[coreboot] force https on review.coreboot.org

thomasg thomas at gstaedtner.net
Fri Apr 17 02:14:41 CEST 2015


On Fri, Apr 17, 2015 at 2:01 AM, The Gluglug <info at gluglug.org.uk> wrote:
> Hi Alexander,
>
> On 16/04/15 14:57, Alexander Couzens wrote:
>> Hi,
>>
>> review isn't forcing https. Can we please do this? Otherwise
>> stealing cookies is possible. Review supports https. There is atm
>> a CAcert based certificate and CAcert isn't included in the
>> default root keychain. Thus a normal user will be shown a big fat
>> warning, not to connect to review.coreboot.org, because the
>> certificate is unknown and untrusted. I don't have a problem with
>> that and I like CAcert. But if CAcert is the reason for not enabling
>> https-only, then let us change to StartSSL or some other SSL
>> authority.
>>
>> Best lynxis
>>
>> PS. Same issue on www.coreboot.org, but stealing review is much
>> worse than stealing wiki cookies. PPS. Please write a +1 if
>> you're supporting this opinion.
>>
>>
>>
>
> "Let's Encrypt" is interesting; https://letsencrypt.org/
>
> It's not ready yet, but it's supposed to be an "automated" (most
> likely gratis) certificate authority, and they are working hard to get
> it recognized to work around the issue where the user would otherwise
> get warnings in their browser.
>
> Run by the EFF. Definitely something to look into. I'm waiting for it
> to become available, so that I can start using it on my sites/services.
>
> Seth Schoen did a talk about it recently,
> watch from 59 minutes in:
> http://mtjm.eu/releases/lp2015/lp-123-1426949592.ogv
> (there were slides during the talk, but they didn't capture them)

Until Let's Encrypt is ready (to which I'm very much looking forward),
there's also another alternative to StartSSL with fewer downsides:
https://buy.wosign.com/free/

WoSign works well for me, it is trusted in pretty much any browser
(due to cross-signing with StartCom), has a solid certificate chain
and most importantly supports any number of subdomains (via subject
alt names) and is free.
Wildcards are not supported either, but due to SAN it doesn't matter that much.
The only downside is that the OCSP servers are in China only, but
this can be worked around by server-side OCSP stapling.

> Regards,
> Francis Rowe.
> --
> coreboot mailing list: coreboot at coreboot.org
> http://www.coreboot.org/mailman/listinfo/coreboot
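
As an added example (not part of the thread and not coreboot's own configuration or tooling), this Python check shows what "forcing https" means from the response side: plain HTTP must only redirect, and cookies must carry the Secure flag so they are never sent in cleartext. The HSTS check goes beyond what the thread mentions; the host name, cookie name and sample responses are constructed.

```python
from email.parser import Parser

def parse_response(raw):
    """Split a raw HTTP response head into (status_code, headers)."""
    status_line, _, header_block = raw.strip().partition("\n")
    return int(status_line.split()[1]), Parser().parsestr(header_block, headersonly=True)

def audit_https_enforcement(plain_raw, tls_raw):
    """Return a list of findings; an empty list means HTTPS-only is enforced."""
    findings = []
    status, headers = parse_response(plain_raw)
    location = headers.get("Location", "")
    if status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
        findings.append("plain HTTP is served instead of redirecting to https")
    if headers.get_all("Set-Cookie"):
        findings.append("cookie set over plain HTTP")
    _, headers = parse_response(tls_raw)
    max_age = 0
    for directive in headers.get("Strict-Transport-Security", "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().strip('"').isdigit():
            max_age = int(value.strip().strip('"'))
    if max_age <= 0:
        findings.append("no HSTS policy on the https response")
    for cookie in headers.get_all("Set-Cookie") or []:
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("cookie without Secure flag: " + cookie.split("=")[0])
    return findings

# Constructed sample responses (hypothetical host and cookie name).
BEFORE_PLAIN = """HTTP/1.1 200 OK
Set-Cookie: session=abc123; Path=/; HttpOnly
"""
BEFORE_TLS = BEFORE_PLAIN  # same content served on both schemes
AFTER_PLAIN = """HTTP/1.1 301 Moved Permanently
Location: https://review.example.org/
"""
AFTER_TLS = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    print(audit_https_enforcement(BEFORE_PLAIN, BEFORE_TLS))
    print(audit_https_enforcement(AFTER_PLAIN, AFTER_TLS))
```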


