Hi,
some may have already said it, but the certificate on https://lists.geany.org is invalid. I guess the one from Let's Encrypt could be used (which now seems to be trusted)?
BR, Artur.
Hi,
> some may have already said it, but the certificate on https://lists.geany.org is invalid. I guess the one from Let's Encrypt could be used (which now seems to be trusted)?

could you elaborate a bit on what exactly you mean by "invalid"? This is a wildcard certificate for *.geany.org and is valid until April 2016. Your browser might try to trick you into the assumption the certificate is invalid because your browser does not trust the CA of cacert.org who signed our certificate. But this does not mean our certificate is invalid. It's just that the major browser distributors don't accept the root certificates of cacert.org.
And yes, we will think about using the new Let's Encrypt certificates. However, as far as I know, the currently available certificates are also not yet trusted by the majority of applications. Those new, automatically trusted certificates will first be available some time in November.
Regards, Enrico
On 25.10.2015 at 13:17, Arthur Peka wrote:
> some may have already said it, but the certificate on https://lists.geany.org is invalid. I guess the one from Let's Encrypt could be used (which now seems to be trusted)?
They did a huge step forward, but AFAIK not yet done. By now we are using CAcert and the certificate is not invalid only because your browser doesn't know the CAcert root certificates¹. It's just untrusted.
However, the plan is, once they are really online, we will think about migration.
Cheers, Frank
¹ http://www.cacert.org/index.php?id=3
P.S. Sorry if this might have sounded rude. Not sure. Wasn't intended. SSL is not just the green lock symbol, it's more. Even a self-signed certificate can, well in most cases it is if you check fingerprints, be more trustworthy than a signed one.
In my understanding "invalid" includes "signed by untrusted authority". I'm no security expert, and for me a browser reporting an invalid certificate is a red flag - I'll have a hard time figuring out that cacert.org are in fact the "good guys". I believe this can also turn away some contributors, who will think the page is abandoned/compromised, without looking into much detail.
As for Let's Encrypt - they reported several days ago that they are trusted by major browsers - https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html. Check https://helloworld.letsencrypt.org/ - it's trusted.
BR, Artur.
Hi,
On 25.10.2015 at 14:41, Arthur Peka wrote:
> In my understanding "invalid" includes "signed by untrusted authority". I'm no security expert, and for me a browser reporting an invalid certificate is a red flag - I'll have a hard time figuring out that cacert.org are in fact the "good guys". I believe this can also turn away some contributors, who will think the page is abandoned/compromised, without looking into much detail.

I'm aware of this and we discussed it several times on some of our mailing lists. Untrusted != invalid. Unfortunately people don't want to understand this, so browser developers decided to show "OMG we are gonna die" error warnings in every case and to hide the "I know what I'm doing" option. It's even getting harder and harder to acknowledge a self-signed certificate from release to release of the browsers. This is bad. Now, by default, it's easier to trust some company that might be forced by some government or whoever (stock owners maybe) to sign a not valid certificate than to trust your very own self-created certificate, e.g. for your personal intranet. But this is another topic and off topic here.

> As for Let's Encrypt - they reported several days ago that they are trusted by major browsers
> https://helloworld.letsencrypt.org/ - it's trusted.

At least I'm aware of this and, as Enrico mentioned, we will go into the process of updating maybe soon. This was the big step I was referring to.
So tl;dr: There will be an update on this kind of soonish.
Cheers, Frank
Ok, glad to hear that.
BR, Artur.
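
The distinction argued over in this thread (untrusted issuer versus an invalid certificate) and the fingerprint check mentioned in Frank's P.S., as an added example that is not part of the original messages. It assumes the `openssl` command-line tool is installed; the certificate is a throwaway generated on the spot and `lists.example.test` is a placeholder name.

```shell
#!/bin/sh
# Added example. The certificate is a throwaway generated on the spot;
# the host name lists.example.test is a placeholder.

make_cert() {        # $1 = directory that receives key.pem and cert.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=lists.example.test" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Trust: does the chain end at an anchor in the store in use?
chain_status() {     # $1 = certificate, $2 = optional file of trusted roots
  if [ -n "${2:-}" ]; then
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  else
    out=$(openssl verify "$1" 2>&1) || true
  fi
  case "$out" in *": OK"*) echo trusted ;; *) echo untrusted ;; esac
}

# Validity period: independent of who signed (checks notAfter only).
dates_status() {     # $1 = certificate
  if openssl x509 -checkend 0 -noout -in "$1" >/dev/null 2>&1
  then echo current; else echo expired; fi
}

# SHA-256 fingerprint, to compare with one obtained over another channel.
fingerprint() {      # $1 = certificate
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

pin_status() {       # $1 = certificate, $2 = expected fingerprint
  if [ "$(fingerprint "$1")" = "$2" ]; then echo match; else echo mismatch; fi
}

demo() {
  d=$(mktemp -d) && make_cert "$d" || return 1
  c="$d/cert.pem"
  echo "default trust store:    $(chain_status "$c") / $(dates_status "$c")"
  echo "root added by the user: $(chain_status "$c" "$c") / $(dates_status "$c")"
  echo "fingerprint pin:        $(pin_status "$c" "$(fingerprint "$c")")"
  rm -rf "$d"
}
demo
```

The same certificate reports `untrusted / current` against the default store and `trusted / current` once its root is added, which is the situation a CAcert-signed certificate is in for a browser that does not ship the CAcert roots.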