Loopy Pro: Create music, your way.
What is Loopy Pro? — Loopy Pro is a powerful, flexible, and intuitive live looper, sampler, clip launcher and DAW for iPhone and iPad. At its core, it allows you to record and layer sounds in real-time to create complex musical arrangements. But it doesn’t stop there—Loopy Pro offers advanced tools to customize your workflow, build dynamic performance setups, and create a seamless connection between instruments, effects, and external gear.
Use it for live looping, sequencing, arranging, mixing, and much more. Whether you're a live performer, a producer, or just experimenting with sound, Loopy Pro helps you take control of your creative process.
Download on the App StoreLoopy Pro is your all-in-one musical toolkit. Try it for free today.
Safari on macOS 13.6, iPadOS 17.03 and probably higher broken for sites with expired certificate
![[Deleted User]](https://secure.gravatar.com/avatar/c65f3204a06d27ec73276b6045ed7d23/?default=https%3A%2F%2Fvanillicon.com%2F91feed79a2b1ce0d17ae51ed4913d76d_200.png&rating=g&size=200)
The user and all related content has been deleted.
Comments
Does Firefox work with these sites on iOS? Unless Apple has changed their policy, all browsers on iOS are forced to use their Safari engine as backend.
Don’t all browsers use the same rendering engine on iOS?
Is it possible there’s a setting that is causing this rather than Safari being broken?
Good lord. You absolutely shouldn't be visiting sites with expired or invalid certificates anyway.
Having worked in the field of IT security for years, I do understand the security concerns related to wrongly configured or missing certificates. However there is a trend to enforce security by imposing more and more restrictions and limitations on people’s devices. One of he worst are Microsoft’s forced updates for Windows. In my opinion this is the wrong way forward for multiple reasons:
I've worked in IT security and privacy too, the idea that normies were ever just bypassing that dialog without understanding it fills me with horror. I honestly had no idea that anyone would think that was sane.
I understand that horror. And I am shocked to see how many people fall even for the dumbest telephone scams. No security blocker can stop them from believing that this is really the "fraud department" of their bank, or they really had that car accident 24h ago.
I think for built-in security features it's probably best is to have the overrides, but don't make them too easy. And those who bypass the security feature will have to carry the full responsibility.
As a side note, I regularly have to use self signed certificates for local https and Safari still works fine with warnings and option to bypass.
This site is great for generic testing of SSL related issues: https://badssl.com/
Same as it ever was, for all types of wrong certificate, on my iPhone, iPad and Mac. Maybe this is why Apple are ignoring @tja because nothing has actually changed?
I'm on the latest OS on everything. I'm still very confused as to why you think none of this is a risk...
Using self signed certificates on a publicly accessible site is red flag number one. There is absolutely no reason to do so, so it's already shady af. Add on to that self signed certificate that isn't even valid and I'm wondering if Apple are just protecting you from yourself. A forum over an insecure connection means every time you submit a form, like, say to log in, that is being transmitted unencrypted and taking over your account is trivial to even a script kiddie in their first week of hacking. Obviously once they've got your email and password they can credential stuff you to oblivion.
If you're not getting the option to proceed even without a valid certificate, then the site is almost certainly using HSTS. HSTS tells the browser that the site must only be accessed over https. None of this is Apple's fault, all of it is the fault of someone failing to use a proper certificate authority and auto renew their certs.
I have already explained what's happening above, you're trying to access something with HSTS enabled. Apple hasn't changed anything, if a cert expires on a site with HSTS you CANNOT connect to it. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
Absolute nonsense to start trying to open a ticket with Apple and to then continue blaming them after learning about HSTS.
Absolutely correct. Self-Signed certificates are every bit as secure from an encryption standpoint as certificates issued from a signing authority. There is not one bit of difference in the actual content or operation of the certificate or the encryption.
It's about trust though. When accessing a site with a self-signed certificate, you have no way of knowing whether the issuer is who they claim to be. With public signing authorities you have at least some (very) small assurance that the entity's identity has been checked.
In general I agree that it should be up to the individual to decide whether to trust a self-signed certificate based on the nature of the site. Who the hell cares if it's a site that you don't even log into? On the other hand, not one in a million people would understand what we're talking about, much less know how to make safe decisions on the matter. Dire warnings and non-obvious ways to defeat protections are probably a good idea IMO, as long as there are some ways around them when needed.
True 100%
I will say though that expired certificates of any kind should be a HUGE red flag. It means that the operator isn't paying attention to security. If someone can't even be bothered to update their certificates then I can pretty much guarantee you they're not capable of or caring about protecting the site security in many more serious ways.
It's so damn easy to place malicious code on poorly maintained sites. No way I'm going to visit a site with a certificate that expired 3,101 days ago!! That's just stupid.
Shady af? No it's not.
Self-signed certificates are perfectly valid certificates. There's nothing shady whatsoever about using them. They do exactly the same job. All a signing authority issued certificate does is provide some level of trust that the identity of the site operator has been verified to some degree. I've obtained and renewed dozens of signing authority issued certificates. I hate to tell you this, but getting around the level of scrutiny they give to identity verification is ridiculously easy.
Absolutely no reason to use a self-signed certificate? What about cost and hassle? Costs have come down and issuers are more easy to work with now, but it's still a cost that for some isn't worth it. Plus they the validity period is usually only a year or two. That gets to be a major hassle, especially if you have several servers to deal with.
If all you're doing is serving up information, dealing with all that is a pain in the ass. And, if your certificate expires, turnaround time to renew it can be a problem. With a self-signed certificate you can regenerate in a matter of minutes if you know what you're doing (or, in my case, can dig up the notes because you forgot how 😂).
But ... expired certificates? That's another matter. That's a symptom of neglect and (probably) poor attention to site security that can result in malware or other malicious use of the server. I'm all in favor of browser messages vigorously warning people off and also as a way of shaming the operator.
I never said a self-signed certificate is less secure, but when it's trivial to get a free certificate from LetsEncrypt that automatically renews without you having to do anything, a self-signed certificate on a public facing website in 2023 is a good indication that the person running the server doesn't know what they're doing, an expired self-signed certificate even more so.
It's not you or your configuration, it's configuration on the site. HSTS sends a header when accessed over https that tells the browser to never connect to that site unless it's over https, this is typically sent with an extremely long TTL of several years. You aren't going to be able to connect to that site without a valid certificate until that TTL has expired. Every major browser respects HSTS, so if that is what's causing your problems, then Firefox is going to do exactly the same thing if you've ever visited the site in Firefox. The last browser I know of that didn't respect HSTS was IE9 I think.
As mentioned above, the cost is zero, the cost of renewal is zero and happens automatically forever more, and the setup is faster than generating your own certificate.
The cost of using self signed certificates in this day and age though is that you forget to reroll it, forget that you had HSTS on, and your users open support tickets with Apple because they don't understand how the internet works.
https://datatracker.ietf.org/doc/html/rfc6797#section-12.1
12.1. No User Recourse
Failing secure connection establishment on any warnings or errors
(per Section 8.4 ("Errors in Secure Transport Establishment")) should
be done with "no user recourse". This means that the user should not
be presented with a dialog giving her the option to proceed. Rather,
it should be treated similarly to a server error where there is
nothing further the user can do with respect to interacting with the
target web application, other than wait and retry.
Essentially, "any warnings or errors" means anything that would cause
the UA implementation to announce to the user that something is not
entirely correct with the connection establishment.
Not doing this, i.e., allowing user recourse such as "clicking
through warning/error dialogs", is a recipe for a man-in-the-middle
attack. If a web application issues an HSTS Policy, then it is
implicitly opting into the "no user recourse" approach, whereby all
certificate errors or warnings cause a connection termination, with
no chance to "fool" users into making the wrong decision and
compromising themselves.
If the words in this don't make any sense to you, just know that some smarter people than you or I designed this spec to protect people from themselves. But also, if that is the case, it's maybe not that wise to go on the internet advising people that there's nothing unsafe about connecting to a site with an expired certificate.
Yes, LetsEncrypt is a good option these days, but hasn't always been there. But that doesn't mean self-signed certificates are "Shady af" or any less secure. OK, you didn't actually say they were less secure but that's what it seemed like you were saying since you seem to be in favor of browser warnings for them.
Here's a list of attacks you leave yourself open to if you bypass the warnings. If you bypass those warnings while using a VPN, you'd better hope it's an extremely trustworthy one (Mullvad is literally the only commercial VPN I trust). If you bypass those warnings without a VPN, then you'd better trust your ISP. I don't trust any ISPs.
I've been a CTO for nearly 30 years, often dealing with extreme privacy / security systems like whistleblowing sites. I know what I'm talking about.
We agree 100% about expired certificates.
What are your specific objections to self-signed certificates?
Yeah, I keep mentioning that it's 2023. LetsEncrypt has been around for 9 years, X501 certificates expire at a maximum of 398 days. If you haven't switched to LetsEncrypt at some point in the last 8 years then I don't trust you.
I'm in favour of them because as evidenced in this thread some people seriously need protecting from themselves. If someone suddenly gets a self-signed certificate when they've clicked on a phishing email link to "their bank", without the warning they're going to lose a critical signifier that they're not on the actual website of their bank. If they get a warning they're going to perhaps stop and check. Christ, this stuff has been internet security basics for years.