Forced HTTPS on web site
Andrew Savchenko
bircoph at gmail.com
Wed Mar 14 14:32:28 UTC 2012
Hello,
On Wed, 14 Mar 2012 12:33:49 +0100 Alexander Kriegisch wrote:
> Andrew Savchenko, 09.03.2012 15:51:
[...]
> > Commercial certificate is not necessary, CACert certificates are
> > acknowledged by any sane browser and may be obtained for free after
> > registration.
>
> One more comment about this statement, because it surprised me and I
> just got around to testing it today. The result is as it always was: no
> browser I tested (current release versions of Chrome, FF, Opera, IE)
> trusts the CAcert root certificate, every single one shows a warning.
This does not depend on your browser, but depends on your system SSL
configuration. On all my boxes Gentoo is used. File
/usr/share/ca-certificates/cacert.org/cacert.org.crt
is included in the standard app-misc/ca-certificates package taken by
Gentoo from Debian:
http://packages.debian.org/sid/ca-certificates
That's why at least in these distributions it will work, Ubuntu
probably follows. If not, update your system. If you have no
system-wide certificate lists, than your system is broken. If your
distribution does not support this certificate, then ask maintainers
to fix this problem.
> Anything else would have been a surprise to me.
Then install Debian or Gentoo and be surprised
> Getting automatic trust
> on such certificates would be a security nightmare. Even with WOT
> notaries it is not much better.
Please prove this statement, if you are implying that free of change
CA is less secure. Payment of some little amount of money has nothing
to do with CA security (but has with CA welfare).
Currently used SSL scheme has very little security, its more like an
illusion of security, because any of about 200 CA can sign certificate
any domain. And use of commercial CA changes nothing. Recent events
with Comodo and DigiNotar CAs prove my statement.
The real solution will be use of web of trust with high number of
minimal certificate signers. Only when CA is signed with multiple CAs
(let's say ten) than you may trust it. But current SSL scheme is
simply not capable for this kind of work.
Best regards,
Andrew Savchenko
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.midnight-commander.org/pipermail/mc-devel/attachments/20120314/a9cc0dee/attachment.asc>
More information about the mc-devel
mailing list