Forced HTTPS on web site

Alexander Kriegisch Alexander at Kriegisch.name
Wed Mar 14 11:33:49 UTC 2012


Andrew Savchenko, 09.03.2012 15:51:
> On Fri, 09 Mar 2012 15:31:53 +0100 Alexander Kriegisch wrote:
>> Maybe it would be a good idea to either use a commercial
>> certificate or, if that is too expensive, continue using the
>> self-signed one, but only to log in and after you are logged in.
> 
> A commercial certificate is not necessary, CAcert certificates are
> acknowledged by any sane browser and may be obtained for free after
> registration.

One more comment about this statement, because it surprised me and I
just got around to testing it today. The result is as it always was: no
browser I tested (current release versions of Chrome, FF, Opera, IE)
trusts the CAcert root certificate, every single one shows a warning.
Anything else would have been a surprise to me. Getting automatic trust
on such certificates would be a security nightmare. Even with WOT
notaries it is not much better.


