
  • According to Qualys SSL Labs testing, secure.jotform.co is vulnerable. When will this be fixed?

    Asked by UnLitho on December 12, 2014 at 07:02 PM

    It appears that there are some vulnerabilities in the SSL certificate protecting secure.jotform.co. Perhaps this can be looked into and an estimated fix time be posted?

    https://www.ssllabs.com/ssltest/analyze.html?d=secure.jotform.co&hideResults=on

    Screenshot of the results: http://i.imgur.com/XD8jRtb.jpg

    Primary vulnerabilities:

    - Server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and is exploitable (since June!)

    - Server uses SHA1 when it should be using more secure SHA2 (at least SHA256 recommended). Google Chrome will be warning users of sites protected with SHA1 certificates that the site they're visiting is unsafe starting sometime soon, maybe as late as early next year.

  • JotForm Support

    Answered by jonathan on December 12, 2014 at 08:53 PM

    Hi,

    Thank you for this information. 

    I was also able to see the same issue on my browser when browsing on https://www.jotform.com.

    I will forward this thread to our back-end team support so that they can properly check the problem.

    We will inform you here for any update on the status.

    Thanks.

  • Chief Technology Officer

    Answered by eee on December 18, 2014 at 04:00 AM

    @UnLitho,

    Problem has been fixed:

    https://www.ssllabs.com/ssltest/analyze.html?d=secure.jotform.co

    Kindest Regards,

    - Ertugrul.

  • Answered by UnLitho on December 18, 2014 at 03:27 PM

    @eee,

    Thanks for the quick resolution to that! Good to see things looking more secure. Do you know if when the certificate expires in 2 months, it is going to be renewed with at least SHA2withRSA? Chrome will soon be showing SHA1 certificate-protected sites as potentially insecure.

    Cheers.

  • JotForm Support

    Answered by Welvin on December 18, 2014 at 04:21 PM

    I honestly don't know if our higher ups would consider upgrading to SHA2, but I have forwarded this thread to EEE. I'm sure they will if that will affect our system.

    Thank you!

  • Answered by UnLitho on December 18, 2014 at 07:01 PM

    The following is conveniently copied for its examples from here.

    As of late 2014, SHA1 certificates and their SHA1 trust chain (not including the Root CA) will be considered insecure by Google Chrome.

    A three step process will increase the severity of the warning:

    1. Initially SHA1 certificates that expire on/after 2017/1/1, and which contain SHA-1-based signatures in the validated chain, will be shown the “Secure, but minor errors” icon. This is a lock with a yellow triangle.

    2. Severity will increase thereafter, where:
       - SHA1 certificates that expire between 2016/6/1 and 2016/12/31, inclusively, and which contain SHA-1-based signatures in the validated chain, will be shown the “Secure, but minor errors” icon. This is a lock with a yellow triangle.
       - SHA1 certificates that expire on/after 2017/1/1, and which contain SHA-1-based signatures in the validated chain, will be shown the “Neutral, no security” icon. This is the blank page icon, as shown by HTTP URLs.

    3. Finally Chrome will render websites with SHA1 certificates that expire on/after 2017/1/1 and which contain SHA-1-based signatures in the validated chain, with the “Affirmatively insecure, major errors” icon. The “Affirmatively insecure, major errors” icon is a lock with a red X.

    To resolve this issue SHA2 certificates must be installed.

    ------

    Considering your certificate expires in the next few months, it might be convenient to go ahead and have them renew at SHA2 and get that done and over with.
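The Chrome schedule quoted above, worked as an added example (not code from this thread or from JotForm): a small Python classifier that walks a certificate chain, applies the three rollout phases and the root-CA exclusion, and runs over constructed chains for secure.jotform.co. The CA names and expiry dates are assumptions; the current leaf's February 2015 expiry mirrors the "expires in 2 months" remark in the thread.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Cert:
    """Only the fields Chrome's SHA-1 sunset policy looks at (a constructed view, not a parser)."""
    subject: str
    sig_alg: str            # e.g. "sha1WithRSAEncryption" or "sha256WithRSAEncryption"
    not_after: date         # expiry date
    is_root: bool = False   # trust anchor: its self-signature is not evaluated

def chain_has_sha1(chain):
    """True if any SHA-1-based signature appears in the validated chain, root CA excluded."""
    return any(c.sig_alg.lower().startswith("sha1") for c in chain if not c.is_root)

# The three rollout phases from the post, as (expiry window [start, end), indicator) rules.
# Phase 3 only spells out the 2017+ change, so the 2016 window is carried over from phase 2.
PHASES = {
    1: [((date(2017, 1, 1), None), "minor_errors")],
    2: [((date(2016, 6, 1), date(2017, 1, 1)), "minor_errors"), ((date(2017, 1, 1), None), "neutral")],
    3: [((date(2016, 6, 1), date(2017, 1, 1)), "minor_errors"), ((date(2017, 1, 1), None), "insecure")],
}

def chrome_indicator(chain, phase):
    """Indicator Chrome shows for this chain in a given phase: 'secure', 'minor_errors',
    'neutral' or 'insecure'. The leaf's expiry picks the window; SHA-1 is checked chain-wide."""
    if not chain_has_sha1(chain):
        return "secure"
    leaf = chain[0]
    for (start, end), indicator in PHASES[phase]:
        if leaf.not_after >= start and (end is None or leaf.not_after < end):
            return indicator
    return "secure"  # SHA-1 chain expiring before 2016-06-01 draws no warning in any phase

def schedule(chain):
    """Indicator per phase, e.g. {1: 'minor_errors', 2: 'neutral', 3: 'insecure'}."""
    return {phase: chrome_indicator(chain, phase) for phase in PHASES}

# Constructed sample chains (not real certificates). The leaf mirrors the thread's situation:
# a SHA-1 cert on secure.jotform.co expiring in about two months, and two possible renewals.
ROOT = Cert("Example Root CA", "sha1WithRSAEncryption", date(2030, 1, 1), is_root=True)
ISSUER_SHA2 = Cert("Example Issuing CA", "sha256WithRSAEncryption", date(2025, 1, 1))
ISSUER_SHA1 = Cert("Example Issuing CA (SHA-1)", "sha1WithRSAEncryption", date(2025, 1, 1))
CURRENT = [Cert("secure.jotform.co", "sha1WithRSAEncryption", date(2015, 2, 15)), ISSUER_SHA2, ROOT]
RENEWED_SHA1 = [Cert("secure.jotform.co", "sha1WithRSAEncryption", date(2018, 2, 15)), ISSUER_SHA2, ROOT]
RENEWED_SHA2 = [Cert("secure.jotform.co", "sha256WithRSAEncryption", date(2018, 2, 15)), ISSUER_SHA2, ROOT]
MIXED = [RENEWED_SHA2[0], ISSUER_SHA1, ROOT]  # SHA-2 leaf behind a SHA-1 issuer: still flagged
```

Running `schedule(RENEWED_SHA1)` gives `{1: 'minor_errors', 2: 'neutral', 3: 'insecure'}`, while `schedule(CURRENT)` stays `secure` in every phase only because that certificate expires before the 2016 window, which is why renewing directly to SHA-2 is the cleaner path.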

  • JotForm Support

    Answered by jonathan on December 18, 2014 at 07:10 PM

    Hi,

    Thank you for providing more details.

    I have instead created a separate topic for the new suggestion here: http://www.jotform.com/answers/478725

    We will attend to it as soon as we can.

    Thanks.