Last night, I sent notes to site admins and VerticalScope (the new owners) management by every means I could figure out, including directly to VS CEO and CTO. I didn't yet get any responses, but it is fixed this morning, at least for the next 90 days unless the auto-renew script has been installed. Considering that the new certificate is a free Let's Encrypt certificate (the previous expired certificate was a paid commercial one), my guess is that it was Scott rather than the new owners that fixed it. But I am sure the details will emerge shortly.
Thanks for the fix @LexxM3. I have no idea what you've posted above, my computer literacy level is low. I have logged in, no warnings. I believe that it is safe to do so, but a comment from an admin would be appreciated now to confirm.
Edit - @LexxM3 I appreciate your efforts too in contacting all the powers who run the site. I would have no idea what to do otherwise. Thanks for doing this on our collective behalf.
For the record, I wasn't involved in the fix -- I am not an admin and have no connection to GC or VerticalScope except as a GC user/member that gives a shit about our community. I am just reporting on observation of the fix. All I did is try to make some noise so that someone with admin access would notice.
So ... everybody still has to take the chance and click the unsafe box to this site, despite the warnings that it is not safe and your passwords and all could be stolen?
Come on guys. I spent the last 2 days wondering if the site had blown off or what. Could the administrators AT THE VERY LEAST send a reassuring email to all members and tell them that it's now fixed and safe to come back?
Certificates do not make a site safe. They are a way to confirm that the site is what it says it is and they are used to encrypt communications between the site and your computer. The certificate has to be renewed on a fairly regular schedule. Depending on the issuing certificate authority and the type of certificate, this can be as simple as checking a box and paying some money or as difficult as faxing or mailing proof of ownership of the domain and authenticating via online links. The encryption part of the process works whether the certificate is expired or not. The problem is that you have to trust you are actually on the right site because the certificate authority has not verified the site owner since the certificate was last renewed. Certificates expire all the time and are definitely a sign of sloppy maintenance, but it is not a big deal if you are sure you are on the correct site. Encryption still takes place. It is good to heed warnings about this, especially if you don't fully understand how certificates work. In this case it is a very minor issue that is merely annoying. A bigger issue is the length of time for an admin to respond. If there had been a serious compromise, the admins need to be on top of it much quicker.
As an aside, the whole certificate authority system is broken in any case. Certificate authorities have been hacked in the past and false certificates generated. Governments do this all the time. You can buy boxes that act as a proxy and fake certificates to the end user when in reality the box has full access to the unencrypted stream. Again, governments and large corporations do this all the time. Certificates are a reasonable way to ensure communications are encrypted, but until something called DNSSEC is universally in place the whole system of certificates should not be considered 100% safe.
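An added example, not written by anyone in this thread: a small monitoring check for the lapse discussed above, which reads a certificate's validity window and issuer and flags it before it expires. The 30-day renewal threshold, the helper names and the sample certificate are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # assumption: alert when fewer than 30 days remain

def fetch_cert(host, port=443, timeout=5):
    """Return (cert_dict, None), or (None, reason) when validation fails."""
    ctx = ssl.create_default_context()  # verifies chain, hostname and dates
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        # An expired certificate is rejected here, before any data is sent.
        return None, exc.verify_message

def issuer_org(cert):
    """Pull organizationName out of the nested issuer tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def assess(cert, now):
    """Classify a getpeercert()-style dict relative to the time `now`."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now_s = now.timestamp()
    days_left = int((not_after - now_s) // 86400)
    if now_s > not_after:
        state = "expired"
    elif now_s < not_before:
        state = "not-yet-valid"
    elif days_left < RENEW_BEFORE_DAYS:
        state = "renew-now"
    else:
        state = "ok"
    return {"state": state, "days_left": days_left, "issuer": issuer_org(cert)}

# Constructed sample: a 90-day certificate in the format getpeercert() returns.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "Example Issuing CA"),)),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "May 30 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    print(assess(SAMPLE_CERT, datetime.now(timezone.utc)))
```

Run on a schedule against the live host with `fetch_cert`, this surfaces a missed auto-renewal while the certificate is still valid rather than after visitors start seeing browser warnings.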