Website: Walter Gregg

Test W3C MobileOK Certificate Warnings

The W3C MobileOK checker erroneously(?) reports that two or more of the following websites have invalid HTTPS certificates. Oddly, it does not always give the report for all of them:

  1. maps.googleapis.com/... (North Tongass Static map)
  2. pinboard.in/u:WaltMG (me).
  3. pinboard.in/.
  4. plus.google.com/118256489866743207286 (me)
  5. plus.google.com/+starbucks
  6. www.google.com/maps... (Tongass Forest Interactive map)

[Dec. 2016. The old mobileOK checker has been taken offline. A link to run a live test on this page has therefore been removed.]

Thoughts

They are wildcard certificates. I read that now ancient mobile devices didn't accept these. But surely they should be accepted now that you can't even use Google without running into them.

Security aware websites have been shutting off old, vulnerable parts of HTTPS. It occurs to me to wonder if the mobileOK checker is assuming old mobile browsers require those old, insecure bits. But surely it would be better to shut off the HTTPS check than to effectively insist on deprecated insecure protcols.

Perhaps the W3C checker actually is being fed invalid certificates that I am not seeing here. A man in the middle attack? Surely not. A different response for the checker header? I don't think so. I tried changing my browser to use the checker agent and that made no difference. Everything still works here.

Here ends the test document for today.


Test W3C MobileOK Certificate Warnings (Oct. 2015) (available at ). © W. Gregg 2015; CreativeCommons.org /licenses /by-nc-nd /4.0.

 No Privacy