[Wikimedia-l] Invalid security certificate for en.wikipedia.beta.wmflabs.org
Matthew Flaschen
mflaschen at wikimedia.org
Thu Oct 3 08:33:05 UTC 2013

On 10/02/2013 08:49 PM, Tim Starling wrote:
> On 02/10/13 05:56, Federico Leva (Nemo) wrote:
>> Yes, beta can't currently really be used unless you manually confirm
>> certificates. (Which, by the way, you should never do on any website.)
>
> Why not? Self-signed certificates are as secure as plain HTTP, which
> you would think would be good enough for most people for connecting to
> a test wiki.

First of all, trusting random certs is a bad habit to get into. Few
people go through the trouble to check the cert chain themselves,
obviously, so they don't know if it's "self-signed" or
"man-in-the-middle signed".

> We give all sorts of people access to labs, so a proper
> certificate for *.wmflabs.org shouldn't give you much additional
> confidence.

We do not give all sorts of people access to Beta. To get your PHP code
there, you need to get it merged into master. To get JavaScript there,
you either need to do that or be an admin on Beta.

So yes, it's a test wiki, but it's *our* test wiki, and the gates are
not flung totally open. With a self-signed cert (and the fact that
nobody really inspects it), you could be connecting to any machine.

Moreover, the goal of Beta is to be like production, which includes the
SSL. Self-signed SSL certs interfere with both automated and manual
testing. More details are at the bug Nemo linked.

Matt Flaschen