Hi,
with regard to the recent discussion on SSL, it would be really nice to have the certificates issued by CAcert (whose root certificate will not be included in many browsers for some time) published on a trustworthy server (a footer on URI:https://www.wikimedia.org/ perhaps?). I'm primarily thinking about the certificates for:
- wikitech.leuksman.com
- www.wikimedia.de
(Feel free to append if you encounter others.)
TIA, Tim
I wrote:
with regard to the recent discussion on SSL, it would be really nice to have the certificates issued by CAcert (whose root certificate will not be included in many browsers for some time) published on a trustworthy server (a footer on URI:https://www.wikimedia.org/ perhaps?). [...]
^^^^^^^^^^^^^^^^^^^^^^^^^^ That should obviously have been URI:https://secure.wikimedia.org/.
Tim
Tim Landscheidt wrote:
with regard to the recent discussion on SSL, it would be really nice to have the certificates issued by CAcert (whose root certificate will not be included in many browsers for some time) published on a trustworthy server (a footer on URI:https://www.wikimedia.org/ perhaps?).
We don't actively use CAcert anymore since we can afford certs which don't toss confusing messages at visitors. :)
I'm primarily thinking about the certificates for:
- wikitech.leuksman.com
This is an old link from when we stuck our tech doc wiki on my personal site for a while; you'll see there's a nicer cert at the permanent URL: https://wikitech.wikimedia.org/
- www.wikimedia.de
Wikimedia DE folks run this... Who can poke it?
-- brion
Brion Vibber schrieb:
- www.wikimedia.de
Wikimedia DE folks run this... Who can poke it?
I can. We have a cert for https://secure.wikimedia.de/ which we use for donations and stuff. What do we need one for www.wikimedia.de for?
-- daniel
Daniel Kinzler daniel@brightbyte.de wrote:
- www.wikimedia.de
Wikimedia DE folks run this... Who can poke it?
I can. We have a cert for https://secure.wikimedia.de/ which we use for donations and stuff. What do we need one for www.wikimedia.de for?
Well, www.wikimedia.de answers on port 443, so a valid certificate would be kind of nice :-).
Tim
Brion Vibber brion@wikimedia.org wrote:
[...]
I'm primarily thinking about the certificates for:
- wikitech.leuksman.com
This is an old link from when we stuck our tech doc wiki on my personal site for a while; you'll see there's a nicer cert at the permanent URL: https://wikitech.wikimedia.org/ [...]
Hmmm, the latter now shows a self-signed certificate again?
Tim
On 8/12/09 3:49 PM, Tim Landscheidt wrote:
Brion Vibber brion@wikimedia.org wrote:
[...]
I'm primarily thinking about the certificates for:
- wikitech.leuksman.com
This is an old link from when we stuck our tech doc wiki on my personal site for a while; you'll see there's a nicer cert at the permanent URL: https://wikitech.wikimedia.org/ [...]
Hmmm, the latter now shows a self-signed certificate again?
Yeah, but it's got the right URL at least! ;)
-- brion
Unsecure Sockets Layer?
(I'll shut up now 8-)
On Wed, Aug 12, 2009 at 4:12 PM, Brion Vibber brion@wikimedia.org wrote:
On 8/12/09 3:49 PM, Tim Landscheidt wrote:
Brion Vibber brion@wikimedia.org wrote:
[...]
I'm primarily thinking about the certificates for:
- wikitech.leuksman.com
This is an old link from when we stuck our tech doc wiki on my personal site for a while; you'll see there's a nicer cert at the permanent URL: https://wikitech.wikimedia.org/ [...]
Hmmm, the latter now shows a self-signed certificate again?
Yeah, but it's got the right URL at least! ;)
-- brion
Hi!
Hmmm, the latter now shows a self-signed certificate again?
how is that an issue?
Domas
Domas Mituzas midom.lists@gmail.com wrote:
Hmmm, the latter now shows a self-signed certificate again?
how is that an issue?
Most browsers (and RSS readers and ...) will bark at it as "(potentially) unsafe". Therefore, IMHO Wikimedia should either use established CA's certificates or publish information on the "private" (or CAcert) certificates on a trustworthy server, in paper publications, etc. where it can be used to verify the certificates.
Tim
P. S.: Yes, it *is* highly unlikely that wikitech.wikimedia.org's A record gets hijacked and a MITM attack is staged as little could be gained.
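The out-of-band check proposed in the message above, sketched as an added example that is not part of the original thread: the site operator publishes a SHA-256 fingerprint on a trusted channel, and a client compares it with the certificate the server actually presents. `SAMPLE_DER` is a constructed stand-in, not a real certificate, and all function names are hypothetical.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in for a certificate's DER bytes (not a real certificate).
# A fingerprint is a hash over the DER encoding, never over the PEM text.
SAMPLE_DER = b"0\x82\x01\x0a" + b"constructed-self-signed-cert" * 8
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def fingerprint(pem: str) -> str:
    """Publisher side: SHA-256 of the DER form as colon-separated hex."""
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(published: str) -> bytes:
    """Accept 'AA:BB', 'aa bb' or 'aabb' spellings; insist on SHA-256 length."""
    raw = bytes.fromhex(published.replace(":", "").replace(" ", ""))
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("published fingerprint is not SHA-256 sized")
    return raw


def matches_published(pem: str, published: str) -> bool:
    """Client side: compare the presented certificate with the published value."""
    presented = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).digest()
    return hmac.compare_digest(presented, normalize(published))


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch the presented certificate without CA validation, as is required
    for a self-signed one. Needs network access; not called in this example."""
    return ssl.get_server_certificate((host, port))
```

The check is only as trustworthy as the channel the fingerprint was published on, which is why the message asks for a trustworthy server or paper publication.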
Hi!
Most browsers (and RSS readers and ...) will bark at it as "(potentially) unsafe". Therefore, IMHO Wikimedia should either use established CA's certificates or publish information on the "private" (or CAcert) certificates on a trustworthy server, in paper publications, etc. where it can be used to verify the certificates.
I know what happens when a self-signed certificate is used. Why the heck is that an issue with the wikitech.wikimedia.org wiki?
P. S.: Yes, it *is* highly unlikely that wikitech.wikimedia.org's A record gets hijacked and a MITM attack is staged as little could be gained.
And then what? I for one use HTTP to access that wiki, feel free to hijack my account, and, um, vandalize. You won't need to do MITM for that, actually, will save you some effort.
I thought there're more important issues out there ;-)
Domas
Domas Mituzas midom.lists@gmail.com wrote:
Most browsers (and RSS readers and ...) will bark at it as "(potentially) unsafe". Therefore, IMHO Wikimedia should either use established CA's certificates or publish information on the "private" (or CAcert) certificates on a trustworthy server, in paper publications, etc. where it can be used to verify the certificates.
I know what happens when a self-signed certificate is used. Why the heck is that an issue with the wikitech.wikimedia.org wiki?
Because when you access URI:https://wikitech.wikimedia.org/, it will bark :-). Would not all references to wikitech.leuksman.com have been advertising the HTTPS access (and the Google ratio is still about 55900:209 :-)), I would not care. But IMVHO *if* HTTPS requests are served, that should be done "properly".
P. S.: Yes, it *is* highly unlikely that wikitech.wikimedia.org's A record gets hijacked and a MITM attack is staged as little could be gained.
And then what? I for one use HTTP to access that wiki, feel free to hijack my account, and, um, vandalize. You won't need to do MITM for that, actually, will save you some effort.
I thought there're more important issues out there ;-)
I can assure you you are *very* right on that thought :-).
Tim
"Tim Landscheidt" tim@tim-landscheidt.de wrote in message news:m3skfsna0i.fsf@passepartout.tim-landscheidt.de...
Domas Mituzas midom.lists@gmail.com wrote:
I know what happens when a self-signed certificate is used. Why the heck is that an issue with the wikitech.wikimedia.org wiki?
Because when you access URI:https://wikitech.wikimedia.org/, it will bark :-). Would not all references to wikitech.leuksman.com have been advertising the HTTPS access (and the Google ratio is still about 55900:209 :-)), I would not care. But IMVHO *if* HTTPS requests are served, that should be done "properly".
Firefox, for example, gives a very scary notice if you visit that address. I for one would not trust anything for which such a scary notice was generated, even if I trust the owners of the site (as I do here). The message indicates that the site may have been compromised, and that is too much of a risk to take these days.
IE gives a less scary message, but it still very firmly informs you: "close this webpage and do not continue to this website". Again, not a message I would ignore.
Seriously, unless you are intentionally trying to scare people away from the site, then this should be fixed.
- Mark Clements (HappyDog)
On Mon, Aug 24, 2009 at 8:50 AM, Mark Clements (HappyDog) gmane@kennel17.co.uk wrote:
Seriously, unless you are intentionally trying to scare people away from the site, then this should be fixed.
wikitech is mainly intended for Wikimedia tech staff, not the general public, so I assume that they don't care very much if the general public is scared away. Anyone who can use the site usefully presumably knows enough about HTTPS to understand that they can safely ignore the warning.
On 8/24/09 3:04 PM, Aryeh Gregor wrote:
On Mon, Aug 24, 2009 at 8:50 AM, Mark Clements (HappyDog) gmane@kennel17.co.uk wrote:
Seriously, unless you are intentionally trying to scare people away from the site, then this should be fixed.
wikitech is mainly intended for Wikimedia tech staff, not the general public, so I assume that they don't care very much if the general public is scared away. Anyone who can use the site usefully presumably knows enough about HTTPS to understand that they can safely ignore the warning.
Pretty much, yeah. :) We put "real" certs on public-facing sites, but just haven't bothered with what is essentially our tech department intranet. (But since we're crazy people it's open if you want to look at it!)
-- brion
Pretty much, yeah. :) We put "real" certs on public-facing sites, but just haven't bothered with what is essentially our tech department intranet. (But since we're crazy people it's open if you want to look at it!)
Wouldn't it be safer, and more convenient, to have internal sites use an internally created CA instead of self-signed certificates? At least then users would simply have to trust the CA once and not get the warning on other, or future, internal sites.
V/r,
Ryan Lane
On 8/24/09 3:38 PM, Lane, Ryan wrote:
Pretty much, yeah. :) We put "real" certs on public-facing sites, but just haven't bothered with what is essentially our tech department intranet. (But since we're crazy people it's open if you want to look at it!)
Wouldn't it be safer, and more convenient, to have internal sites use an internally created CA instead of self-signed certificates?
Safer, but less convenient as it would take us a few extra minutes to set up which we might as well spend on buying an $8 public-friendly cert. ;)
-- brion
Brion Vibber brion@wikimedia.org wrote:
Pretty much, yeah. :) We put "real" certs on public-facing sites, but just haven't bothered with what is essentially our tech department intranet. (But since we're crazy people it's open if you want to look at it!)
Wouldn't it be safer, and more convenient, to have internal sites use an internally created CA instead of self-signed certificates?
Safer, but less convenient as it would take us a few extra minutes to set up which we might as well spend on buying an $8 public-friendly cert. ;)
Does this mean that if I make an earmarked donation we could close this thread? :-)
Tim
Tim Landscheidt wrote:
Brion Vibber brion@wikimedia.org wrote:
Pretty much, yeah. :) We put "real" certs on public-facing sites, but just haven't bothered with what is essentially our tech department intranet. (But since we're crazy people it's open if you want to look at it!)
Wouldn't it be safer, and more convenient, to have internal sites use an internally created CA instead of self-signed certificates?
Safer, but less convenient as it would take us a few extra minutes to set up which we might as well spend on buying an $8 public-friendly cert. ;)
Does this mean that if I make an earmarked donation we could close this thread? :-)
Can I chip in a few more bucks to get the old MD5-hashed certs (like the one for bugzilla.wikimedia.org) replaced? They may technically still be safe (if just barely), but at least the "SSL Blacklist" Firefox extension throws up a big scary warning about them and it's annoying to have to click through it.