On 10/02/2013 08:49 PM, Tim Starling wrote:
> On 02/10/13 05:56, Federico Leva (Nemo) wrote:
>> Yes, beta can't currently really be used unless you manually confirm
>> certificates. (Which, by the way, you should never do on any website.)
>
> Why not? Self-signed certificates are as secure as plain HTTP, which
> you would think would be good enough for most people for connecting to
> a test wiki.

First of all, trusting random certs is a bad habit to get into. Few
people go through the trouble to check the cert chain themselves,
obviously, so they don't know if it's "self-signed" or
"man-in-the-middle signed".

> We give all sorts of people access to labs, so a proper
> certificate for *.wmflabs.org shouldn't give you much additional
> confidence.

We do not give all sorts of people access to Beta. To get your PHP code
there, you need to get it merged into master. To get JavaScript there,
you either need to do that or be an admin on Beta.
So yes, it's a test wiki, but it's *our* test wiki, and the gates are
not flung totally open. With a self-signed cert (and the fact that
nobody really inspects it), you could be connecting to any machine.
Moreover, the goal of Beta is to be like production, which includes the
SSL. Self-signed SSL certs interfere with both automated and manual
testing. More details are at the bug Nemo linked.
Matt Flaschen
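
Added example, not part of the original message: the names shown in a certificate warning are identical for any two self-signed certificates issued for the same host, so only a fingerprint obtained out of band tells them apart. The host name `beta.example.test`, the file names and the function names are constructed for illustration; the script assumes the `openssl` command-line tool is installed and does not touch the network.

```shell
#!/usr/bin/env bash
# Added example. Host name and file names are constructed.

# new_self_signed CN BASENAME: write BASENAME.key and BASENAME.pem (self-signed).
new_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}

# Subject and issuer: the fields a reader skims in a certificate warning.
cert_names() {
  openssl x509 -in "$1" -noout -subject -issuer
}

# SHA-256 fingerprint of the certificate, hex digits only.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_pin CERT EXPECTED: succeed only if CERT has the fingerprint
# that was obtained out of band from the server's operator.
check_pin() {
  [ "$(cert_fingerprint "$1")" = "$2" ]
}

demo() {
  local dir pin
  dir=$(mktemp -d) || return 1
  new_self_signed beta.example.test "$dir/server"  # the test server's certificate
  new_self_signed beta.example.test "$dir/other"   # a different machine, same name
  pin=$(cert_fingerprint "$dir/server.pem")

  if [ "$(cert_names "$dir/server.pem")" = "$(cert_names "$dir/other.pem")" ]; then
    echo "subject/issuer: identical for both certificates"
  fi
  check_pin "$dir/server.pem" "$pin" && echo "server.pem: fingerprint matches pin"
  check_pin "$dir/other.pem" "$pin" || echo "other.pem: fingerprint mismatch, reject"
  rm -rf "$dir"
}

demo
```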