Hi Alexander,
On 16/04/15 14:57, Alexander Couzens wrote:
> Hi,
>
> review isn't forcing https. Can we please do this? Otherwise stealing cookies is possible. Review supports https. There is atm a CACert based certificate and CaCert isn't included in the default root keychain. Thus a normal user will be shown a big fat warning, not to connect to review.coreboot.org, because the certificate is unknown and untrusted. I don't have a problem with that and I like CaCert. But if CaCert is the reason for not enabling https-only, then let us change to StartSSL or some other SSL authority.
>
> Best lynxis
>
> PS. Same issue on www.coreboot.org, but stealing review is much worse than stealing wiki cookies.
> PPS. Please write a +1 if you're supporting this opinion.
"Let's Encrypt" is interesting; https://letsencrypt.org/
It's not ready yet, but it's supposed to be an "automated" (most likely gratis) certificate authority, and they are working hard to get it recognized to work around the issue where the user would otherwise get warnings in their browser.
Run by the EFF. Definitely something to look into. I'm waiting for it to become available, so that I can start using it on my sites/services.
Seth Schoen did a talk about it recently, watch from 59 minutes in: http://mtjm.eu/releases/lp2015/lp-123-1426949592.ogv (there were slides during the talk, but they didn't capture them)
Regards, Francis Rowe.