@Background Pony #15DF

Minecraft miiiight not be the best example since you have to be completely mental to monotonously mine out diamonds and shit, and the developers added in fire spreading and TNT which really have no use other than griefing, and in the spirit of vidya in general they set you up with a barely unwinnable scenario to hook you like some schmuck on the slot machines, always one creeper away from losing hours of hard work, work which you know, on some level, is completely imaginary and completely dependent on the company's whim.

So there's a lot of psychology in place to make players want to just burn it all down.

@Background Pony #08A5

Honestly I feel like debt is a bigger factor than laziness. Financial debt and y'know debt to society like when you get people killed and get away with it. People get in debt, they get desperate, and they get organizations like the NSA greenlit to try to keep their past from catching up to them. The assholes using that desperation to make themselves untouchable are more a symptom than a cause of the problem.

@Background Pony #15DF
Man, you're completely right. It's all just collective laziness that everything's so dysfunctional, yet somehow still hanging by itself on a tightrope. It's actually insane to think that Cisco hasn't even done anything about that, but I would assume it's exactly the kind of slimy bullshit forced by an executive up top by design, not directly for the purpose of fucking over the customer but rather to not get fucked over by the NSA breathing down their necks. This is why I said an unsupervised branch of a government is scary. They do shit like this all the time and nobody can say "No, fuck off" because then they get targetted by those goons and framed as an accident, or a suicide by two bullets at the back of the head and a rope inside a high security prison without bedsheets.

Those kind of people tend to do things that are completely illogical because they know they can't be touched, and because of that they just do whatever is most convenient… Because of laziness. Unaware of the fact that any skid with a bit of knowhow can use their own day zero vulnerabilities against them. Or against anyone. For any reason. Or even no reason at all.
Maybe they retroactively like to pretend like its a honeytrap mechanism, that they're purporsely making shit insecure so they have people to arrest when they do dumb shit like this, but no. They're just that lazy. I completely agree, it makes anyone with a hint of self-awareness have their blood boil over the sheer amount of damage such things can do and it is frankly irresponsible and just disgusting to even think about.

My point though, is that despite these things, that one shouldn't blow the lid off, so to say. It is a grave concern, that's for sure, but getting stressed or angry about such things is not productive toward moving foward into better solutions. It's important to use this knowledge not to make oneself feel miserable, but to educate people who can hear and listen so that, collectively as a society, we stop allowing these sacks of shit from perpetuating horrible practices and have actually good, secure and robust hardware and software be the standard, instead of just the niche that some suit-laced scumbag decides to sell to the masses at markup.
Only if we stop hiding under the umbrella of fear and learn to face reality, can we make the changes that are necessary for the future that, although may not be asked for, is definitely one that should have been there in the first place.

tl;dr demoralization bad, anger pushing for better solutions good, that sort of idea.

@Background Pony #08A5
Well, you're not wrong, as far as that goes, but who's a "blackhat" these days? You don't have to have much technical knowledge these days to carry out a sophisticated attack. The tools can be downloaded if you know where to look, though of course they tend to work a lot better if you have some rudimentary level of knowledge of how things work. Look at Minecraft and see how many people want to break other people's shit just for the sake of breaking other people's shit, without even any specific desire or plan to steal. "Just delete System32, lol." It's not everyone that does these things. It's not even most people. I want to believe that the vast majority of people don't want to engage in that kind of behavior. But there are enough that on a fundamental level, we can't have nice things.

And to an awful lot of people, a computer is just a magic telephone with a bright shiny candy-colored GUI. They tap on the screen or go clicky clicky with the mousie and they see their cat videos. They don't have the faintest idea how any of this works, and they don't care. They're low-hanging fruit for people who take amusement in breaking shit. And how many organizations, even big ones with real IT departments and not just a "computer guy" from a temp service who does everything from password resets to punching down cable, have an unwritten policy where they get routers out of the box, plug them in without changing default passwords or setting up encryption, then go back to farting around on Facebook for the other six hours of their shifts? It's a world full of low hanging fruit, and bored fourteen year olds who want to break your shit because breaking shit is fun. Maybe it's our fault for being lazy. Maybe the bored fourteen year olds wouldn't find it so entertaining to break stuff if it weren't so easy and immediately gratifying for them.

And I know things are fucked. I just picked up some infosec certs, but I am old enough to remember the chill of absolute horror that ran through me when I learned how VFAT handled long filenames, which meant that every Windows 95, 98, or ME box, or even 2000 or XP if you made horribly wrong choices during installation, was essentially a clown on a tightrope juggling rusty chainsaws that were running, over a pit filled with spikes. That was where I first gained the visceral understanding that it's not always best to know everything, that Lovecraft was right when he said that knowledge can bring madness. I remember when I first got broadband and, because I was still using Windows 2000, installed what was at the time a free software firewall called Zone Alarm. I learned that someone in Poland, or maybe someone bouncing the connection off a compromised machine in Poland, was scanning me for open ports around twenty times a second for 10-12 hours every day. And that's even before we start talking about how the NSA wrote the spec sheet for DES and handed it to IBM, watching over their shoulders as they wrote it, or the NSA and their cozy relationship with Cisco Systems, which seems to extend even to custom versions of their router OS that don't leave log files when they phone home to Fort Meade, that are shipped to selected customers.

Also, it sounds like you're a fellow fan of the Lockpicking Lawyer. His attitude about security is appropriate for infosec, I think. And I suspect, though cannot prove that locks haven't improved very much for a few reasons. At least before the Internet, before you could go to Amazon to buy cheap lockpicking tools made in China and learn how to use them by watching free videos on Youtube, the skills to defeat even the cheapest, jankiest lock by any means more subtle than a crowbar were extremely rare. People in the criminal underworld in the US with real locksmithing skills, like the Panczko Brothers or Michael Paulson, and weren't just stealing the safe and cutting it open with a Sawzall later, were always very rare outside of prewar black-and-white gangster movies. A really good locksmith can usually make almost as much money legally as he can by stealing, and without having to cringe every time he sees a police car. They still make locksmiths get licensed and bonded in large parts of the US. The Venn Diagram of "people who have the technical chops to defeat that deadbolt lock you just installed in your door, even if you got it at Wal-Mart and it was made in China" and "people who break into houses and steal things" doesn't show much overlap. The typical street criminal, at least in the US, is in a hurry. He kicks doors down, and if he can't kick it down, he leaves before the neighbors can notice the noise and dial 911, to go rob someone else with a door that is less resistant to being kicked in. He doesn't know what a "waverake" is, and may not know how to read or write. And at the end of the day, a lock is a mechanical device in which you use a special tool, that you hope a bad guy doesn't get or copy, to make parts move in a certain way that lets you open the front door, open that safe where you keep the important papers, or whatever.

Oh, and Cisco routers and switches still have UDP port 69 with its legs wide open yelling "hello, Sailor!" at the entire Internet. I learned about this vulnerability in 2015 and seven years later it isn't fixed. Supposedly this is because Cisco reserves the right, deep in the EULA, to connect to all Cisco routers around the world remotely using the TFTP protocol to do OS patches. TFTP requires no authentication and doesn't even support authentication—no key, no credentials, nothing. Anybody can connect to it, upload gibberish to the flash ROM where the OS is stored, and the next time the router reboots, it's a doorstop, and can't be fixed without physically swapping in a replacement flash ROM chip. It's called "phlashing." Oh, and a malicious actor could also send you a new OS version with special features, like the NSA version of the Cisco OS, if he wasn't content just to break your shit. It makes me grind my teeth. If you're the network guy at an organization with a lot of Cisco hardware, you can close off the port… but when you train for things like the CCNA they tell you not to do that and don't elaborate beyond that it's used by "important processes." Did I mention it makes me grind my teeth?

I think fearmonguering is bad.
Blackhats target people who are too dumb to realize it or big fish with so much disposable income that they don't care. That's natural selection, as sad as it seems.
Modern security is only advancing because of a large degree of communication and cooperation between all sectors of society. Criminals and legitimate users working together to patch vulnerabilities because everyone is affected by them.
As much as it seems most of the things you use are fucked beyond belief, knowing about said exploits also means they're likely already fixed, irrelevant due to actual physical limitations or difficult enough to set up that you'd rather be doing something much more malicious than just randomly redirecting a site about horse cartoons.
Which also means it is much more noticeable if there's something inherently wrong with whatever you're doing.
Which also means it's just that much easier to find the culprit and having them face repercussions for their actions.
Unless you're dealing with a branch of a government without oversight, then, yeah. You should be scared about that.

Despite every single lock in like 70%-maybe 80% of the world, that is tied to someone's front door, is subceptible to a waverake or comb attack, people rarely get robbed (unless they live where I am, then, my condolencies). It's insane that physical locks haven't progressed in security since the 17th century due to security through obscurity (manufacturers being as lazy as possible and lockpickers wanting to pretend not talking about how easy it is, due to societal backlash and also said manufacurers strongarming people into shutting up about it), but that also means that most people, regardless of where they live, wouldn't just invade someone's home to rob them. That's reality.
I think its more important to know that things aren't secure, so that you can more concientiously approach said reality with pragmatism instead of blind fear.
This isn't people being kind though. It's laziness and also fear of repercussions. Now that's the real terror.

@Background Pony #15DF

What if you ran a shady organization that sneakily installed a root certificate on his browser without his knowledge? Then you could sign a certificate to let whoever you wanted effortlessly MitM every site for everyone using that browser. That's what keeps me up at night, not the vanishingly small chance that some nobody in Kazakhstan has control of my network enough to Sybil attack me continuously in real time, and even then is totally powerless if I've already got the site's public key before they start.

Get the key and you're safe. Every other "security" step where you have to get the key again is another opportunity for someone to get in the middle. And SSL was designed so you have to get the key every time, and can only use the certificate of the one single authority. You can thank Netscape Inc. for that. They could've used PGP!

@skybrook
There is that, yes, though the more I read, the more horrifying thoughts I have about… well, to do a Man in the Middle, the book says you have to be on a machine that's on the same LAN or VLAN as the mark. But what if instead of being physically in the building with him, instead you have some kind of remote access trojan installed on another machine on the same VLAN? Could someone do Man in the Middle with that? Because now MitM isn't something that can only be done by someone in the same building with you. He could be in Kazakhstan, using a machine in your building that got a RAT on it because some mouth-breather in HR picked up a USB stick in the parking lot and plugged it in, or went to Facebook on company time and downloaded cutepuppy.jpg.exe. It keeps me up nights.

And @Background Pony #08A5
is also right about a mis-set time on the guy's machine being a potential cause of certificate error messages. When I use $SEARCHENGINE to look for information about vulnerabilities in NTP, it's very sobering. VERY sobering. It makes me wish for the days of sneakernets. ("Don't copy that floppy!")

The more I think about all of this, the more frightening it becomes. It makes me think of Rumsfeld's speech about the unknown unknowns. How long did the port 69 security hole in Cisco routers go unpatched because "no one would bother" trying to exploit it? It's one reason I don't shop online—if I can't go to a store in person and pay with cash, I don't need it. It's bad enough to be dependent on email to communicate with people. There are days when I want to live in a cave.

@Background Pony #15DF

Everyone should be getting a message like "Warning: the certificate for this site expired XXX days ago." Maybe as a little popup notice on the side. There is almost no way the connection could possibly be spoofed and sent to an entirely different IP address, because that certificate would have an untrusted authority, not just be expired. Certificate expiry is purely a cautionary measure to protect the certificate authority not the website itself, in case some site decides to change its webpages such that the authority doesn't want to vouch for it anymore.

Which of course allows certificate authorities to bully sites into censorship and shut down small independent websites, and certificate authorities of course formed a shady mafia organization in the background who demand a monthly payment or they won't update the expiration on your certificate.

And browsers are in on it too, sneaking shady certificate authorities into your trusted list, and turning a probably harmless warning into a deadly threatening error message that may not be bypassed. Which as I was saying, lets the mafia use you as a bargaining chip, to force every site on the 'net to pay them real money, since you all get cut off from any site refusing or unable to pay.

@Background Pony #08A5
Well, yeah. A very important question, for which we are at this point unlikely to get an answer, though, is: is OP the only one getting that message, or is it everyone who's getting that message, when people try to go to Derpibooru? If everyone's getting that message, then, yes, that indicates that Dilarus and TSP and the rest of the merry crew of the SS Dumpsterfire were too busy dyeing their hair in matching shades of purple for anyone to take ninety seconds to install a fresh cert. If it's just that one guy getting it, it could be some kind of customized MitM/webspoofing attack created just to target him. That seems a bit implausible, because Occam's Razor, and because Derpibooru is not an obvious choice to me for someone trying to steal credentials. I mean, yeah, there's credential stuffing, but if you make an account at a booru, and use the same password there that you do for your bank account and your work accounts, then really you deserve whatever happens next.

@Background Pony #15DF
The error in OP's post reffers to an expired TLS cert.
This can be caused by like, 2 or 3 things:
1.OP's phone has the clock setup wrong or his phone/G5 proxy is conflicting with his phone's internal clock, reporting a timer to the server that doesn't match with TLS standards.
2.Depribooru's admin forgot to renew the certificate because lazy.
3.His entire connection is being spoofed and sent to an entirely different IP adress due to a DNS reporting that derpibooru.com is actually another website entirely, which is frankly unlikely nowadays.

Most of the time, its just a false positive and likely to be number 2.
Very rarely number 3 is caused by a legitimate "attack", and this is mostly showcased after the user's been rootkit'd by a trojan or some shit (which would show even more issues than just a website being spoofed) as a psudo-VPN/proxy can easily be autorouting any connections to other websites. Although, if such were the case, chromium based browsers tend to give a huge red alert (as in, the entire page goes red, not just the red alert icon) that google's database doesn't match with the URL/IP given and won't even allow you to bypass or connect to the site at all, and gives a different error entirely.

In my totally expert and absolutely not bullshit opinion, i think OP is okay and should just use opera or some waterfox fork instead.

@Background Pony #15DF

The whole "man in the middle" thing is a scam really. They told you to watch out for that mean ol' man in the middle, by letting them be the man in the middle. (Also you don't let them they just sorta programmed your computer to let them without asking.)

@skybrook
Phony virus warnings go back to the dialup days. This is different, I think. I don't frequent Dumpsterfirebooru but this kind of warning tends to indicate a problem with a security certificate on that end. Alternately, it could be something phony, crafted to look like one, and in that case I suppose clicking on the links in it would likely make Very Bad Things happen. But security certificate problems are a thing, and that screenshot shows the correct address in the address bar, leading me to think it's probably a legit warning.

Yes, I know, there are a thousand means of attack. Go look up "Man in the Middle" and "Alternate Data Streams" if you want to see things you can't unsee, that will keep you up nights. But those things tend to be elaborate and labor-intensive to set up, and may require a physical connection to the same LAN or at least VLAN. Unless the person who posted that has people targeting him specifically—and that's always possible too, I guess—it is most likely a browser warning indicating that there is a Transport Layer Security/security certificate problem with the connection to Derpibooru, almost certainly on Derpibooru's end.

Disclaimer: I didn't sleep at a Holiday Inn last night, but I do have some background in infosec.

It's FUD. They've been stuffing those bogus threatening error messages in our browsers for like a decade now. Doesn't mean anything. It's just to scare you, so they can use you as a bargaining chip to make derpibooru pay 'em protection money. …no, really.