screen with a new proxcert.pem file.
http://i138.photobucket.com/albums/q277/herbalist-rick/PRIE2.gif
Clicking on "View Certificate" will bring you to this screen, from which you can install the certificate.
Opera should have some kind of similar procedure.
http://i138.photobucket.com/albums/q277/herbalist-rick/prIE1.gif
Once you install the new certificate, your browser will stop promting about it. This is just something Proxomitron users need to do once a year. I suggest picking up the "roll your own" script, in case a time comes when a replacement isn't available online or if you just want to use/install a certificate signed by you.
Rick

 

Both browsers will install it, however in the end, the https:// webpage is not encrypted. The browser message states that "www.abcdefg.com and the Proxomitron certificates do not match. This could be a security risk." Both browsers refuse to encrypt the webpage.

Edit:
I just used proxcert-MakeCert.bat Same thing.

 

Does the message you get look something like this?
http://i138.photobucket.com/albums/q277/herbalist-rick/mismatch.gif
When running thru Proxomitron, your browser doesn't get the sites certificate. It gets Proxomitrons, which will not match the one from the site. Proxomitron also checks the sites certificate. If the sites certificate is invalid, Proxomitron will alert you directly, not thru your browser.
I just test installed Grypens SSL pack,then went to an encrypted page. Although I did get the above alert, the page is still encrypted. Works fine on both IE6 and Sea Monkey.

 

You can test your browser SSL encryption here.

 

Yes, that is the exact dialog box I receive. In the address window, the lock icon remains unlocked indicating a non-encrypted webpage.

 

Yes, it shows AES cipher, 256-bit key with Proxomitron.
However, going there without Proxomitron directly through Opera, the browser indicates that the encryption at the site is weak and only gives the connection a 1 out of 3 in terms of encryption strength.

 

When you bypass Proxo, what strength key does that site show for encryption being used? Both of my browsers show a lock on that site and most other https sites. What did FireFox show? I have no idea about how Opera rates site encryption or what figures into their rating. Someone more familiar with Opera will have to address that one.
Rick

 

With Proxo, Firefox 2.0 shows AES cipher, 256-bit key However the lock is unlocked and double-clicking on the lock states: Connection Partially Encrypted. "Parts of the page you are viewing were not encrypted before being transmitted over the Internet."

Without Proxo, Firefox 2.0 shows AES cipher, 256-bit key. The lock icon is locked indicating High-Grade Encryption.

Using Proxo with Firefox on other https websites always shows the lock icon unlocked.

 

Open Proxo, then click "config", then the "HTTP" tab. Is the box "Use SSLeay/Open SSL..." checked? Did you shut Proxomitron down before you installed Grypens SSL pack? Are you using any type of proxy switching software or extension or using a proxy service?
How do you have your browsers and systems proxy settings configured? The interface for Firefox should be very much like this one.
http://i138.photobucket.com/albums/q277/herbalist-rick/Mozillaproxy.gif
These are the default settings for use with Proxomitron. The setup for windows/internet explorer are much the same.
From Win98:
http://i138.photobucket.com/albums/q277/herbalist-rick/sysproxy.gif
Rick

 

All configurations ok.

 

Do you have separate firewall rules for http and https traffic for your browser or Proxomitron? The rules will have to allow Proxomitron to connect out with ports 80 and 443.
I'm running out of ideas as I can't duplicate your results no matter what I try. Best I can tell, all the content on that test site is encrypted.
Rick

 

No special firewall rules. Thanks anyway.

 

Why are you guys using SSL for Proxo? Scott was leary of it and warned not to use it and I have never used it and will never. So, I don't have to worry about Proxo certs. I would be afraid to not bypass Proxo when banking. I trust Fx to handle the SSL certs properly. I do not trust Proxo. I use Sidki's filters and they are great...but not for SSL....just my opinion.