Some kind of security error won't let me log in

This topic is locked from further discussion.

#1 Edited by PfizersaurusRex (1007 posts) -

An error occurred during a connection to auth.gamespot.com. Peer's Certificate has been revoked. (Error code: sec_error_revoked_certificate)

This is what I get when I wanna log in to Gamespot using Firefox. I need to uncheck "Use the online certificate status protocol to confirm validity of certificates" and then I can log in (and out). I don't know what it is, but I reckon it's there for a reason and I won't leave it unchecked all the time.

Any chance this can be fixed?

#2 Posted by Born_Lucky (1730 posts) -

Same here.

I had to disable Firefox's security to login.

Firefox 29.0.1

#3 Edited by Peter_Eater (3711 posts) -

Same here.

Both on Firefox Nightly (x64) and IE 11

This happened (at least for me) since Gamespot was down a couple of days ago.

And what's worse, no Gamespot comment about this certificate issue!

#4 Posted by ank000 (53 posts) -

I am also experiencing the same certificate error on my Firefox. Had to disable the certificate check to login. Do something about it please.

#5 Edited by PumpkinBoogie (3373 posts) -

@ank000 said:

I am also experiencing the same certificate error on my Firefox. Had to disable the certificate check to login. Do something about it please.

Well thanks for that tip about disabling (at least it allowed me to log in), though it's not the best thing to have to keep doing... seriously GS, fix this properly, please.

#6 Edited by RobotOpBuddy (65468 posts) -

I'll make sure the devs are aware of this, including the apparent cause. It'll most likely be a high-priority fix due to being security related, so hopefully it won't be long before the issue is resolved. Chrome users should still be able to access the page regardless of the certificate issue as well, providing they haven't manually enabled normal certificate revocation checks in Chrome and are still using the default CRLSets anyway. IE users may or may not be able to, depending on browser version and settings.

Edit: As mentioned below, Google has since added the revocation into their own CRLSets listings so it'll be blocked by default in Chrome as well now. IE should be throwing up the warning in practically every case as well - the vast majority of users here are unlikely to be using an old enough version for this not to be the case, nor would many users disable the checking in the settings themselves.

#7 Edited by PumpkinBoogie (3373 posts) -

@robotopbuddy said:

I'll make sure the devs are aware of this, including the apparent cause. It'll most likely be a high-priority fix due to being security related, so hopefully it won't be long before the issue is resolved. Chrome users should still be able to access the page regardless of the certificate issue as well, providing they haven't manually enabled normal certificate revocation checks in Chrome and are still using the default CRLSets anyway. IE users may or may not be able to, depending on browser version and settings.

No, this issue pops up like that on all browsers I've tried: Nightly/FF, Chrome, and IE.

#8 Posted by Peter_Eater (3711 posts) -

Here's the workaround for Firefox, for those that can't find the setting (I imagine it's pretty difficult to find for non-tech-savvy people):

Go to: Options > Advanced > Certificates > Validation > Untick the "Use the Online Certificate Status Protocol (OCSP) to confirm the current validity of certificates" box > click OK

After you login, you can re-enable this option. Follow the same steps, just tick the OCSP box again. You will stay logged in to Gamespot.

#9 Edited by RobotOpBuddy (65468 posts) -
@PumpkinBoogie said:

No, this issue pops up like that on all browsers I've tried: Nightly/FF, Chrome, and IE.

The issue is server side regardless, but it would indeed appear that Google have now added this to their own CRLSets method so it will block the page regardless of settings now - it didn't half an hour ago, so this is a very recent change. FF and IE use the standard OCSP checking method by default (with the exception of outdated versions of IE where it has to be enabled manually) and will have popped it up prior to then (ignoring OCSP/CRL soft fails with no warnings, anyway). Opera and many other browsers should also trigger the warning too, only browsers not using a standard OCSP check will fail to recognise the revocation - this is mainly an issue with mobile browsers (android/iOS) in reality, but applies to a select few desktop ones as well.

Edit: For users that are logged in and want to check if they're affected by this (or more accurately, their browsers block them from viewing the page due to this; and most users will be), the easiest way is to use this page accessible via settings and using the change emails/password link. If that page causes the error then so will the login page, as this issue affects all GS https pages. Simple workarounds exist for some browsers such as FF as mentioned above, but not all browsers on all devices have simple workarounds, whereas others don't warn about it at all. As a result you may be unable to login using certain browsers until this is fixed if you get logged out.

UPDATE: The dev team are working on it and have been for a while, no ETA on a fix at this point in time however. It'll likely be fixed shortly after an ETA can be realistically provided too.

#10 Edited by TheHollowOnes (34 posts) -

@Peter_Eater: Thank you for that. This problem is a fairly big one, hopefully somebody's ass (or several) at the office gets chewed out over this so this doesn't happen again (if in fact, this was due to some kind of negligence). Not checking security certificates is a major security risk on our (the users') part and we have to re-enable the certificate each time if we exit to maintain a certain level of security. I hope they're figuring this out in a timely fashion.

#11 Posted by suz437 (1025 posts) -

I did this, just upgraded to newest FF.

In a pinch you can disable OCSP:

in a FF3 browser location bar type "about:config"

in the filter box, type "security"

double-click the entry "security.OCSP.enabled" and change the 1 to a 0

Works great now!

#12 Edited by BattleSpectre (7989 posts) -

Same on Internet Explorer 11. I had to uncheck those security boxes too, for Gamespot to allow me to log in. Are there any negatives to leaving them unchecked?

#13 Edited by Deathstalker83 (112 posts) -

I keep getting that error when I try to login using Firefox.

Edit: @suz437 Did what you suggested... Works fine now... I can login with no errors now! THANKS!

#14 Edited by RobotOpBuddy (65468 posts) -

@BattleSpectre: Yes, they're security procedures that are there for a reason, primarily for the sake of ensuring that secure (socket layer) connections are to the places that they say they are. This is especially important for things like online banking, but also for any other credential entries such as usernames and passwords. In this particular case it should be fine: the issue (re-)appeared due to intermediate certificate(s) being missing from the chain after they moved over to new load balancers, and all you're doing by disabling the check is ignoring the revocation notice for the cert and entering the site anyway. For sites you're certain you can trust (including their security) that's fine, but the OCSP checks should definitely be re-enabled afterwards, especially if you're sending any particularly sensitive information like card details.

That said, the OCSP/CRL checks can soft-fail and not warn you in the vast majority of browsers as well, allowing the checks to not actually occur at times and letting you visit sites with potentially invalid certificates. The primary exception to this is sites that use EV (Extended Validation): if the OCSP server check fails in such cases it's normally assumed that the cert is invalid and access is prevented; as such most online banking sites and other monetary transaction sites such as stores will use EV certs whenever card details need to be added, to ensure they are actually secure. Google's CRLSets method also gives EV certs particular notice because of this, though I'd still advise enabling normal OCSP checks in Chrome if you want to be extra safe. CRLSets relies on Google's crawlers to update and as such has additional delays that more standard methods don't have.

Long story short: it'd be best to disable said revocation check only temporarily while logging in and then re-enable it afterwards, as outside of the few https pages on GS the check being enabled won't cause any issues with the site anyway, and it's a security risk whenever sensitive data has to be sent over the internet.

You can also simply keep the *.gamespot.com cookies to avoid being logged out for a while. You may wish to change your password after this is fully resolved as a just-in-case security precaution too.

#15 Edited by BattleSpectre (7989 posts) -

@robotopbuddy: Damn, now you have me worried. Thanks a lot for all that information and explaining it to me, but I've left the boxes unchecked for a few days now and have signed into other programs/sites etc. I haven't bought anything online though (thank god). Let's hope I'm safe. By the time you read this I'll have the boxes checked again just to be on the safe side. I just hope nothing of mine has been affected these past few days though.

#16 Edited by RobotOpBuddy (65468 posts) -

@BattleSpectre: Well, if you've only been using familiar sites chances are their certs are as they were before - all the check does is see if it's been revoked by the cert authority or not (and quite a lot were when heartbleed hit, though most legitimate sites will have since had their certs sorted out and re-validated if necessary), so if it wasn't revoked before this started and isn't revoked now, chances are it never was and you are perfectly safe anyway. It's only really if you've entered sensitive data on an unfamiliar site, or another site you've used has since had their certificate revoked for some reason that there's really anything to worry about.

You should be extra careful of phishing sites using valid but revoked certificates with it disabled however - as the check being disabled will essentially hide the fact that the cert was revoked, though revocation is flawed in many ways due to the various browser implementations of it as is (for instance, FF only checks OCSP, and ignores CRLs entirely despite a (very) small % of certs only being revocable via CRL) so it's not the most reliable of the many security features a typical browser and computer will run and is as such much less of an issue than say disabling your firewall would be.

Overall, if you use common sense to avoid things like phishing sites though you should be fine - even more so as most modern firewalls and antivirus programs with web-protection will block many webpages already. The most crucial time you should make sure it's on is when entering card or other financial details on a site using an extended validation cert - the browser will automatically trust these if a test isn't even attempted, while default behaviour with it enabled is to deny unless the cert can be confirmed as not being revoked and valid, and you don't want to be taking any chances with financial information.

#17 Posted by BattleSpectre (7989 posts) -

@robotopbuddy said:

@BattleSpectre: Well, if you've only been using familiar sites chances are their certs are as they were before - all the check does is see if it's been revoked by the cert authority or not (and quite a lot were when heartbleed hit, though most legitimate sites will have since had their certs sorted out and re-validated if necessary), so if it wasn't revoked before this started and isn't revoked now, chances are it never was and you are perfectly safe anyway. It's only really if you've entered sensitive data on an unfamiliar site, or another site you've used has since had their certificate revoked for some reason that there's really anything to worry about.

You should be extra careful of phishing sites using valid but revoked certificates with it disabled however - as the check being disabled will essentially hide the fact that the cert was revoked, though revocation is flawed in many ways due to the various browser implementations of it as is (for instance, FF only checks OCSP, and ignores CRLs entirely despite a (very) small % of certs only being revocable via CRL) so it's not the most reliable of the many security features a typical browser and computer will run and is as such much less of an issue than say disabling your firewall would be.

Overall, if you use common sense to avoid things like phishing sites though you should be fine - even more so as most modern firewalls and antivirus programs with web-protection will block many webpages already. The most crucial time you should make sure it's on is when entering card or other financial details on a site using an extended validation cert - the browser will automatically trust these if a test isn't even attempted, while default behaviour with it enabled is to deny unless the cert can be confirmed as not being revoked and valid, and you don't want to be taking any chances with financial information.

So when are you joining the Gamespot staff to start teaching them a thing or two? Haha thanks again, appreciate it.

#18 Posted by RobotOpBuddy (65468 posts) -

@BattleSpectre: I'm pretty sure they know what they're doing tbh, probably more so than I do at that (especially considering the limited vision I have due to being an external user of the site), but mistakes happen (I've had to correct myself/been corrected on a number of occasions too, so it's not like I'm never making any either) and they have a pretty tiny dev team considering the site size and how many bugs and other issues they have to deal with. With everything in mind they're doing a fairly good job in general, they just have an awful lot of work to do so it's unrealistic for them to get everything done in the sort of ideal timeframes most site users seem to desire, let alone flawlessly.

#19 Edited by BattleSpectre (7989 posts) -

@robotopbuddy said:

@BattleSpectre: I'm pretty sure they know what they're doing tbh, probably more so than I do at that (especially considering the limited vision I have due to being an external user of the site), but mistakes happen (I've had to correct myself/been corrected on a number of occasions too, so it's not like I'm never making any either) and they have a pretty tiny dev team considering the site size and how many bugs and other issues they have to deal with. With everything in mind they're doing a fairly good job in general, they just have an awful lot of work to do so it's unrealistic for them to get everything done in the sort of ideal timeframes most site users seem to desire, let alone flawlessly.

I know bro, I was only taking the piss. I'll never leave Gamespot, I could never see myself going to another site.