NATS and JS issues?

I’ve been having a lot of issues with NATS sites lately.

Anyone else?

What sort of issues?

Mostly SSL Certificate issues and some JavaScript not loading.
For the most part (for me, anyway) it’s confined to NATs-based sites.

I’ve visited a couple of NATs installs today but not seen any issues. Can you give an example of a site and I’ll test it?

I experienced the error at NakedswordCash, BelAmiCash.
However, today the SSL errors seem to be resolved.

I know that due to the massive data leak, pretty much all SSL certificates were getting cycled, so it’s possible it was just bad timing on my part.

SSL fraud is being addressed with the advent of Certification Authority Authorization. By deciding on what certificate authority you’ll use, and then publishing a CAA record, you can significantly reduce the possibility of a fraudulent SSL. If you don’t have this set up yet, talk to your hosting company or sysadmin on your team if you’re unmanaged.

1 Like

To build on what Natalie said, I set up CAA “issue” DNS records that specify which certificate authorities are allowed to issue certs for my domains. When you set those up you also need to have HSTS turned on since, in addition to forged certs, a downgrade to HTTP would accomplish the same objective.

Because I have CAA records set up and HSTS turned on, I now get a steady trickle of people telling me that my site won’t load. What’s actually happening when they tell me that is that their ISP or VPN is trying to force them through a reverse proxy in order to spy on what they’re viewing. To put that in simpler terms, they’re trying to put a “man in the middle” that grabs the content from my server, decrypts it, and then sends it on to the user (encrypted or decrypted). But the user’s browser knows that HTTPS is mandatory thanks to HSTS, and that the cert was issued by an unauthorized authority. So it throws an error saying there was an error connecting. I just wish the errors were more forceful and said things like “It seems someone is trying to intercept communications with [domain.com]. The content we received cannot be trusted and as instructed by [domain.com] it will not be shown to you.”

It should also be mentioned that it’s important that users not use their ISP’s DNS. Since their ISP’s DNS server could strip out CAA records. They should specify another provider who will give them the full DNS results. If their ISP blocks requests to other DNS servers they should use DNS over HTTPS. But, unfortunately, your users’ DNS settings are mostly out of your hands.

1 Like
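For anyone setting up the CAA "issue" records described above, this is the lookup a certificate authority performs before issuing (RFC 8659: climb from the requested name to the first label that has CAA records, then check the issue/issuewild tags). It is an added example, not code from this thread; the zone data, domain names and CA names in it are constructed.

```python
"""RFC 8659 CAA evaluation against a constructed in-memory zone (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) marks a property as "issuer critical"
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # issuer domain name, or ";" meaning "no issuer permitted"


def parse_caa(rdata: str) -> CAA:
    """Parse CAA presentation format, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = rdata.split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed zone: what a resolver would return for each name (assumption, not real DNS).
ZONE = {
    "example.com": [parse_caa('0 issue "letsencrypt.org"'),
                    parse_caa('0 iodef "mailto:security@example.com"')],
    "shop.example.com": [parse_caa('0 issuewild ";"')],   # no wildcard certs at all
    "static.cdn.example.com": [],                          # no CAA here: inherits from parent
}


def relevant_caa(name: str, zone: dict) -> list:
    """Return the Relevant RRset: the closest ancestor-or-self that has CAA records."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def ca_may_issue(name: str, ca: str, zone: dict, wildcard: bool = False) -> bool:
    """Decide whether CA `ca` may issue for `name` (or for the wildcard *.name)."""
    rrset = relevant_caa(name, zone)
    if not rrset:
        return True   # no CAA anywhere in the chain: issuance is unrestricted
    # A critical property the CA does not understand means it must refuse.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True   # e.g. only an iodef record: CAA does not restrict this request
    allowed = {r.value.split(";")[0].strip().lower() for r in applicable}
    return ca.lower() in allowed
```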

No issues here at all. I would contact TMM support.