Forced HTTPS on web site

Alexander Kriegisch Alexander at Kriegisch.name
Wed Mar 14 15:23:44 UTC 2012


Andrew Savchenko, 14.03.2012 15:32:
> On Wed, 14 Mar 2012 12:33:49 +0100 Alexander Kriegisch wrote:
>> Andrew Savchenko, 09.03.2012 15:51:
> [...]
>>> Commercial certificate is not necessary, CACert certificates are 
>>> acknowledged by any sane browser and may be obtained for free after 
>>> registration.
>>
>> One more comment about this statement, because it surprised me and I
>> just got around to testing it today. The result is as it always was: no
>> browser I tested (current release versions of Chrome, FF, Opera, IE)
>> trusts the CAcert root certificate, every single one shows a warning.
> 
> This does not depend on your browser, but depends on your system SSL
> configuration. On all my boxes Gentoo is used. File
> /usr/share/ca-certificates/cacert.org/cacert.org.crt
> is included in the standard app-misc/ca-certificates package taken by
> Gentoo from Debian:
> http://packages.debian.org/sid/ca-certificates
> 
> That's why at least in these distributions it will work, Ubuntu
> probably follows. If not, update your system. If you have no
> system-wide certificate lists, than your system is broken. If your
> distribution does not support this certificate, then ask maintainers
> to fix this problem.
> 
>> Anything else would have been a surprise to me.
> 
> Then install Debian or Gentoo and be surprised
> 
>> Getting automatic trust
>> on such certificates would be a security nightmare. Even with WOT
>> notaries it is not much better.
> 
> Please prove this statement, if you are implying that free of change
> CA is less secure. Payment of some little amount of money has nothing
> to do with CA security (but has with CA welfare).
> 
> Currently used SSL scheme has very little security, its more like an
> illusion of security, because any of about 200 CA can sign certificate
> any domain. And use of commercial CA changes nothing. Recent events
> with Comodo and DigiNotar CAs prove my statement.
> 
> The real solution will be use of web of trust with high number of
> minimal certificate signers. Only when CA is signed with multiple CAs
> (let's say ten) than you may trust it. But current SSL scheme is
> simply not capable for this kind of work.

I do not feel so inclined to fight with you or try to prove anything to
you. There is also no need to lecture me on how encryption, WOT or
similar works. I have used PGP (incl. WOT among my personal friends)
since early 1990s and also implemented RSA from scratch back then by
myself, just to see how it works.

I am just wondering what kind of world you think you live in. Just
because something works on your specific OS and browser, it does not
mean that everything outside is not "sane" or "misconfigured" or
"broken" in any way.

FYI: I use Windows XP Pro SP1. And I do like to rely on the respective
browsers' built-in root certificate lists.

Let's close this topic, okay? It is really not worth fighting about.
Just note that not everything is wrong or broken which is different from
your setup.



More information about the mc-devel mailing list