Hi,
review isn't forcing https. Can we please do this? Otherwise stealing cookies is possible. Review supports https. There is atm a CAcert-based certificate and CAcert isn't included in the default root keychain. Thus a normal user will be shown a big fat warning not to connect to review.coreboot.org, because the certificate is unknown and untrusted. I don't have a problem with that and I like CAcert. But if CAcert is the reason for not enabling https-only, then let us change to StartSSL or some other SSL authority.
Best lynxis
PS. Same issue on www.coreboot.org, but stealing review cookies is much worse than stealing wiki cookies.
PPS. Please write a +1 if you're supporting this opinion.
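One way to check what lynxis is asking for, as an added example that is not part of the thread and not the coreboot infrastructure's own configuration: the script below audits a host's plaintext and TLS responses for the three properties that keep a session cookie from travelling in the clear (plaintext requests redirected to the https:// origin, a Strict-Transport-Security header, and Secure/HttpOnly on the cookie). The host name review.example.org, the cookie name sessionid and the six-month HSTS threshold are assumptions, and the sample responses are constructed.

```python
"""Audit whether a site forces HTTPS and keeps its session cookie off
plaintext HTTP: the two things lynxis asks for above.

Added example, not the coreboot/review server configuration. The host name,
cookie name and header sets below are constructed samples.
"""
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MIN_HSTS_AGE = 180 * 24 * 3600  # assumed policy: at least six months


def split_headers(header_list):
    """Lower-case header names; collect every Set-Cookie separately."""
    cookies, rest = [], {}
    for name, value in header_list:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            rest[name.lower()] = value
    return rest, cookies


def hsts_max_age(value):
    """max-age from a Strict-Transport-Security value, None if absent/invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def analyze(host, http_status, http_headers, https_status, https_headers):
    """Return a list of findings; an empty list means HTTPS is enforced."""
    findings = []
    plain, plain_cookies = split_headers(http_headers)
    tls, tls_cookies = split_headers(https_headers)

    # 1. A plaintext request must be redirected to the TLS origin of the same host.
    target = urlsplit(plain.get("location", ""))
    if (http_status not in REDIRECT_CODES or target.scheme != "https"
            or target.hostname != host):
        findings.append("http:// is served directly, no redirect to https://")
    if plain_cookies:
        findings.append("Set-Cookie on the plaintext response: session exposed")

    # 2. HSTS stops the browser from making the first plaintext request at all.
    age = hsts_max_age(tls.get("strict-transport-security", ""))
    if age is None:
        findings.append("no Strict-Transport-Security header")
    elif age < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {age} below {MIN_HSTS_AGE}")

    # 3. Cookies set over TLS must never be sent back over plaintext, and
    #    should be out of reach of page scripts.
    for cookie in tls_cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


def fetch_and_analyze(host, path="/"):
    """Live variant: one request over port 80 and one over 443, then analyze()."""
    results = []
    for conn_cls, port in ((HTTPConnection, 80), (HTTPSConnection, 443)):
        conn = conn_cls(host, port, timeout=10)
        conn.request("GET", path)
        resp = conn.getresponse()
        results.append((resp.status, resp.getheaders()))
        conn.close()
    (hs, hh), (ss, sh) = results
    return analyze(host, hs, hh, ss, sh)


# Constructed sample responses (not captured from any real server).
WEAK = dict(
    host="review.example.org",
    http_status=200,
    http_headers=[("Content-Type", "text/html"),
                  ("Set-Cookie", "sessionid=abc123; Path=/")],
    https_status=200,
    https_headers=[("Set-Cookie", "sessionid=abc123; Path=/")],
)
HARDENED = dict(
    host="review.example.org",
    http_status=301,
    http_headers=[("Location", "https://review.example.org/")],
    https_status=200,
    https_headers=[("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                   ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly")],
)

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, analyze(**sample) or ["ok"])
```

analyze() takes any (status, header list) pairs, so it can be fed headers captured with curl -I as easily as the live pair that fetch_and_analyze() collects from a host you operate. The WEAK sample reproduces the situation described in the mail (plaintext served directly, cookie without Secure); the HARDENED sample shows the response set that closes it.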
On 04/16/2015 08:57 AM, Alexander Couzens wrote:
> Hi,
> review isn't forcing https. Can we please do this? Otherwise stealing cookies is possible. Review supports https. There is atm a CAcert-based certificate and CAcert isn't included in the default root keychain. Thus a normal user will be shown a big fat warning not to connect to review.coreboot.org, because the certificate is unknown and untrusted. I don't have a problem with that and I like CAcert. But if CAcert is the reason for not enabling https-only, then let us change to StartSSL or some other SSL authority.
> Best lynxis
> PS. Same issue on www.coreboot.org, but stealing review cookies is much worse than stealing wiki cookies.
> PPS. Please write a +1 if you're supporting this opinion.
+1
2015-04-16 15:57 GMT+02:00 Alexander Couzens <lynxis@fe80.eu>:
> then let us change to StartSSL or some other SSL authority.
I'll ask CNNIC. I heard they have good offers.
> PPS. Please write a +1 if you're supporting this opinion.
Please don't.
Patrick
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Alexander,
On 16/04/15 14:57, Alexander Couzens wrote:
> Hi,
> review isn't forcing https. Can we please do this? Otherwise stealing cookies is possible. Review supports https. There is atm a CAcert-based certificate and CAcert isn't included in the default root keychain. Thus a normal user will be shown a big fat warning not to connect to review.coreboot.org, because the certificate is unknown and untrusted. I don't have a problem with that and I like CAcert. But if CAcert is the reason for not enabling https-only, then let us change to StartSSL or some other SSL authority.
> Best lynxis
> PS. Same issue on www.coreboot.org, but stealing review cookies is much worse than stealing wiki cookies.
> PPS. Please write a +1 if you're supporting this opinion.
"Let's Encrypt" is interesting; https://letsencrypt.org/
It's not ready yet, but it's supposed to be an "automated" (most likely gratis) certificate authority, and they are working hard to get it recognized to work around the issue where the user would otherwise get warnings in their browser.
Run by the EFF. Definitely something to look into. I'm waiting for it to become available, so that I can start using it on my sites/services.
Seth Schoen did a talk about it recently, watch from 59 minutes in: http://mtjm.eu/releases/lp2015/lp-123-1426949592.ogv (there were slides during the talk, but they didn't capture them)
Regards, Francis Rowe.
On Fri, Apr 17, 2015 at 2:01 AM, The Gluglug <info@gluglug.org.uk> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Hi Alexander,
> On 16/04/15 14:57, Alexander Couzens wrote:
> > Hi,
> > review isn't forcing https. Can we please do this? Otherwise stealing cookies is possible. Review supports https. There is atm a CAcert-based certificate and CAcert isn't included in the default root keychain. Thus a normal user will be shown a big fat warning not to connect to review.coreboot.org, because the certificate is unknown and untrusted. I don't have a problem with that and I like CAcert. But if CAcert is the reason for not enabling https-only, then let us change to StartSSL or some other SSL authority.
> > Best lynxis
> > PS. Same issue on www.coreboot.org, but stealing review cookies is much worse than stealing wiki cookies.
> > PPS. Please write a +1 if you're supporting this opinion.
> "Let's Encrypt" is interesting; https://letsencrypt.org/
> It's not ready yet, but it's supposed to be an "automated" (most likely gratis) certificate authority, and they are working hard to get it recognized to work around the issue where the user would otherwise get warnings in their browser.
> Run by the EFF. Definitely something to look into. I'm waiting for it to become available, so that I can start using it on my sites/services.
> Seth Schoen did a talk about it recently, watch from 59 minutes in: http://mtjm.eu/releases/lp2015/lp-123-1426949592.ogv (there were slides during the talk, but they didn't capture them)
Until Let's Encrypt is ready (to which I'm very much looking forward), there's also another alternative to StartSSL with fewer downsides: https://buy.wosign.com/free/
WoSign works well for me, it is trusted in pretty much any browser (due to cross-signing with StartCom), has a solid certificate chain and most importantly supports any number of subdomains (via subject alt names) and is free. Wildcards are not supported either, but due to SAN it doesn't matter that much. The only downside is that the OCSP servers are in China only, but this can be worked around by server-side OCSP stapling.
> Regards, Francis Rowe.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQEcBAEBAgAGBQJVME08AAoJEP9Ft0z50c+UaoMH/Rk/M+z+LIEtWISe88fi1pxL
> 0Trp1TRQGs8ggMZs0tYqpwczkSYWf5HiMTfA85zGI0jpHHNhDBSLZnO62N2nq2Dl
> zSqMGnWQgfRpdmtgCrU9ctfGbqvONjWO3DlA4zDGqUXAelQe7NKF6OkUijCln+DL
> 9GucY9x+fVNo4TaokJz9zxVF+Y10flFwk+DTMz7FoIXgaJhKJ5QFfqX7ybT9U7P1
> 53Uci5J9qQMio1IFuPcVxqpchYvaEhVF2NPEXtHCCQG0izGrpjMvFwbrh/fXWNfp
> KCxoQyEfoB98lFBjkBj0uXlfAJsOI8+t02P1JN+hyxpnGeoWk30rmNGAvwHAY8M=
> =Vj0R
> -----END PGP SIGNATURE-----
--
coreboot mailing list: coreboot@coreboot.org
http://www.coreboot.org/mailman/listinfo/coreboot