In my understanding "invalid" includes "signed by untrusted authority". I'm no security expert, and for me a browser reporting an invalid certificate is a red flag - I'll have a hard time figuring out that cacert.org are in fact the "good guys". I believe this can also turn away some contributors, who will think the page is abandoned/compromised, without looking into much detail.
As for Let's Encrypt - they reported several days ago that they are trusted by major browsers - https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html. Check https://helloworld.letsencrypt.org/ - it's trusted.
BR, Artur.
On Sun, Oct 25, 2015 at 2:35 PM, Frank Lanitz frank@frank.uvena.de wrote:
On 25.10.2015 at 13:17, Arthur Peka wrote:
Some may have already said it, but the certificate on https://lists.geany.org is invalid. I guess the one from Let's Encrypt could be used (which now seems to be trusted)?
They did a huge step forward, but AFAIK not yet done. By now we are using CAcert and the certificate is not invalid only because your browser doesn't know the CAcert root certificates¹. It's just untrusted.
However, the plan is, once they are really online, we think about migration.
Cheers, Frank
¹ http://www.cacert.org/index.php?id=3
P.S. Sorry if this might have sounded rude. Not sure. Wasn't intended. SSL is not just the green lock symbol, it's more. Even a self-signed certificate can, well in most cases it is if you check fingerprints, be more trustworthy than a signed one.
Devel mailing list Devel@lists.geany.org https://lists.geany.org/cgi-bin/mailman/listinfo/devel